What policies do I need in place as a small business?

15 November 2023 | 9 min read | Claire Gurney

If you’re running a small business, you may not have thought about all the policies you must have in place, let alone those you should have in place. As with many things, it’s better to be proactive: scrambling to produce a policy document that has been requested by a potential customer, or worse, by an employment tribunal, is not fun for anyone. This blog introduces the different requirements and gives some pointers for getting started.

Before we dive into the detail it is worth clarifying what we mean by a policy. There are different definitions out there, but for this blog post we mean:

  • Policy – a high-level document that sets out the “what”.
  • Process – a lower-level document that sets out the “how”.

This isn’t a rigid distinction, and it is often practical to combine the two into one document. What matters is that any document you create communicates the required information to the reader in a clear, concise, and unambiguous way.

Introduction

Whilst bigger companies typically have dedicated HR and legal teams, it can be hard for small and medium-sized companies to know what to do without resorting to expensive outside help. We have aimed this blog at small businesses, as these are our clients, and some of the legal requirements differ for larger businesses.

Given that there are many definitions of company size, what do we mean by a small business? For the purpose of this article, a small business has fewer than 100 people and/or a turnover of less than £10 million, and a medium business has fewer than 250 people and/or a turnover of less than £36 million. These figures have been chosen because they are close to the thresholds in the Government’s Companies House guidance. Some GDPR record-keeping requirements also change once you have 250 or more employees, and you are required to publish a Modern Slavery Statement if your turnover is £36 million or more.

Overall, there are four areas of policy, with a complicated and in some cases overlapping justification:

  1. What’s legally required.
  2. What you’re best placed to have, for legal protection in the event of something unfortunate happening.
  3. What you need for data protection compliance, i.e. GDPR.
  4. What you likely need for basic cyber security schemes such as Cyber Essentials.

Of course, having a policy in place is only the first step. Making sure it is universally understood, followed, and checked is just as important.

Does the Law Require my company to have any policies?

As a small business operating in Great Britain there are three policies that you are required to have by law. They are:

  • Health and Safety Policy – required if you have 5 or more employees. If you have 10 or more employees you also need an Accident Book.
  • Disciplinary Policy – what happens in the event of poor performance or misconduct.
  • Grievance Policy – how employees can raise a grievance, and the internal process for handling it.

The Disciplinary and Grievance policies are linked to the Employment Act 2008, which doesn’t apply in Northern Ireland. Relevant legislation for Northern Ireland can be found at nidirect, and the Labour Relations Agency.

There is plenty of helpful information on Health and Safety available from the Health and Safety Executive (HSE), and good guidance on Disciplinary and Grievance processes from the Advisory, Conciliation and Arbitration Service (Acas).

Are there any other policies I should think about?

There are some other policies which are not legally required, but which should be in place to protect you in the event of legal action. Without them it may be difficult to defend yourself in court, if it ever came to that. They are:

But what about GDPR?

The General Data Protection Regulation doesn’t mandate any specific policies, but it does require any organisation that processes the personal data of individuals in the EU to comply with the legislation. Post-Brexit the same rules apply in the UK in the form of the UK GDPR, alongside the Data Protection Act 2018. Most companies will, at the very least, hold personal data about their staff and their customers.

At the time of writing there are no approved UK GDPR Codes of Conduct to help companies demonstrate compliance, but there is a wealth of information available from the Information Commissioner’s Office (ICO). The ICO also provides guidance on what documentation you are expected to keep.

If a company experiences a data breach, or the ICO asks a company to demonstrate its compliance with GDPR, the easiest way to do so is to have the following documentation, as a minimum:

  • Personal Data Protection Policy.
  • Privacy Notice and Employee Privacy Notice.
  • Data Retention Policy and Data Retention Schedule.
  • Record of Data Subject Consent (including parental consent for children), where consent is the lawful basis you rely on.
  • Records of any Data Protection Impact Assessments you have conducted (a DPIA Register):
    • If you have CCTV, you must have done a DPIA for it.
    • If you process special category data, you must have done a DPIA for it.
  • Data Processing Agreements (DPAs) with any Processors who handle the personal data your organisation is responsible for.
  • If you are a Processor for someone else’s data, you should also have a DPA in place, provided to you by the Controller.
  • Incident Management Policy and Register (aka Data Breach Policy), which should include how you will meet the 72-hour deadline for reporting a notifiable breach to the ICO.

GDPR compliance is a complex area that we will cover in a future blog.

What about Cyber Essentials?

Cyber Essentials has changed considerably over the last few years. While it requires a lot of technical measures to be in place, it doesn’t explicitly require any specific documented policies.

