Data leaks don't always make the news. For every headline about a massive breach at a multinational, there are thousands of quiet leaks at small and medium businesses — an employee forwarding sensitive files to a personal email, a cloud service misconfigured to be publicly accessible, or a backup drive left unencrypted in a desk drawer.

Enterprise Data Loss Prevention (DLP) tools from vendors like Symantec, Microsoft Purview, or Forcepoint cost tens of thousands per year and require dedicated security teams to manage. Most SMBs can't justify that investment. But that doesn't mean they can't protect their data.

The most effective data leak protection doesn't start with buying software. It starts with knowing what you have.

What is a data leak?

A data leak is the unintended exposure of data to an unauthorized party. Unlike a data breach (which involves active intrusion), a leak often happens through negligence, misconfiguration, or lack of awareness.

Common leak vectors for SMBs include:

  • Email — forwarding internal documents externally, CC'ing the wrong person
  • Cloud storage — shared links with "anyone with the link" access
  • Personal devices (BYOD) — company data on unmanaged phones and laptops without encryption
  • Former employees — access not revoked after departure
  • Backups — unencrypted backup drives, cloud backups without access controls
  • Third-party services — data shared with vendors who have their own sub-processors

The data leak protection checklist

Here are 10 practical steps any SMB can take — no enterprise DLP suite required.

1. Know what services you use

List every cloud service, SaaS tool, and platform your organisation uses. Include the obvious ones (email, CRM, accounting) but also the forgotten ones (that free file sharing tool someone signed up for three years ago).

For each service, document: who owns the relationship, where data is stored (country), and what the service's role is (controller or processor).

2. Map who accesses what

Document which roles or people access which services. A marketing intern shouldn't have access to the HR system. An external contractor shouldn't be in your financial software.

Look for concentration risks: if one person has access to everything, their account is a single point of failure.

3. Assess device security

Every device that accesses your services is a potential leak point. For each device category (company laptops, personal phones, shared workstations), check:

  • Is disk encryption enabled?
  • Is there a screen lock policy?
  • Is remote wipe available (for mobile/laptop)?
  • Are operating system updates automatic?
  • Is there MDM (Mobile Device Management)?

An unencrypted laptop left in a train is a data leak waiting to happen.

4. Document your data items

What types of data does your organisation process? Customer names, financial records, employee contracts, health data? Classify each data item by sensitivity.

Special category data (health, biometric, racial/ethnic origin) requires extra protection under GDPR. If you process it, you need to know exactly where it is.

5. Check your legal bases and retention periods

For each data item, document why you're processing it (the GDPR legal basis) and how long you keep it. Data you don't need anymore is data that can't leak. Delete what you no longer need.

Missing legal bases and undefined retention periods are red flags in any audit.

6. Review access periodically

Access rights accumulate over time. People change roles, join projects, leave the company — but their access often stays the same. Run periodic access reviews:

  • Does everyone still need the access they have?
  • Are there accounts that haven't been used in months?
  • Are shared accounts in use (these should be eliminated)?

7. Check your backup strategy

Backups are essential, but they're also copies of your sensitive data. Ask yourself:

  • Where are your backups stored? On-site? Off-site? Cloud?
  • Are they encrypted?
  • Who has access to the backup media?
  • Have you tested restoring from backup recently?
  • Do your backups follow a strategy like 3-2-1 (3 copies, 2 media types, 1 offsite)?

An unencrypted backup on a NAS without access controls is a leak vector.

8. Assess vendor lock-in and exit strategies

If a vendor holds your data and you can't export it, you're dependent. If that vendor is compromised, your data goes with it. For each critical service:

  • Can you export your data in an open format?
  • What happens if the vendor goes bankrupt or is acquired?
  • Do you have a data processing agreement (DPA) in place?

9. Document data transfers

Data doesn't stay in one place. It flows between services — your CRM syncs to your email marketing tool, your ERP exports to your business intelligence dashboard, your laptops back up to a NAS which replicates to the cloud.

Map these transfers. For each one, document: what data moves, why, how (API, file transfer, manual export), and whether it crosses borders.

10. Generate a risk assessment

Once you've documented everything above, you have enough information to assess your risks. Look at each service and ask: what's the worst that could happen if this service is compromised? What if this data leaks? What if this device is lost?

A risk register that scores each service based on data sensitivity, access patterns, and security controls gives you a prioritised list of what to fix first.
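The scoring idea above, as an added example (not code from the original article or from any product it mentions): each service record carries the facts gathered in steps 2, 4, 6, 8 and 9, impact is the data sensitivity, likelihood grows with each missing control, and the register is sorted so the highest product comes first. The field names, weights and the three sample services are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Ordinal weight for the highest data classification a service holds (step 4).
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "special_category": 4}

@dataclass
class Service:
    name: str
    sensitivity: str        # key into SENSITIVITY
    users: int              # accounts with access (step 2)
    admins: int             # accounts with full/admin rights
    encrypted_at_rest: bool
    mfa_enforced: bool
    dpa_in_place: bool      # data processing agreement signed (step 8)
    cross_border: bool      # data leaves its home jurisdiction (step 9)
    stale_accounts: int     # accounts unused for 90+ days (step 6)

def findings(s: Service) -> list[tuple[str, int]]:
    """Control gaps for one service, each with an assumed likelihood weight."""
    gaps = []
    if not s.mfa_enforced:
        gaps.append(("no MFA", 2))
    if not s.encrypted_at_rest:
        gaps.append(("unencrypted at rest", 2))
    if s.stale_accounts > 0:
        gaps.append((f"{s.stale_accounts} stale account(s)", 1))
    if not s.dpa_in_place:
        gaps.append(("no DPA", 1))
    if s.cross_border:
        gaps.append(("cross-border transfer", 1))
    if s.users > 0 and s.admins == s.users:   # no least privilege at all
        gaps.append(("every user is an admin", 1))
    return gaps

def score(s: Service) -> int:
    """Impact (sensitivity) x likelihood (1 + sum of gap weights)."""
    return SENSITIVITY[s.sensitivity] * (1 + sum(w for _, w in findings(s)))

def prioritise(services: list[Service]) -> list[tuple[str, int, list[str]]]:
    """Risk register: (service, score, gap labels), highest score first."""
    ranked = sorted(services, key=score, reverse=True)
    return [(s.name, score(s), [g for g, _ in findings(s)]) for s in ranked]

# Constructed sample inventory; the forgotten file-sharing tool outranks HR.
INVENTORY = [
    Service("HR system", "special_category", 5, 5, True, False, True, False, 2),
    Service("Free file sharing tool", "confidential", 3, 1, False, False, False, True, 0),
    Service("Website CMS", "public", 2, 1, True, True, True, False, 0),
]

if __name__ == "__main__":
    for name, risk, gaps in prioritise(INVENTORY):
        print(f"{risk:>3}  {name}: {', '.join(gaps) or 'no gaps found'}")
```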

From checklist to continuous process

This checklist isn't a one-time exercise. Data landscapes change constantly — new services are adopted, people join and leave, regulations evolve. The organisations that avoid data leaks are the ones that make this documentation a living process, not a dusty PDF.

Tools that help

Readmodel® automates most of this checklist. It provides 200+ pre-configured service templates, maps data flows with an interactive graph, scores risks automatically, checks backup strategy compliance, assesses device security, and generates AI-powered analysis reports. The ROPA and risk register exports come as a byproduct of the documentation you'd want to do anyway.

Data leak protection starts with visibility. You can't protect what you can't see.