Every business and every employee responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
Note the part above that says the data must be handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
If you have any type of employee or customer data stored on your computers, then you are ultimately responsible for the protection of this data.
Even if your business doesn’t store any data, it’s still a target for ransomware attacks, because attackers know that whatever data is stored is usually necessary for the business to operate and make money.
The full list of responsibilities is explained here: https://www.gov.uk/data-protection