Rapid advances in technology have generated a wide range of opportunities for UK businesses. Companies are now able to collect and harness all sorts of information to create refined, data-driven strategies that often increase their chances of success. Yet as data continues to become more and more crucial to many company processes, data security has emerged as one of the top business risks today.
According to the UK Government's Cyber Security Breaches Survey 2018, 74% of the country's company owners now say that cyber security is a top priority. That makes sense, bearing in mind that 43% of UK businesses have experienced a data security breach or sustained a cyber attack in the last 12 months. Yet despite this heightened sense of awareness concerning the importance of data security in business, a huge proportion of UK companies are still totally unprepared.
Just over a quarter of businesses surveyed by the UK Government say they have formal data security policies in place, which is particularly worrying given what a huge impact data breaches can have on a company's bottom line. Last year, the average cost of a data breach for a large UK business was £22,300. Meanwhile, medium-sized businesses lost an average of £16,100 per attack, while small businesses lost an average of £3,100.
To some business owners, that might not sound like a lot. But to a freelancer, sole trader or the owner of a small company, losing over £3,000 in a single data breach could ultimately make or break a company's short-term success rate. Fortunately, there are plenty of steps small businesses can take to prevent data breaches and improve their data security processes, particularly when working with a virtual offices provider.
How do virtual offices work?
Before we delve right into virtual offices and data security, it's worth taking a step back to ensure you actually understand what a virtual office is.
So, what exactly is a virtual office?
Simply put, virtual office services are an affordable solution for small businesses and self-employed individuals that enable them to utilise a prominent business address, leverage the skills of professional reception staff and use meeting room space or office space when required, without having to pay the astronomical costs of a lease, utility bills, equipment and staff wages associated with traditional serviced offices.
There are a range of virtual office providers across the UK, and they offer a range of services to various business owners.
For example, Blue Square's virtual office package offers use of a business address, mail handling, business telephone and fax numbers, telephone answering, fax-to-email services, discounted conference and meeting room facilities, and touchdown office hire as and when required. Unlike some other virtual office providers, Blue Square's services are designed to be flexible around the needs of our customers and serve as a low-cost alternative to traditional office space.
What information do I need to give to a Virtual Office provider?
There are plenty of reasons a small business would want to leverage the professional services of a virtual office provider, and as part of those services, you will generally need to provide certain pieces of data to your provider to finalise any contract agreement for delivery of services.
This personal data often includes the basic details you might provide to any merchant or retailer that you shop with, and could include things like your:
- First and last name
- Home address
- Forwarding address
- Telephone number
- Date of birth
- Email address
- Payment details such as a credit or debit card number
- Bank account details
That list is by no means exhaustive, because no two services or virtual office providers are alike. For example, to prove your identity and take advantage of the virtual office services at Blue Square, you’ll be asked to provide proof of identification.
Why? Like other business services providers, Blue Square is legally required by Anti-Money Laundering (AML) regulations and Know Your Customer (KYC) requirements to obtain certified proof of ID and proof of address documents for all customers who use our services. We do not need to use data relating to your proof of identification for anything else, and we never will.
Other providers may also ask you to include additional information such as the type of industry you’re operating in, a SIC code if applicable, a VAT number if you’ve got one, proof of charitable status or any other key indicator that identifies your business. Some providers also ask for optional information such as time preferences for receiving forwarded calls as part of a phone answering service.
This data is information that your service provider will be able to utilise to offer you a better and more bespoke service, and if your provider is following industry best practice and is compliant with existing data protection laws, your data should be as safe as possible.
How should Virtual Offices store and use my data?
So, how is that data stored and used? And more importantly, is it secure? Because of the European Union's landmark General Data Protection Regulation (GDPR), it had better be.
In May 2018, the EU enacted sweeping rule changes to the ways in which companies in the UK are allowed to collect, process and store data. GDPR is very much a consumer-focused initiative that hands data subjects new rights in terms of what qualifies as their consent and the right to be forgotten.
This places the onus on companies that need to store or process data to think hard about how they use data and how they keep customer data safe, because if a UK company fails to comply with GDPR, keep your data safe or respect your wishes, it can mean catastrophic fines for that company. Bearing that in mind, your virtual office provider should have already implemented robust measures over the past 12 months to ensure customer data is protected.
Under GDPR, all virtual office providers in the UK are required to undergo a risk analysis and develop organisational policies, physical and technical measures to identify and avoid data security risks.
