How do we keep logs and access controls to satisfy ICO guidance?

Updated

Keeping detailed logs and controlling who can access your IT systems is essential for meeting the Information Commissioner's Office (ICO) guidance on data protection. Simply put, this means recording who does what on your systems and ensuring only authorised staff can access sensitive information. This helps your business spot potential security issues early, maintain customer trust, and demonstrate compliance with UK data protection laws like the Data Protection Act 2018 and UK GDPR.

Why this matters for UK SMEs

Without proper logging and access controls, your business risks data breaches, unauthorised changes, or loss of critical information. Such incidents can lead to costly downtime, damage to your reputation, and possible fines or enforcement action from the ICO. For example, if an employee accidentally deletes customer records or a cyber attacker gains access to your systems, detailed logs help you understand what happened and when. Access controls reduce the chance of such incidents by limiting who can view or change sensitive data.

A typical scenario

Consider a UK SME with around 50 staff handling customer data across sales, finance, and support teams. Without clear access controls, staff might access data unrelated to their role, increasing the risk of accidental or malicious misuse. If a ransomware attack occurs, logs showing unusual login times or failed access attempts can help IT quickly identify compromised accounts and contain the breach. A trusted IT partner would implement role-based access controls, enable multi-factor authentication (MFA), and set up centralised logging to capture key events across servers, applications, and network devices.

Practical checklist for SMEs

  • Ask your IT provider: How do you manage user access rights? Do you enforce role-based access and MFA?
  • Check logging practices: Are logs collected centrally and retained securely for an appropriate period (e.g. 6–12 months)?
  • Review access lists: Regularly verify who has access to sensitive systems and data, removing any unnecessary permissions.
  • Confirm audit readiness: Can your IT provider produce logs on demand for investigations or ICO audits?
  • Test internal controls: Perform spot checks on user accounts and review password policies to ensure complexity and regular updates.
  • Backup logs and data: Ensure your backups include logs and that these are stored securely offsite or in the cloud.
  • Document policies: Maintain clear internal policies on access control and logging aligned with ICO guidance and Cyber Essentials requirements.

Common pitfalls to avoid

Avoid relying solely on default system settings or manual logging processes that are inconsistent or incomplete. Overly broad access rights or shared accounts make it hard to trace actions back to individuals. Neglecting to review and update access controls regularly can leave your business exposed as staff roles change. Finally, failing to store logs securely or for a sufficient time can hinder incident investigations and compliance efforts.

For UK SMEs, working with an experienced IT consultant or managed service provider can help establish and maintain effective logging and access control practices tailored to your business needs. They can also assist with preparing for ICO audits and meeting standards like Cyber Essentials or ISO 27001. If you haven't reviewed your approach recently, consider speaking with a trusted IT advisor to ensure your systems protect your data and your customers.

Tools & software for this topic

Not ready to change IT providers yet? These buying guides walk through tools your team can use to improve things on your own.

We may earn a small commission if you sign up with any of these tools and services, at no extra cost to you. We only feature tools that are appropriate for British businesses like yours.

Tools you can try right away

These tools line up with the topics in this guide and are commonly used by small and mid-sized businesses.

Acronis Cyber Protect

Best for: Best for UK SMEs seeking combined backup and malware protection in one solution

Integrated backup and cybersecurity for reliable data protection

Acronis Cyber Protect combines backup, disaster recovery, and cybersecurity features in a single platform. It is commonly used by organisations that want to reduce risk with integrated malware defence alongside data protection. Many find it useful for managing backups and security from one console.

View Acronis Cyber Protect plans

Backblaze Business Backup

Best for: Best for UK SMEs seeking simple, cost-effective cloud backup with unlimited data

Reliable cloud backup for straightforward data protection and recovery

Backblaze Business Backup is commonly used by small businesses for easy, unlimited cloud backup. It offers straightforward setup and predictable pricing, helping organisations protect data without complex management or hidden fees.

View Backblaze Business Backup plans

Box Business

Best for: Best for UK SMEs needing combined backup and team file access

Secure cloud backup with easy file sharing and collaboration

Box Business is commonly used by SMEs to back up data while enabling secure file sharing and collaboration. It offers strong integration with popular productivity tools and supports compliance with UK data protection standards.

