I have over 12 years of experience in quality and compliance. I knew when I set up my business, especially as I grow it, I would need documentation to support it. At the moment, it is just me, so I could say everything is in my head. But compliance is the bedrock of a business. I am a firm believer: get the foundations in, and you can build anything.

I had an incident that meant I had to trigger my business contingency plan recently.

My computer has been ‘off’ for a few days, and then it just went ‘the computer says NO!’. I did what most would do: see what was going on and see if I could fix it myself, including the obligatory turn it off and on again. Still nothing.

At this point, I could have gone into panic mode. My computer was not letting me open anything. I could not work. I could not access my calendar or emails on the machine. There is no way to do anything on this machine.

Triggering the contingency plan

As I said, I have a contingency plan that was triggered yesterday.

  1. Contact my (outsourced) IT team, who were messaging me to determine what was happening. They couldn’t access the machine due to the issue.
  2. I pulled out my MacBook
  3. Internally record the incident

Reporting and Investigating

I wrote the process, so I did not need to check what I needed to do. I know I have to record and investigate the incident internally and assess the origins of the incident and the impact, if any, on the data.

As a data protection consultant, I wondered if it was malware or had been hacked. But, on investigation., it looks like human error. In short, I made a mistake transferring some files from one cloud to another, which sent the computer into overdrive and clogged its memory. No memory, no way to work. Hold on – all my work is done on the computer. How the hell am I going to support my clients?

So, no data was lost or compromised. That also means that I don’t need to report it to the ICO.

Lessons learned

So why should I record and share my mistakes? There are a few great reasons.

  1. To help you learn and not make the same mistakes I do
  2. To reduce the risk of it happening again. I always say reduce. We are human, and we make mistakes.
  3. To show that we all make mistakes around information, technology, and data, even data protection consultants. It is what we do next that is important.
  4. Highlight that human error is one of the biggest causes of data incidents and breaches. It is not something to be punished for if accidental.

Why does it matter?

It is important to write it down for micro and small businesses. Ok, so as I write this, the only employee is me, but I outsource work. I have a team. But there is still a lot of learning to do.

There are a couple of reasons why I write it down

  1. Reflection
    • Reflection is a great tool. How often do we hear “in hindsight …”. From reflection, we learn what went wrong and what we need to do to improve. It can not take away all the risks but reduces them.
  2. If it is not written down, it did not happen.
    • Having a written record of factual events is a good way to show, internally and externally, what went wrong and what was done to sort it out. It is much harder to show what was done if there is no record.
  3. Keep me on track
    • By having a record of lessons learned from my investigation, I am giving myself an action plan to do. Again, if it is not written down, where is my record that I have to change something or that I have?
  4. As a small business owner, I recently experienced a major incident that forced me to activate my business contingency plan. It all started when my computer suddenly stopped working, leaving me unable to access any files, calendars, or emails. Panic set in as I realized the extent of the issue and its impact on my ability to work and support my clients.
  5. Fortunately, I had the foresight to establish a contingency plan for such situations. I immediately contacted my outsourced IT team, and they began working to resolve the problem. In the meantime, I quickly switched to my backup MacBook to continue my work.
  6. This incident prompted me to reflect on the importance of incident reporting and preventive measures for small businesses. I realized that having a solid documentation system in place is crucial, even for a one-person operation like mine. Compliance and data protection are the foundation of any business, and proper incident reporting is essential to maintaining that foundation.
  7. In the aftermath of this incident, I took the time to record and investigate what had happened. It turned out that the issue was caused by a simple human error on my part – a mistake I made while transferring files between cloud platforms. This caused my computer’s memory to become overloaded and rendered it inoperable. Thankfully, no data was lost or compromised, so I didn’t need to report the incident to any regulatory authorities.
  8. Sharing and recording my mistakes serves several important purposes. Firstly, it allows others to learn from my experience and avoid making the same errors. Secondly, it helps to minimize the risk of similar incidents occurring in the future. It’s important to acknowledge that we are all human and prone to making mistakes, especially when it comes to information, technology, and data. What truly matters is how we respond and take preventive measures moving forward.
  9. For micro and small businesses, documenting incidents and lessons learned is crucial. Even if you are a sole proprietor or outsource work, there is still much to gain from this practice. Reflection is a powerful tool for learning and improvement. We can reduce the likelihood of future incidents by analyzing what went wrong and identifying areas for improvement. Additionally, having a written record of factual events is essential for internal and external communication. It demonstrates transparency and accountability, making explaining what happened and how it was resolved easier. Lastly, keeping a record of lessons learned provides a clear action plan for making necessary changes and improvements.
  10. In conclusion, incident reporting and preventive measures are vital for small businesses. By proactively addressing and documenting incidents, we can learn, grow, and minimize the impact of future issues. Remember, it’s not about avoiding mistakes altogether but rather how we respond and improve to ensure the continued success of our businesses.