As a small business owner, you might think data protection practices are only for big companies with IT teams and legal departments. However, one small mistake can lead to significant consequences. This week, I am going to do things slightly differently and tell the story of Fred, a local gardener who trusted his personal data to a small business—and what happened next. The story is fictitious and a bit extreme, but it is rooted in real data incidents and breaches that I have supported.

A Simple Business Transaction Gone Wrong

Once upon a time in Dataford, Fred, a friendly gardener, decided to refresh his business by creating a new website. He found a small, local company called CyberWhizzaster, run by a man who seemed knowledgeable and ready to help. After some discussion, Fred handed over his personal information—his name, address, phone number, and even some financial details—and left feeling confident that his new website would soon blossom, just like his gardens.

A few days later, Fred received an email from CyberWhizzaster. Thinking it was an update on his website, Fred opened it eagerly. But what he found was not what he expected. The email began with, “Hi Fred,” but contained all of his personal information—his full name, home address, phone number, and even financial details, like his latest business transactions. To Fred’s horror, attached to the email was a photo of additional notes CyberWhizzaster had made during their meeting—some of which had nothing to do with the website build. Personal details he’d casually shared, like his family’s upcoming holiday plans, were included in these notes. Worse still, the email appeared to have been sent to multiple people, not just Fred.

Fred felt panic setting in. His sensitive information had been shared with others, and who knew how far it had spread? He quickly emailed CyberWhizzaster to find out what had gone wrong. A few hours later, they replied, offering only a brief apology: “Dear Fred, we’re sorry for the mistake. It seems an automated system accidentally sent your details to the wrong recipients. We’re investigating.”

Fred’s Quest for Answers

Fred wasn’t reassured. This was more than a minor mistake—his personal data had been shared. So, Fred decided to take it a step further. He submitted a Subject Access Request (SAR), asking CyberWhizzaster to provide:

  1. Exactly what information had been shared.
  2. What systems they were using to store and manage his data.
  3. Where his data was being held.
  4. A copy of the investigation report into how this breach happened.

Fred also asked if CyberWhizzaster had assessed the incident and if it was required to report it to the Information Commissioner’s Office (ICO), as the law requires when personal data, especially financial information, is exposed.

As he waited for their response, Fred began to think more deeply about how CyberWhizzaster had handled his data. That’s when he noticed something unsettling: the email he had received hadn’t come from a business account—it came from CyberWhizzaster@gmail.com, a personal email account. Fred’s concern deepened. Were they running a business using a personal Gmail address?

The Risk of Unsecured Data and Unvetted Subcontractors

Fred decided to call CyberWhizzaster directly to ask about their data protection measures. What he learned left him in shock:

  • They had no formal data protection policies or processes in place. Everything was “in the guy’s head,” with nothing written down.
  • They didn’t have a list of the software they used to manage data, nor did they know where Fred’s data was stored. They said, “It’s standard stuff—we picked it up on AppSumo.”
  • Even more alarmingly, Fred discovered that CyberWhizzaster used subcontractors outside the UK and EU—specifically in countries that didn’t have the same data protection laws. Fred had never been told that people outside the UK or EU might access his personal information, and now he worried about where his data ended up.
  • Finally, CyberWhizzaster admitted they didn’t even know what data they had on Fred or how long they’d been holding it. There was no system in place to keep track.

Fred was stunned. International data transfers? No tracking of personal data? If they didn’t even know where his data was or who had access to it, how could they protect it?

Fred realised that this was a serious breach of GDPR and that CyberWhizzaster was potentially exposing themselves—and him—to huge risks. They hadn’t informed him about the subcontractors outside the UK and EU and weren’t following basic data protection laws. Fred began to consider reporting the breach directly to the ICO himself since CyberWhizzaster seemed so far behind on data protection that they hadn’t even started to understand the implications of their actions.

The Financial and Reputational Impact

Fred also reflected on the possible financial consequences for CyberWhizzaster. Under GDPR, fines for data breaches can reach £17.5 million or 4% of global turnover—enormous amounts for any business, let alone a small one. Beyond the fines, Fred worried about the reputational damage they could face. Trust is crucial in any business; if customers discovered this breach, CyberWhizzaster might never recover, especially as 60% of SMEs close within 6 months of a serious data breach.

As Fred considered his next steps, he thought about his own business. He had always been careful with customer data, but now he realised the importance of being fully compliant. Could something like this happen in his business? Were his processes strong enough to protect his clients’ data?

What can SMEs learn from Fred’s experience?

If you handle customer data, it’s critical to:

  • Know where your data is stored—can you track it?
  • Have policies and procedures in place to handle personal information securely.
  • Ensure you use business-grade tools instead of relying on personal email accounts and unverified apps.
  • Be aware of international data transfers—proper safeguards are needed if your data is being accessed outside the UK and EU.
  • Conduct regular data audits to know what information you’re holding and why.

Cutting corners with data protection might seem like a good way to save time or money, but it can lead to significant legal, financial, and reputational risks.

Fred had learned his lesson. He hoped other businesses would, too. So now, I ask you:

Are you confident in your data handling practices, or could a situation like this put your business at risk? If so, why not book a free clarity call today?

Could you answer the same questions Fred had for CyberWhizzaster?

Read more on how GDPR affects small businesses.