Getting Started: Data Protection
Here is the collective advice from a group of IT Professionals members on data protection, what to consider and how to get started to improve your business practices.
Part 1: The Challenge – Why Small Businesses Need to Rethink Data Collection and Protection
Small businesses often collect more personal data than they truly need—sometimes without a clear plan for how to protect it. We’ve seen it all: ID photocopies kept in filing cabinets, customer databases containing unnecessary date-of-birth fields, or loyalty programmes quietly selling aggregated purchase histories. While the risks are not unique to New Zealand, they are increasingly global, and the consequences are real.
Insecure data capture is a prime target for malicious actors and commercial exploitation. Once harvested—whether through hacking, poor access controls, or intentional sale—your customer data can be cross-referenced with other sources to build alarmingly detailed personal profiles. This isn’t hypothetical; from large US retailers like Walmart to historical examples like Reader’s Digest holding detailed data on over 50% of US households decades ago, the collection and monetisation of personal information have long been standard practice.
The danger is amplified by a “collect now, figure it out later” mindset—especially in environments without strong privacy regulation. While the EU’s GDPR has created much-needed guardrails, many businesses here still operate without robust privacy-by-design principles. That’s a problem not just for compliance, but for customer trust.
Part 2: How to Get Started with Better Data Protection
If you’re a digital tech professional in a small business—or managing tech for one—building stronger data protection isn’t just about preventing breaches. It’s about embedding smarter decisions at the point of data collection, and ensuring ongoing security for the data you do need.
Practical Application: Where to Start
Begin with NIST’s frameworks — They’re free, accessible, and structured to help small operations implement security step-by-step. Start with the NIST Cybersecurity Framework Small Business Quick Start Guide and Small Business Cybersecurity Corner for a roadmap that’s easy to follow.
Combine that with Privacy by Design (PbD) thinking — At every data collection point, ask “Why do we need this data?” If you can’t answer confidently, don’t collect it. Learn more about PbD.
Plan to mature over time — As your systems and processes develop, consider alignment with ISO 27001 or adopting the IASME Governance Standard for an affordable, small-business-focused approach.
Good Practice to Embed Early
Minimise data collection — Only capture what’s essential for the transaction or service.
Secure storage — Encrypt sensitive data at rest and in transit, and avoid storing copies in unsecured systems (like email inboxes or shared folders without access controls).
Access control — Limit access to personal data to staff who genuinely need it, and log that access.
Retention policies — Have a clear process for securely disposing of data when it’s no longer needed.
Incident response planning — Prepare a clear, tested plan for what to do if a breach occurs—who to notify, how to limit damage, and how to communicate with affected customers.
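The following is an added illustration, not code from the article or from IT Professionals: a small in-memory customer store that applies three of the practices above (minimise what is collected, restrict reads by role and log every access, dispose of records once their retention period lapses). The purposes, roles, field lists and retention periods are assumptions chosen for the example; encryption at rest is not shown because it needs a library outside the standard library.

```python
"""Constructed example of data minimisation, role-based access with an
access log, and retention-based disposal. Hypothetical, in-memory only."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fields each collection purpose is allowed to capture (data minimisation).
# Assumption: purposes and field names are illustrative, not from any standard.
ALLOWED_FIELDS = {
    "order": {"name", "email", "delivery_address"},
    "loyalty": {"name", "email"},
}

# Fields each staff role may read (least privilege). Also an assumption.
ROLE_FIELDS = {
    "dispatch": {"name", "delivery_address"},
    "marketing": {"email"},
    "support": {"name", "email", "delivery_address"},
}

# Retention period per purpose, in days (illustrative values).
RETENTION_DAYS = {"order": 365, "loyalty": 730}


@dataclass
class Record:
    customer_id: str
    purpose: str
    fields: dict
    collected_at: datetime


@dataclass
class Store:
    records: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)

    def collect(self, customer_id, purpose, submitted, now):
        """Keep only the fields the stated purpose needs and drop the rest
        (e.g. a date of birth sent along with an order form).
        Returns the names of the fields that were discarded."""
        allowed = ALLOWED_FIELDS[purpose]
        kept = {k: v for k, v in submitted.items() if k in allowed}
        dropped = sorted(set(submitted) - allowed)
        self.records[customer_id] = Record(customer_id, purpose, kept, now)
        return dropped

    def read(self, actor, role, customer_id, now):
        """Return only the fields this role may see; every attempt is logged,
        including denied ones, so access can be reviewed later."""
        if role not in ROLE_FIELDS:
            self.access_log.append((now, actor, customer_id, "DENIED"))
            raise PermissionError(f"role {role!r} may not read customer data")
        rec = self.records[customer_id]
        visible = {k: v for k, v in rec.fields.items() if k in ROLE_FIELDS[role]}
        self.access_log.append((now, actor, customer_id, sorted(visible)))
        return visible

    def purge_expired(self, now):
        """Dispose of records older than their purpose's retention period.
        Returns the ids that were removed."""
        expired = [
            cid for cid, r in self.records.items()
            if now - r.collected_at > timedelta(days=RETENTION_DAYS[r.purpose])
        ]
        for cid in expired:
            del self.records[cid]
        return expired


def demo():
    """Walk through collection, a permitted read, a denied read and a purge."""
    store = Store()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed order form that over-collects a date of birth.
    form = {"name": "A. Customer", "email": "a@example.invalid",
            "delivery_address": "1 Example St", "date_of_birth": "1990-01-01"}
    dropped = store.collect("c1", "order", form, t0)
    seen = store.read("sam", "dispatch", "c1", t0)
    try:
        store.read("eve", "intern", "c1", t0)
    except PermissionError:
        pass
    purged = store.purge_expired(t0 + timedelta(days=366))
    return dropped, seen, len(store.access_log), purged


if __name__ == "__main__":
    print(demo())
```

The point of `collect` returning the dropped field names is that over-collection becomes visible at the point of capture, which is where the "Why do we need this data?" question belongs; the access log records denials as well as successful reads so that an audit can see who tried to look at what.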
Bottom line: Data protection isn’t just for big corporations. Small businesses are both stewards and custodians of their customers’ trust—and the reputational and legal costs of getting it wrong are far higher than the investment needed to get it right.