How Good IT Governance Can Keep Your SME Out of the Law Courts

David Southern | Date: April 4, 2017 | 3 minute read


Discover how best practice in IT governance can reduce the administrative burden and improve compliance management for your SME.


Over-regulation is hampering SMEs' growth and eating away at their competitiveness. In a recent report by the Federation of Small Businesses (FSB), over half the businesses surveyed said that their company's growth was held back by administrative burdens. Too bogged down by red tape, they were unable to find the time to work on their real business activities.

SMEs struggle to compete with larger enterprises on this front. With fewer resources, they have limited capacity for compliance and so only core specialisms are covered. Yet, the risks to SMEs of non-compliance are high - hefty fines, legal claims and reputational damage - and with increasing complexity and more stringent oversight, keeping up with regulation is a serious challenge.

Know your risk of IT non-compliance

One area of growing concern for SMEs is IT governance. Businesses necessarily hold and process personal data relating to both their customers and employees. This brings them within the scope of the Data Protection Act 1998, which requires that the information is:

  • Fairly and lawfully processed
  • Processed for specified purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with individuals' rights
  • Secure
  • Not transferred outside the European Economic Area without adequate protection.

As the amount of sensitive personal information held by businesses grows, and the number of data security breaches and cyber threats continues to rise, SMEs' IT governance is becoming increasingly difficult to manage. Furthermore, the Information Commissioner's Office (ICO) has increased powers to ensure compliance. As well as conducting audits to monitor best practice, since 2010 the ICO has been able to issue fines of up to £500,000 for serious breaches of the act.

Keep abreast of regulatory changes for IT

The General Data Protection Regulation (GDPR), which comes into force in May 2018, will only compound the complexity of IT governance for SMEs. Although an EU law, it will impact businesses outside the EU that deal with the personal information of EU citizens. Computer Weekly summarises the aims of the law as:

  • Returning control of personal data to users
  • Simplifying the regulatory environment
  • Improving the protection of data through the appointment of a data protection officer where data processing is carried out.

Data protection officers will be responsible for managing data security and other critical business continuity issues specific to the holding and processing of personal data. They do not necessarily have to be an employee: third parties already helping with local data protection compliance can fulfil this role. The Ministry of Justice has estimated that meeting the requirements of GDPR would cost UK businesses nearly £320m. The costs of non-compliance are very high: fines can reach 4% of global turnover or €20 million, whichever is greater.

Remaining compliant with IT regulations

Maintaining well-organised systems and data will minimise the risk of non-compliance while making IT governance easier. By following cybersecurity and data management best practice, your business can reduce the time and effort spent on administration while improving its data processing and its overall security. These are the 5 core practices you should adopt:

Digitise information

Paper records make retrieving information slow and increase the risk of losing or mislaying files. Two-thirds of data breaches are caused by human error. Digitised information can be held securely in one central location, where it can be made easily accessible to authorised staff.

Secure your data

Make sure you can control access to your data, using rights and permissions to restrict access to those authorised. Implement version control to generate audit trails of access and amendments.

Integrate your data

Avoiding paper documents will not always be possible, so you will need a document management system that can connect information from different sources to give you a complete picture.

Keep data up to date and complete

This will allow you to establish a single source of truth and proactively manage your personal data to identify gaps and keep information up to date.

Store data securely

Make sure that wherever you store your data has robust security and disaster recovery in place. Implementing a comprehensive backup solution will protect against loss and enable you to easily access data that needs to be retained. Set alerts to automatically destroy redundant archived data to prevent security breaches and remain compliant with data protection regulation.

SMEs that adopt best practice in IT governance will not only significantly reduce their administrative burden, they will also improve their competitiveness by demonstrating to customers and employees that they can be trusted with cybersecurity and data protection.


  • The administrative burden of complying with multiplying regulatory demands hampers the growth of SMEs.
  • IT governance is of particular concern for SMEs.
  • Your business should be aware of its obligations under both the Data Protection Act and GDPR.
  • Maintaining well-organised systems and data reduces the risk of compliance failures.
  • Following best practice in cybersecurity and data management reduces your administrative burden and boosts your competitiveness.

Learn to identify, assess and mitigate weaknesses in your IT management with our helpful e-Guide. Download: Manage the 60% Risk of Cyber Attack to Your Operations: The Business Leader's Guide to IT Strategy
