Using Microsoft 365 for business to help you to mitigate and manage GDPR compliance
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization should handle personal data. If your business sells to, provides services to, or employs citizens of the European Union, then the GDPR will affect you.
As a small business admin, you're probably asking yourself, "How do I get started?" This may be especially true if your business doesn't handle personal data as a core business activity, or if the GDPR is totally new to you.
You can get started by reviewing this article, which is aimed at helping you understand what the GDPR is, why it came about, and how Microsoft 365 for business can help your organization comply with the GDPR.
It also includes answers to common questions about GDPR that small businesses may have, and highlights steps a small business can take to prepare for GDPR.
The Microsoft 365 solutions and recommendations in this article are tools and resources that can help you manage and protect your data, but are not a guarantee of GDPR compliance. It is up to you to assess your own compliance status. Consult with your own legal and/or professional advisors when needed.
The GDPR is an EU regulation that updates and expands the earlier Data Protection Directive (DPD) first enacted in 1995. The GDPR is concerned with the privacy of an individual's data, be that individual a client, customer, employee, or business partner. The GDPR's goal is to strengthen personal data protection for EU citizens, whether they reside in the EU or elsewhere. The regulation sets out expectations and advises on how to achieve them. Organizations must have measures in place that satisfy the requirements of the GDPR.
The GDPR is all about data and how it's used. Think of data as having a life cycle. The cycle starts when you collect data, continues as you store it and use it (processing), and ends when you completely delete it from your systems.
The GDPR is concerned with the following types of data:
You'll see some terms referred to frequently in the GDPR. It's important to understand these terms.
Consent:
The GDPR states: "The processing of personal data should be designed to serve mankind." The GDPR aims to achieve this goal by requiring consent when processing personal data. That could be the simple act of asking your customers whether they want to receive email messages from your company. It also means no more opt-out check boxes on your website when you want to use data for marketing. You must obtain explicit consent through a "clear affirmative act", and you'll also need to keep records of when consent is given or revoked.
Data subject rights:
The GDPR establishes data subject rights, which means that, with respect to their personal data, customers, employees, business partners, clients, contractors, students, suppliers, and so forth have the right to:
This section describes steps a small business can take to help it get ready for GDPR. Much of the information for these steps was provided through Seven steps for businesses to get ready for the General Data Protection Regulation, a publication provided through the Publications Office of the European Union.
A good way for a small business to get started with GDPR is to make sure to apply the following key principles when collecting personal data:
As a small business, one of the first steps you should take is to make an inventory of the personal data you collect and use within your business, and why it's needed. This includes data on both your employees and your customers.
For example, you may need your employees' personal data based on the employment contract and for legal reasons (for example, reporting taxes to the Internal Revenue Service).
As another example, you may manage lists of individual customers to send them notices about special offers, if they have consented to this.
Microsoft Purview Information Protection can help you discover, classify, and protect sensitive information in your company. You can use trainable classifiers to help you identify and label document types that contain personal data.
Individuals must know that you process their personal data and for which purpose. For example, if a customer needs to create a customer profile to access your business's online site, make sure you state specifically what you intend to do with their information.
But there is no need to inform individuals when they already know how you will use the data; for example, when they provide you with a home address for a delivery they ordered.
You also have to be able to inform individuals on request about the personal data you hold on them and give them access to their data. Being organized with your data makes it easier to provide to them, if needed.
For employee data, keep it as long as the employment relationship remains and for related legal obligations. For customer data, keep it as long as the customer relationship lasts and for related legal obligations (for example, tax purposes). Delete the data when it is no longer needed for the purposes for which you collected it.
Retention policies and labels can be used to help you keep personal data for a certain time and delete it when it’s no longer needed.
If you store personal data on an IT system, limit access to the files containing the data, for example by requiring a strong password. Regularly update the security settings of your system.
The GDPR does not prescribe the use of any specific IT system, but make sure that the system has the appropriate level of security. See GDPR Article 32: Security of Processing for more information.
If you store physical documents with personal data, make sure that they are not accessible by unauthorized persons.
If you choose to store personal data in the cloud, such as through Microsoft 365, you have security features such as the ability to help you to manage permissions to files and folders, centralized secure locations to save your files (OneDrive or SharePoint document libraries), and data encryption when sending or retrieving your files.
You can use Set up compliance features to help protect your business's sensitive information. Compliance Manager can help you get started right away! For example, you can Create and Deploy data loss prevention policies that use the GDPR template.
Prepare a short document explaining what personal data you hold and for what reasons. You might be required to make the documentation available to your national data protection authority if needed.
Such documents should include the information listed below.
