Protecting PII: A Guide for Small Business Owners – Part 2


Previously, we explored what Personally Identifiable Information (PII) is and how a clear privacy policy helps build trust and meet
legal obligations. But a policy alone isn’t enough. To truly protect your customers’ data – and your business – you need to put that policy into action.

Here are seven practical steps small businesses can take to safeguard PII:

1. Know What You Collect - and Why

Start by auditing the PII you collect. This includes names, emails, phone numbers, addresses, and any other data that can identify someone.

Ask yourself:

  • Do we really need this information?
  • How long do we need to keep it?

Reducing the amount of PII you collect and store lowers your risk exposure.

2. Create a Personal Data Register

Maintain a register that tracks:

  • What PII you collect
  • Where it’s stored (e.g. cloud apps, spreadsheets, email)
  • Who has access to it

This helps you stay compliant and respond quickly in case of a breach.

3. Limit Access to Sensitive Data

Not everyone in your business needs access to all customer data. Use role-based access controls to ensure only authorised staff can view or edit PII. Regularly review permissions and revoke access when roles change.

4. Encrypt and Back Up Data

Encryption protects data in transit and at rest. Even if a device is lost or stolen, encrypted data remains unreadable. Also, back up your data regularly and store backups securely. Make sure only trusted personnel can access or modify them.

5. Use Secure Communication Channels

Avoid sending PII over unsecured channels like plain-text email. Use secure portals or encrypted messaging tools when sharing sensitive information with clients or partners.

6. Train Your Team

Human error is one of the biggest causes of data breaches. Train your staff on:

  • Recognising phishing attempts
  • Handling customer data securely
  • Reporting suspicious activity

Make data protection part of your onboarding and ongoing training.

7. Plan for Incidents

Even with the best precautions, breaches can happen. Have a response plan that includes:

  • How to contain the breach
  • Who to notify (customers, regulators)
  • How to prevent future incidents

This shows customers you take their privacy seriously and helps you recover faster.

Protecting PII isn’t just about compliance – it’s about trust. By taking these steps, you show your customers that their data is safe with you. And in today’s digital world, that’s a powerful competitive advantage.

If you’re ready to go deeper, check out the Australian Cyber Security Centre’s guide for small to medium businesses. It can be found here. Or revisit our earlier post on privacy policies:

Understanding PII: A Guide for Small Business Owners – Part 1 | Concord IT
