Proudly supporting businesses across Hull & East Yorkshire
Everything Else

GDPR From an IT Perspective: What Small Businesses Are Still Getting Wrong

Published 9 July 2026
Hand selecting digital document on virtual interface

GDPR came into force in 2018 and most businesses have done the visible stuff. The cookie banner is on the website, there is a privacy policy somewhere, and staff have heard the word compliance at least once.

But the IT side of GDPR is where many small businesses still have real gaps, and that is where the most serious risks tend to live.

Why IT and GDPR are closely connected

GDPR is fundamentally about the protection of personal data. And personal data lives on your devices, in your email, in your cloud storage, and in the tools your team uses every day.

That makes your IT setup a core part of your compliance. A poorly configured device, an unprotected email account, or a lack of backup can all create legal risk, not just technical inconvenience.

The mistakes we see most often

Device security: staff laptops and computers that leave the office, get used at home, or occasionally get lost or stolen are a common source of breaches. If a device is not encrypted and password-protected, any data on it is exposed the moment it leaves your hands.

No multi-factor authentication on email: email is where most personal data flows. An email account without multi-factor authentication is genuinely easy to compromise. If a staff member’s email is hacked, everything in that inbox is potentially at risk.

Former staff still having access: when someone leaves a business, their accounts should be disabled quickly. Accounts that remain active for weeks or months after someone has left are a real vulnerability, and one that comes up in almost every IT audit we carry out.

No backup for Microsoft 365: Microsoft 365 is not a backup solution. It retains deleted items for a limited time, but it does not protect you from accidental deletion, account compromise, or ransomware. A separate backup is required for genuine data protection.

Unclear data retention: GDPR requires you to know what personal data you hold, where it is stored, and how long you keep it. Businesses that have data scattered across shared drives, personal devices, and old email accounts often cannot answer these questions.

What about breach reporting?

If personal data is compromised, whether through a hack, a lost device, or accidental disclosure, you have 72 hours to report it to the ICO if the breach is likely to result in a risk to individuals.

Many small businesses do not have a process for this. They might not even know a breach has occurred. Good IT monitoring helps with both: it makes breaches more likely to be detected, and having a managed IT provider means you have someone to call who can help you assess the situation quickly.

Where to start

You do not need to overhaul everything at once. The highest-impact steps are:

  • Enable multi-factor authentication on all business accounts, starting with email
  • Make sure all devices are encrypted and have strong, unique passwords
  • Disable accounts for any staff who have left
  • Set up a proper backup for your Microsoft 365 data
  • Document what personal data you hold and where it lives

None of these are technically complicated. They are mostly a matter of making sure they have actually been done.

A free IT audit is a good place to start

At Matthew Temple Consulting, our IT audit covers the security and configuration checks that directly relate to GDPR compliance. We give you an honest picture of where you stand and clear recommendations for what to address.

Get in touch to book yours.

Say Hello

We'd love to hear from you

However you'd like to reach us, a friendly local person is ready to help. We reply within one working day.
Visit us
K2 Tower, 60 Bond Street, Hull, HU1 3EN

Start the conversation

Pop your details in and we'll be in touch shortly.
Homepage Footer