View Box Business plans

Carbonite for Business

Best for: Best for UK SMEs needing straightforward cloud backup with easy restore

Reliable cloud backup with flexible recovery options for SMEs

Carbonite for Business is commonly used for cloud backup and disaster recovery by small and medium-sized organisations. It offers automated backups with flexible restore options, helping reduce data loss risk and maintain business continuity.

View Carbonite for Business plans

CrashPlan for Small Business

Best for: Best for UK small businesses needing straightforward, continuous backup with easy recovery options

Reliable cloud backup with continuous data protection for SMEs

CrashPlan for Small Business offers continuous cloud backup designed for small organisations. It is commonly used to protect business data with automatic backups and simple restore processes, helping reduce risk and downtime.

View CrashPlan for Small Business plans

Dropbox Business

Best for: Best for SMEs needing straightforward cloud backup with team collaboration features

Secure cloud backup with easy file access and sharing for teams

Dropbox Business is commonly used for cloud backup and file sharing within small to medium UK businesses. It offers reliable file syncing across devices and simple collaboration tools, helping teams keep data backed up and accessible without complex setup.

View Dropbox Business plans

Need hands-on help?

If you’d rather have a provider handle this for you, here are firms that work on IT Consulting & vCIO in United Kingdom.

Top firms for IT Consulting & vCIO
Cloud10 IT & Cloud Services
Manchester, England

Overview

Cloud10 IT & Cloud Services is a managed IT services provider based in Manchester, England. They specialise in delivering reliable IT support tailored for small and medium-sized enterprises (SMEs), charities, and professional services. With a focus on fostering secure communication and efficient issue resolution, this IT support company plays a vital role in enhancing the operational integrity of their clients.

This MSP is dedicated to providing consistent and effective support that simplifies the IT experience for its clients. They ensure that technical issues are resolved swiftly and that there is ongoing communication throughout the process. By offering a range of services, Cloud10 helps organisations streamline their operations while maintaining compliance with regulations such as the UK GDPR and Cyber Essentials.

What clients say about this company

Feedback from clients highlights the exceptional level of support they receive from Cloud10. Many appreciate the ease of raising issues and the prompt response times that facilitate smooth resolutions. Clients often remark on how well the team communicates during troubleshooting, which builds trust and reassurance.

5.0★
Solid Rock IT UK
London, England

Overview

Solid Rock IT UK is a managed IT services provider based in London, England. They focus on delivering reliable IT support and tailored solutions for a range of clients, including small and medium-sized enterprises, charities, and educational institutions. With a commitment to security, this IT support company helps clients navigate their IT challenges efficiently.

This MSP specialises in various areas, including cybersecurity, network cabling, and WiFi solutions. They aim to ensure that clients maintain robust IT systems while offering clear communication and thorough follow-up for all services. Solid Rock IT UK places a strong emphasis on delivering personalised support to meet the unique needs of each customer.

What clients say about this company

Clients appreciate the consistent follow-up and clear communication provided by this company. Many have noted the professionalism of their engineers, who demonstrate expertise when addressing issues related to hardware upgrades and system setups at clients' locations.

The company's dedication to thoroughness and transparency has also garnered positive feedback. Clients feel reassured by Solid Rock IT UK's honest approach and their ability to resolve IT issues promptly, helping them achieve necessary cybersecurity certifications and improve their network setups.

4.9★
Stephensons IT Support Solutions Ltd
Barnsley, England

Overview

Stephensons IT Support Solutions Ltd is a managed IT services provider based in Barnsley, England. This IT support company focuses on delivering reliable support for various technology needs, particularly for small and medium-sized enterprises (SMEs) and educational institutions. Their goal is to ensure clients have seamless access to technology and are equipped to handle any IT challenges.

This MSP offers a range of services, including IT support, hardware repair, and maintenance. They are known for their clear communication and transparent pricing, which help build trust with clients. With a focus on resolving issues quickly and efficiently, this provider supports clients in maintaining smooth operations and enhancing their overall tech experience.

