Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Data protection and compliance readiness

Do you know where your sensitive data is stored?

Background

This matters because it affects fines, insurance, client contracts, and reputation. UK GDPR Article 30 requires most businesses to keep a Record of Processing Activities (ROPA) — a list of what personal data you process, why, and for how long. If you take card payments, PCI DSS applies on top of GDPR.

Questions to ask yourself

  • Do we know what personal data we hold and where it lives?
  • Are suppliers handling our data safely?
  • Could we actually respond to a data breach if we had to?
  • Could we answer a customer security questionnaire today?
  • Would our insurance pay out if we hadn't followed basic controls?

What you can do today

Sketch your data map

Three things.

  • 01Draw four boxes on paper: Customer, Employee, Financial, Supplier. For each: where it lives, who reads, who deletes.
  • 02Look at three random staff laptops. Customer lists on a laptop are data leaving the building each evening.
  • 03Look at your office Wi-Fi router. List every connected device.