Information | Examples
---|---
The purpose of data processing | Alerting customers about special offers such as providing home delivery; paying suppliers; salary and social security coverage for employees
The types of personal data | Contact details of customers; contact details of suppliers; employee data
The categories of data subjects concerned | Employees; customers; suppliers
The categories of recipients | Labor authorities; tax authorities
The storage periods | Employees' personal data until the end of the employment contract (and related legal obligations); customers' personal data until the end of the client/contractual relationship
The technical and organizational security measures to protect the personal data | IT system solutions regularly updated; secured location; access control; data encryption; data backup
Whether personal data is transferred to recipients outside the EU | Use of a processor outside the EU (for example, storage in the cloud); data location of the processor; contractual commitments
You can find Microsoft’s contractual commitments with regard to the GDPR in the Microsoft Online Services Data Protection Addendum, which provides Microsoft’s privacy and security commitments, data processing terms and GDPR Terms for Microsoft-hosted services to which customers subscribe under a volume licensing agreement.
If you sub-contract processing of personal data to another company, only use a service provider who guarantees the processing in compliance with the requirements of the GDPR (for instance, security measures).
To better protect personal data, organizations might have to appoint a Data Protection Officer (DPO). However, you may not need to designate a Data Protection Officer if processing of personal data isn’t a core part of your business, or if you are a small business. For example, if your business only collects data on your customers for home delivery, you should not need to appoint a DPO. Even if you need to make use of a DPO, these duties might be assigned to an existing employee in addition to his/her other tasks. Or you could choose to hire an external consultant for this duty as needed.
You normally don’t need to carry out a Data Protection Impact Assessment. This is reserved for businesses that pose more risk to personal data (for example, if they do a large-scale monitoring of a publicly accessible area, such as video-surveillance).
If you are a small business managing employee wages and a list of clients, you typically do not need to do a Data Protection Impact Assessment.
The GDPR is about the data you process, not the number of employees you have. It affects companies of all sizes, even sole proprietors. However, companies with fewer than 250 employees do have some exemptions, such as reduced record keeping, but only if you are sure the data processing doesn't affect the individual's rights and is occasional processing.
As an example, processing of non-personal data would be exempt or need reduced measures. However, if you process any data that is seen as "special category sensitive data", even if only occasionally, you will have to record this data processing. The definition of "occasional processing" is vague, but it's meant to apply to data that is used once or rarely.
You should also make sure that personal data that you collect is protected. This means that you need to encrypt it and make sure that access to it is controlled using at least a password. Keeping your customer data on a spreadsheet on your desktop with no protection won't meet GDPR expectations.
The first question to ask yourself is: Do you collect personal data anywhere on your site? For example, you might have a contact form that asks for a name and email address. If you want to send marketing emails, make sure you add an 'opt-in' checkbox that explains exactly what you will use the data for. Only if the recipient checks that box can you use their personal data for marketing purposes.
Also, check that the database that stores the data is protected. Your web hosting company or cloud storage vendor will be able to advise on this. If you use Microsoft 365 for business, storage of data is GDPR-compliant.
The GDPR is a regulation that protects EU citizens. If your company deals with EU citizens now, or you hope to in the future, you will be affected. This applies to both citizens living in an EU State and those living elsewhere.
Consider the following examples:
The GDPR also applies if customer data moves across borders. If you use cloud computing for data storage, you will need to make sure the service is fully GDPR-compliant. It can get complicated if data storage is in locations that have a poor record of data protection. If you use Microsoft 365 for business, we have the correct legal documentation in place to cover GDPR requirements.
Under the GDPR, if you collect data you are affected to some extent. The GDPR has the concept of a data processor and a data controller:
You need to make sure your customers, even ones that you've had for years, have consented to the use of their data for marketing. You may have previously captured consent, along with a record to show it. If so, you're all set to continue marketing. If not, you need to get permission from the customer to continue marketing to them. This usually involves sending an email asking customers to go to your site and select an option to consent to receive future emails.
The GDPR doesn't just affect customer data; it extends to employee data, too. New recruits are often located using social media platforms such as LinkedIn. Make sure that you don't store any potential recruit data without their express permission.
As for existing employees and new employee contracts, a signature at the end of a contract does not necessarily imply consent, especially when a non-affirmative clause is used in a contract. In this case, you must capture consent in an explicit manner associated with the clause. What this means depends on your employee contract, but you can rely on "legitimate interest" in some cases and add an employee data processing notice to make sure your employees are aware of what you will do with their data.
Becoming compliant with the GDPR is about making sure that personal data is protected. The GDPR has a concept known as Privacy by Design and Default. This means that data protection should be "baked in" to a system and a product so that satisfying privacy concerns is second nature.
Like their larger counterparts, small businesses need convenience without sacrificing security. Microsoft 365 for business is designed for companies of fewer than 300 employees. Small companies can use Microsoft cloud-based tools to improve business productivity. With Microsoft 365 for business, a small business can manage emails, documentation, and even meetings and events. It also has built-in security measures and device management, which are vital for GDPR compliance.
Microsoft 365 for business can help you with the GDPR process in the following ways:
Customers, employees, and clients are becoming more aware of the importance of data privacy and now expect a company or organization to respect that privacy. Microsoft 365 for business provides you with the tools to achieve and maintain GDPR compliance without a massive upheaval to your business.
To get ready for the GDPR, here are some suggestions for next steps to take:
Get legal advice appropriate for your company or organization.