However, it does ask for the following, which are easiest to demonstrate with documentation:

  • A process to create and approve user accounts.
  • An established process in place to change passwords promptly if there is a suspected account compromise.
  • Support for users in choosing unique passwords of sufficient length.
  • Separate accounts to perform administrative activities. These accounts should not be used for emailing, web browsing or other standard user activities.
  • The use of multi-factor authentication wherever it is available, and always for cloud services.
  • A record of all people that have been granted administrator accounts, which is reviewed regularly.
  • Approved business case for any open ports that can be externally accessed on routers or firewalls.
  • Approved business case for any firewall configurations that allow access to their configuration settings over the internet.
  • Approved business case for any inbound firewall rules.

We would recommend creating an Identity and Access Management (IDAM) policy or password policy, together with a Joiners and Leavers process, to cover the first six bullets. Similarly, the final three bullets will probably need a firewall policy that records each inbound rule, who approved it, and why.

That’s not all. Cyber Essentials asks for many other technical controls to be in place, including device management, malware protection, security update management and secure configuration, which is why Cyber Essentials will get a blog post of its own.

Are there any other policies you would recommend?

Creating and maintaining policies can be an expensive and time-consuming activity, which may not be financially viable for many SMEs. However, there are a few policies that we would recommend all SMEs create on top of those already mentioned above.

IT and Internet Usage Policy (aka Acceptable Use Policy)

A small business will often have a mixture of company-supplied and BYOD (Bring Your Own Device) computers and phones in use by its employees. An IT and Internet Usage Policy tells employees what acceptable use of technology in the workplace looks like. It can be used to ensure that employees do not:

  • Perform inappropriate or illegal activity on the internet that could jeopardise the company’s legal position and reputation.
  • Misrepresent the company on the internet.
  • Use company-provided or company-managed equipment for personal purposes, if you don’t wish them to, or conversely use personal devices for company purposes.
  • Share company data inappropriately.
  • Neglect the care and maintenance of company-provided or company-managed equipment.

You can also use this policy to mandate a minimum standard for BYOD devices, for example that they run anti-malware software, have their operating system and applications kept up to date, and are protected with a PIN or password. Bear in mind that personal devices used to access company data are in scope for Cyber Essentials, so the standard you set here needs to match what you claim in your assessment.

Supply Chain Due Diligence Policy

It is very likely that any small business will hold data that it wishes to protect for commercial reasons, and data that it is legally obliged to protect under legislation such as GDPR.

It is also likely that a small business will use other companies, services, platforms, and products to help it store and process this data. It could be a cloud provider that stores data for you, a payment service that handles all your transactions, or some accounting software. Before you choose which company, service, or product to entrust your data to, you should undertake some basic due diligence to make sure it complies with the relevant legislation and with data security good practice. A Supply Chain Due Diligence Policy gives you a standard set of questions that any supplier must answer, so you get some assurance that your data is being looked after appropriately. Useful questions include where the data is stored, who can access it, whether the supplier holds a recognised certification such as Cyber Essentials or ISO 27001, and how they will notify you of a breach.

While it is not practical for larger companies like Microsoft to answer individual questionnaires, they publish a privacy notice, often a GDPR statement, and usually a trust or compliance page detailing how they store and process your data. Read it, and keep a copy of what you relied on.

You wouldn’t leave all your company data in an open filing cabinet in a public office where anyone could access, take, or change it, yet that is exactly what you could be doing electronically when you pick a company or service to manage your data without checking it first.

Joiners and Leavers Process

While not strictly a policy, we would recommend creating a Joiners and Leavers Process. When a new employee joins your business, you want to make sure that they:

  • Are provided with all the equipment necessary to do their job.
  • Receive all the required training.
  • Read and agree to all the rules and policies you need them to comply with.
  • Are given only the accounts and access they need for their role, with each account recorded.

A Joiners and Leavers process acts as a checklist to make sure that every new employee is provided with everything mentioned above. For example, there is no point having a Health and Safety Policy if you don’t make sure everyone reads it and acknowledges that they have done so.

Conversely, when someone leaves your company you want to make sure they return all their equipment and that they no longer have access to any company data. In practice that means disabling their accounts on the day they leave, removing them from shared mailboxes and cloud services, and changing any shared passwords they knew. Keeping the record of administrator accounts that Cyber Essentials asks for makes this much easier.

What if I need help?

If you need help, come and talk to us about your requirements.

Red Maple Technologies can offer a range of services, from simple help and guidance, through templates for standard policies, to full policy development tailored to the size and shape of your business.

About Claire Gurney
Claire is a technical cyber security professional with over 25 years’ experience across a broad range of roles within the public and private sectors. With a deep understanding of cyber security, she has focused in her career on security architecture, systems engineering, secure and safety-critical software development, applied cryptography, and security policies and standards. At Red Maple she helps deliver our security consulting services.