Managing customer data securely: a guide for small teams

A small team often knows its customers personally. That is exactly what tempts people to be careless about data protection: addresses sit in an Excel spreadsheet, notes are scattered across three inboxes, and the password for the shared tool is on a sticky note next to the screen. As long as nothing goes wrong, no one notices. But when a laptop disappears or an employee leaves the company, it quickly becomes clear just how scattered the customer data really is. This guide shows how to create order with manageable effort, without needing your own IT team to do it.

What data protection for SMEs is really about

Since the revision of the Swiss Data Protection Act (revDSG) took effect in September 2023, stricter rules apply to handling personal data. The good news for small teams: it is not about building up bureaucracy, but about being able to explain at any time which data you have stored and why. Anyone dealing with customers or suppliers in the EU should also keep the GDPR in mind.

At their core, these obligations come down to three questions that you should be able to answer for every record:

• Which data are we collecting, and do we actually need it?
• Who has access to it, and is that access justified?
• How long do we keep the data, and when do we delete it?

Data protection in an SME does not mean encrypting everything, but knowing where which data lives and who is allowed to see it.

Data minimisation: store less, protect less

The simplest record is the one you never collect in the first place. Before a form field makes its way into your CRM, it is worth asking whether you really need that information for the business relationship. A business contact's date of birth, their private mobile number, or notes about personal preferences are often nice to have, but create unnecessary risk if something goes wrong.

A practical example: a five-person consultancy spent years keeping a list of fee rates, internal assessments, and private contact details in the same spreadsheet as the billing addresses. When a new intern was given access to the spreadsheet, they saw everything else too. The solution was not more technology, but a clear separation: what belongs to invoicing lives apart from internal evaluations.

Grant access deliberately

Assign permissions on the principle of "as much as necessary, as little as possible". In small teams, experience shows that everyone soon ends up with full access to everything, because it is more convenient. Take half an hour twice a year and check: who still works here, who needs which access, and which old accounts can be deactivated?

The technical basics that really count

You do not need to become a security expert to pull the most important levers. These four measures bring the greatest benefit for small teams:

1. Two-factor authentication for all business accounts, especially email and CRM. It prevents the most common form of data theft.
2. A password manager for the whole team, so that no one reuses passwords or shares them via chat.
3. Regular backups whose restoration you have tested at least once. A backup that does not work when it matters is no backup at all.
4. Keeping data in the right place. Pay attention to where your tools store the data. For many Swiss SMEs it is an advantage if the data stays in Switzerland and is not spread across several jurisdictions.

Clear processes instead of gut feeling

Security comes less from individual tools than from recurring routines that everyone knows. Set out on a single page what happens when a person joins and when they leave, who customers should turn to with an access request, and who is informed in the event of an incident. This document does not have to be perfect, it just has to exist and be used.

Also practise the worst case on a small scale: if someone asked you in writing tomorrow to receive or delete all the data stored about them, could you do it within a reasonable timeframe? Anyone who answers yes to that question has cleared the key hurdle of the revDSG.

When the tool helps out

Much of this becomes easier when customer data is not scattered across spreadsheets and inboxes, but kept in one place. That is exactly what Advanzo is for: an AI-powered CRM for Swiss SMEs that keeps the data in Switzerland and makes permissions and histories traceable. AI features such as email generation, deal scoring, or conversation summaries support your daily work without you giving up control over your data. The idea behind it stays simple: "remove complexity, not add it" - so that even a small team handles data protection with confidence, instead of being afraid of it.