What clients say about this company

Clients appreciate the professionalism and reliability of Stephensons IT Support Solutions Ltd. Many have noted the clear communication throughout their service experience, which contributes to a positive working relationship. Customers often describe the company as honest and straightforward, valuing the transparency in pricing and service timelines.

Feedback highlights the quick resolution of IT issues, with clients reporting satisfaction with the speed of service. Many users have recommended this IT support company for its competitive pricing and the quality of repairs. Overall, clients express confidence in the support provided, often returning for additional services when needed.

5.0★
AgencyTech IT
Bristol, England

Overview

AgencyTech IT is a managed IT services provider based in Bristol, England. This IT support company focuses on delivering reliable technical assistance to small and medium-sized enterprises (SMEs), charities, and educational institutions across the UK. They work to ensure that clients' IT systems function smoothly and securely.

This MSP helps clients by providing a range of services, including troubleshooting, device repair, and general IT support. They are committed to upholding high standards of service in line with UK regulations, such as GDPR and Cyber Essentials. By prioritising communication and professionalism, they aim to build long-lasting relationships with their clients.

What clients say about this company

Feedback from clients highlights the friendly and welcoming service they experience at AgencyTech IT. Many appreciate the fast resolution of their IT issues, often praising the staff for their knowledge and helpfulness in addressing technical problems effectively.

Clients often mention the company's honesty and transparency in dealings, especially regarding pricing. They feel confident that they receive fair service, whether for repairs or general IT support, creating a positive impression and encouraging recommendations to others.

4.9★
Apex Computing Services
Manchester, England

Overview

Apex Computing Services is a managed IT services provider based in Manchester, England. This IT support company focuses on delivering reliable IT support and cyber security solutions to a range of clients, including small and medium-sized enterprises (SMEs), charities, and professional services. Their goal is to help organisations improve their technology reliability and security while enhancing communication between their teams.

This MSP has built a reputation for their responsive and professional service. Clients appreciate their thoroughness in addressing issues, ensuring that all requirements are understood and met. By adhering to UK regulations such as the UK GDPR and Cyber Essentials, they offer a secure and compliant environment for businesses to thrive.

What clients say about this company

Feedback from clients highlights the quick and helpful responses from Apex Computing Services. Many have experienced a smooth transition to their services and commend the professional manner in which support requests are handled. There is a consistent emphasis on the company's ability to resolve issues efficiently.

Clients also express satisfaction with the transparent communication from the account management team. They appreciate the proactive approach and clear expectations set by the staff, who ensure that clients are kept updated throughout any ongoing support. This reliability has built strong trust between the clients and the MSP.

5.0★
Bubble IT
Nottingham, England

Overview

Bubble IT is a managed IT services provider based in Nottingham, England. They focus on delivering reliable IT support and solutions to a wide range of clients, including small and medium-sized enterprises (SMEs), charities, and educational institutions. This IT support company is dedicated to addressing their clients' technology needs with a strong emphasis on security, efficiency, and clear communication.

This MSP assists clients by diagnosing and resolving IT issues promptly. They take pride in their honest and transparent approach, ensuring that customers feel informed throughout the process. With a focus on providing cost-effective services, Bubble IT is committed to building lasting relationships with their clients and helping them navigate the increasingly complex world of technology.

What clients say about this company

Clients have praised Bubble IT for their friendly and efficient service. Many appreciate the supportive atmosphere, noting that the team takes the time to explain problems clearly. This personal touch has led to a high level of trust, with clients feeling confident in the solutions provided.

The company has also been recognised for its commitment to security and transparency. Customers often highlight the professionalism of the staff, who are dedicated to resolving issues effectively and promptly. Bubble IT's reasonable pricing and welcoming environment further contribute to positive client experiences.

4.7★
See all IT Consulting & vCIO service companies
By city
London, England
View all
Manchester, England
View all
Nottingham, England
View all
Edinburgh, Scotland
View all
Glasgow, Scotland
View all
Birmingham, England
View all
Bristol, England
View all
Reading, England
View all

Related reading