Where appropriate, companies are encouraged to deploy reasonable security measures such as pseudonymisation and encryption to protect client data. Access to data and processing activities must be limited in scope and availability, and the data subject must be explicitly informed at the point of data collection what their data will be used for and who will have access to it.
Most virtual office providers in the UK should have a designated Data Protection Officer who is responsible for overseeing GDPR compliance and ensuring that your data is as secure as possible at all times. This individual will be your first point of contact with your virtual office provider if you have any questions about your data, and this is the individual you should ask if you’d like access to your data or would like to request it is deleted.
How to tell if a Virtual Office provider is GDPR compliant
Here’s the most crucial way to determine how safe your data is and whether your virtual offices provider is actually GDPR compliant: you’ve got to read their privacy statement.
This document and/or webpage should outline in detail all of the ways in which your data will be handled by your services provider. It will detail the security measures that have been and will be taken, your data rights and what you should expect from your provider in terms of data security.
To see what a GDPR-compliant privacy statement looks like, you can view the Blue Square Offices Privacy Policy here. Measures we take to ensure our client data is secure at all times include use of the EU and US Governments' shared Privacy Shield for all necessary and applicable data transfers. Our policy also outlines the ways in which we limit access to your data to ensure that it is only accessed by trained professionals when that information is needed.
It's worth pointing out that no matter how many precautions your virtual office provider takes, there will always be a risk of a data breach. It is virtually impossible to deliver an ironclad guarantee that no hacker in the world can penetrate a secure firewall or a methodical data protection system, and this risk is present across all companies and industries, not just virtual office providers.
That being said, virtual office providers like Blue Square do everything they can and follow industry guidelines and government rules that are specifically designed to mitigate risks like cybercrime and protect your data at all costs.
What can I do to protect my data?
While your virtual offices provider is working hard to protect your personal data, the same responsibilities fall on you to protect the data of your customers and clients. As a business owner yourself, you are responsible for fulfilling the same obligations that your virtual office provider must fulfil in terms of data protection and observing the rights of your data subjects.
If you regularly work in public or at a co-working space, data security is particularly critical. Fortunately, there are plenty of simple, preventative steps you can take to maximise data security.
Sole traders and small business owners without a permanent brick-and-mortar office space for which they are responsible don’t have the option to dive head first into a major investment like a firewall system to protect an internal data network. But under GDPR, all businesses are required to take reasonable steps to protect customer data, so if you’re operating a small business primarily from your laptop, tablet or mobile phone, you are legally obliged to take reasonable steps to protect that information.
In practical terms, this means you should have a passcode on your mobile devices and a password-protected laptop or home-working station. You shouldn’t save your passwords on shared devices available for use in a virtual office co-working space, and before you strike an agreement to take on virtual office services or serviced office space with a provider, you need to ensure you read and understand your privacy policy.
Ask about the network protections your provider has in place, and find out about any existing policies or recommendations you should follow as the client, to ensure your customer data is protected at all times.
If you need to send your data or transmit it to another device, you should always send it using an encryption service in case the data is intercepted unlawfully by a third party. Regardless of the size of your company, you should also always produce a privacy policy and data security protocols that can be shared with your clients.
This will not only demonstrate to potential clients your ability to protect their data and your credibility as a compliant UK business, but it will also serve as a crucial, step-by-step guide on what you must do in the event of a genuine security breach.
The bottom line
It's important to emphasise that it is impossible to guarantee total data security at all times. Fraudsters and cyber criminals are constantly advancing and evolving their tactics, and improvements must constantly be made to maximise your company’s data protection arrangements.
But just because you cannot be guaranteed 100% data security does not mean that you should settle for sub-par service and mediocre security. When you are shopping around for a virtual office services provider, you owe it to yourself and your customers to make sure you are doing business with a GDPR-compliant organisation that takes your privacy seriously and is doing everything it can to ensure your data is kept safe and secure at all times.
More important still, as a business owner you must take reasonable steps to ensure that your data and the data of your customers are kept as safe as possible. Yet so long as you’re being mindful of potential risks, and you’re working alongside a virtual office provider with experience in data security, you should be able to press forward with your business goals and focus on your potential success rather than dwell on potential risks.
Looking for more tips on how to grow your business? Be sure to check out the Blue Square Offices blog. There, you’ll find loads of useful tips on company formation, managing remote teams, outsourcing and more.