For service sector businesses, finding the right data storage solution can be a complex undertaking. Regulatory bodies such as the Law Society and the FSA have the power to suspend a regulated firm’s activities if it fails to retain data for the necessary amount of time. Consequently, it is essential to consider all available options and understand the associated risks. In the past, the issue of data storage was mainly determined by the advantages and disadvantages of hard disks, tapes, and optical storage media such as CDs. However, the advent of cloud computing and mobile devices has changed the debate. This guide provides an overview of the various data storage options and the potential benefits and challenges each present. We will also discuss ways to minimise risk and ensure regulatory compliance.



The question of whether to work online or offline has emerged as an important one for businesses as the use of cloud services and mobile devices have become increasingly commonplace. On the one hand, centralised data sources and applications enable different users to access the same up-to-date information from anywhere. On the other hand, the use of unauthorised cloud services and taking data offline can create security risks, such as data being put in the cloud in an uncontrolled way or the potential of computing or storage devices being lost with highly confidential data. It is therefore vital for businesses to carefully consider the risks and benefits of both online and offline working.

A successful data management policy should aim to keep data online as much as possible. If it must be taken offline, encryption should be used to protect the data on the user’s device. Additionally, security measures such as destroying data if incorrect passwords or decryption attempts are made can be implemented.




Servers may be housed in a physical location such as an office server room, data centre, head office, or a commercial third-party data centre. Depending on the sensitivity of the data and the level of risk that can be tolerated, physical security measures should be taken to prevent damage and theft. For example, in an open-plan office where a Small Business Server is stored, a locked server room or data centre may provide the necessary access control.

24/7 access control can help maintain physical security standards for servers in office environments. Verifying any physical access events with real-time technologies like CCTV is recommended. Additionally, consider the advantages of encryption to prevent unauthorized data access if it occurs. For data centre facilities to meet ISO27001 physical security standards, the facility must implement physical security measures that comply with industry best practices.


Some businesses may use remote data centres to store server data for backup and Disaster Recovery (DR) or for hosted desktop solutions. Additionally, discrete web applications for specific business processes may also place company information on remote data centre servers. Data sovereignty is a barrier that has prevented some businesses from fully exploiting the benefits of cloud computing, as the question marks over which laws apply to data held in offshore locations have proved problematic. The Safe Harbour agreement allowed American companies to use a single standard for consumer privacy and data storage in both the US and Europe; however, recent legal challenges have brought its validity into question. The European Court of Justice has ruled that individual EU nations should set their own rules and that US-registered companies storing European customer data in European facilities may have to surrender the data to the US authorities if requested.


UK companies should opt for service providers that are registered in the UK and have data storage policies that limit data to UK-only data centres. Private clouds offer businesses the advantages of the cloud while keeping their data under their direct control. However, multi-tenanted private clouds, where resources are shared between businesses, can compromise the security of individual companies. Public clouds offer greater financial benefits, but at the cost of increased risk.