Bowman House (2024 Leaderboard Ad)

Let's Talk

Your Total Guide To Business

Bowman House (Business Sponsor)

How Wiltshire Businesses Can Protect Customer Data

Every Wiltshire business holds customer data, from a Salisbury cafe taking card payments to a software firm on one of Swindon's business parks. If that data leaks, the damage to trust and finances can be hard to undo.

The good news is that protecting it doesn't require a huge IT budget, just the right habits and a willingness to check your own defences. Here are the steps that actually make a difference.

What the Law Now Expects From You

The DUAA and What It Changes

UK GDPR still sets the baseline for how you collect, store and use customer information. On top of that, the Data (Use and Access) Act 2025 has been phasing in changes throughout 2025 and 2026. The DUAA amends, but does not replace, the UK GDPR, the Data Protection Act 2018 and PECR.

Your New Complaints Obligations

One change worth knowing about affects how you handle complaints. From 19 June 2026, UK organisations are required to operate a formal data protection complaints process. You'll need to acknowledge any complaint within 30 days of receipt, confirming that you've received it and that it will be investigated, and then look into it without undue delay.

Under the new framework, individuals are expected to raise their complaint with you first before escalating to the ICO. The ICO can decline to investigate complaints where the individual hasn't engaged with you as required, which makes your complaints process a frontline regulatory obligation rather than a nice-to-have. If you don't already have a clear way for customers to do that, now is the time to set one up.

The law requires you to provide at least one accessible way for people to submit a complaint, such as an online form or dedicated email address. You'll also need to accept complaints that arrive through other channels, including social media, even if they don't use your preferred process.

You'll also need to update your privacy notice to tell people about their right to complain to you directly, alongside their existing right to contact the ICO.

Why Proof Matters More Than Policy

The wider point is that the rules reward businesses that can show they take data seriously. A written policy on its own won't cut it. You need to prove the policy works in practice, which is where testing comes in.

Why Written Policies Aren't Enough

Plenty of businesses have a data protection policy sitting in a folder somewhere. The problem is that a policy describes what should happen, not what actually does. Your website might have an old plugin with a known flaw.

Your payment system might be passing data in a way you've never checked. Your staff might be reusing weak passwords across accounts.

This is the gap that penetration testing closes. A pen test is a controlled, authorised attempt to break into your systems, carried out by security professionals who think like real attackers. They probe your website, payment systems and internal network to find the weak spots before a criminal does. A good provider of penetration testing services will hand you a clear report explaining what they found and how to fix it, in language you can actually act on.

You don't need to test everything every week. Most small and medium businesses run a test once a year, or after any major change to their website or systems. What matters is that you're checking reality, not assuming your defences hold.

A Sensible Starting Point: Cyber Essentials

If all of this feels like a lot, Cyber Essentials is a good place to begin. It's a UK government-backed scheme, overseen by the NCSC, that covers five basic controls every business should have in place:

  • Firewalls to create a secure boundary between your network and the internet
  • Secure configuration of devices and software
  • User access control, so people can only reach what their role needs
  • Malware protection on every device
  • Security update management, keeping software patched and supported

Cyber Essentials is proportionate, which means it suits a small Wiltshire shop just as well as a growing tech firm. It won't replace a full pen test, but it gives you a solid foundation and signals to customers and partners that you take security seriously.

Where to Start With Your Data Protection

Protecting customer data comes down to three things: knowing what the law expects, building good basic habits, and checking that your defences actually work. The businesses that get this right aren't the ones with the biggest budgets, they're the ones that treat security as part of running the company rather than an afterthought.

Start with Cyber Essentials, write a complaints process you can stand behind, and book a penetration test when you're ready to see where you really stand. Your customers trust you with their details. Showing you've earned that trust is one of the simplest ways to keep it.

Bowman House (NEW - Animated Ad)
Black Nova Designs (NEW Animated Ad for 2024)
File Stream Systems (Animated Ad)
M4 Self Store (Animated Ad)
Nexus Business Centre (Animated Ad)
Lydiard Park Hotel & Conference Centre (Animated Ad)
Doubletree by Hilton Swindon (Animated Ad)
Future Planning
Wilkins Talent Solutions (Animated Ad)
Burdett Legal (Previously HT Wills - Animated Ad)
Unscrewed Systems Network (Leaderboard Ad)

Weather in Wiltshire

Update cookies preferences