What is General Data Protection Regulation (GDPR)?
At its core, GDPR is all about protecting the personal data of individuals – making sure there is proper security, governance, and management of such data to help prevent it from being misused or getting into the wrong hands. To help ensure that your organization is effectively protecting personal data as well as sensitive content relevant to organizational compliance needs, you need to implement solutions and processes that enable your organization to discover, classify, protect, and monitor data that is most important.
The GDPR is concerned with the following types of data:
- Personal data If you can link data to an individual and identify them, then that data is considered personal with respect to the GDPR. Examples of personal data include name, address, date of birth, IP address, mobile number, bank details/account numbers etc. The GDPR considers even encoded information (also known as “pseudonymous” information) to be personal data, regardless of how obscure or technical the data is, if the data can be linked to an individual.
- Sensitive personal data This is data that adds more details to personal data. Examples include religion, trade union membership, ethnic origin, and so on. Sensitive personal data also includes biometric data and DNA. Under GDPR, sensitive data has more stringent protection rules than personal data.
GDPR has been in place since May 25th, 2018. Regardless of the fact where your company is based (EU or not), if you work with Personally Identifiable Information (PII) of EU citizens, you need to be GDPR compliant. A nominated authority in each of the EU countries can decide whether there has been an infringement of the GDPR regulations within their region and what the fines and penalties will be. The aim of the financial penalty is for it to be effective, proportionate, and dissuasive. The higher tier of GDPR fines and penalties could be up to €20 million or 4% of the previous financial year’s worldwide annual revenue, whichever is the higher of the two.
That’s why it is very important for every company working with EU citizens PII to be GDPR compliant.
7 Steps to prepare for GDPR
- Step 1: Check the personal data you collect and your data collection process, the purpose for which you do it and on which legal basis
- Step 2: Inform your customers, employees and other individuals when you collect their personal data
- Step 3: Keep PII data for only as long as needed
- Step 4: Secure collected PII data
- Step 5: Keep and maintain documentation on your data processing activities
- Step 6: Make sure your subcontractors respect the rules
- Step 7: Oversee PII data protection
- Conclusion
Below we will present you with 7 steps to be GDPR compliant. The tools and resources presented here can help you manage and protect your PII data but are not a guarantee of GDPR compliance. It is up to you to assess your own compliance status. You can consult with your own legal and
A good way to get started with GDPR is to make sure to apply the following key principles when collecting personal data:
- Collect personal data with clearly defined purposes for what you are using it for, and don’t use it for anything else. For example, if you tell your clients to give you their email addresses so they can get your new offers or promotions, you can only use their email addresses for that specific purpose.
- Don’t collect more data than you need. For example, if your business requires a mailing address for you to deliver goods, you need a customer’s address and a name, but you don’t need to know the person’s marital status.
Step 1: Check the personal data you collect and your data collection process, the purpose for which you do it and on which legal basis
One of the first steps you should take is to make an inventory of the personal data you collect and use within your business, and why it is needed. This includes data on both your employees and your customers.
For example, you may need your employee’s personal data based on the employment contract and for legal reasons (for example, reporting taxes to the Internal Revenue Service).
As another example, you may manage lists of individual customers to send them notices about special offers, if they have consented to this.
Which Microsoft 365 tool can help you discover, classify, and protect sensitive information?
Microsoft Purview Information Protection helps you to discover, classify, and protect sensitive information in your company. You can use trainable classifiers to help you identify and label document types that contain personal data. Classifiers are a Microsoft 365 E5, or E5 Compliance feature, but you can learn about trianable classifires on Microsoft or contact one of our advisors.
Step 2: Inform your customers, employees and other individuals when you collect their personal data
Individuals must know that you process their personal data and for which purpose. But there is no need to inform individuals when they already have information on how you will use the data, for instance, when a customer asks you to make a home delivery.
You also must inform individuals on request about the personal data you hold on to them and give them access to their data. Keep your data in order, so when e.g., your employee asks you about what sort of personal data you have, you can provide it easily with no extra hassle.
Step 3: Keep PII data for only as long as needed
Employee’s data: keep it as long as the employment relationship remains and for related legal obligations.
Customer’s data: keep it as long as the customer relationship lasts and for related legal obligations (for example, tax purposes)
Delete the data when it is no longer needed for the purposes for which you collected it!
Which Microsoft 365 tool can help with personal data retention policies and labels?
Retention policies and labels can be used to help you keep personal data for a certain time and delete it when it’s no longer needed. More on this in the future, but if you need to know more please refer to this Microsoft article about retention policies and retention labels.
Step 4: Secure collected PII data
Limit the access to the files containing PII data if you store personal data on an IT system, for example, by a strong password. Regularly update the security settings of your system.
If you store physical documents with personal data, make sure that they are not accessible by unauthorized persons. Lock them in a safe or a cupboard.
Which Microsoft 365 tool can help you store personal data?
If you choose to store personal data in the cloud, such as through Microsoft 365, you have security features such as the ability to help you to manage permissions to files and folders, centralized secure locations to save your files (OneDrive or SharePoint Online), and data encryption when sending or retrieving your files.
You can use compliance features to help to protect your business’s sensitive information. Compliance Manager can help you get started right away! For example, you can set up a DLP policy that uses the GDPR template.
Step 5: Keep and maintain documentation on your data processing activities
Create a document explaining what personal data you hold and for what reasons. You might be required to make the documentation available to your national data protection authority if requested.
Such a document should include e.g., the information below
| Information | Samples |
| The purpose of data processing | Alerting customers about special offers / providing home delivery; paying suppliers; salary and social security cover for employees |
| The types of personal data | Contact details of customers; contact details of suppliers; employees’ data |
| The categories of data subjects concerned | Employees; customers; suppliers |
| The categories of recipients | Labor authorities; tax authorities |
| The storage periods | Employees’ personal data until the end of the employment contract (and related legal obligations); customers’ personal data until the end of the client/contractual relationship |
| The technical and organizational security measures to protect personal data | IT system solutions regularly updated; locked cupboard/safe |
| Whether personal data is transferred to recipients outside the EU | Use of a processor outside the EU (e.g., for storage in the cloud) |
Which Microsoft 365 tool can help with privacy and security activities?
Microsoft Online Services Data Protection Addendum, which provides Microsoft’s privacy and security commitments, data processing terms and GDPR Terms for Microsoft-hosted services to which customers subscribe under a volume licensing agreement.
Step 6: Make sure your subcontractors respect the rules
If you use a sub-contractor for processing PII data to another company, use only a service provider who guarantees the processing in compliance with the requirements of the GDPR (for instance security measures). Before you sign a contract, check if they have already changed and adjusted to the GDPR. Put it in the contract.
Step 7: Oversee PII data protection
To better protect personal data, organizations might have to appoint a Data Protection Officer (DPO). However, you may not need to designate a Data Protection Officer if processing personal data isn’t a core part of your business, or if you are a small business. For example, if your business only collects data on your customers for home delivery, you should not need to appoint a DPO. Even if you need to make use of a DPO, these duties might be assigned to an existing employee in addition to his/her other tasks. Or you could choose to hire an external consultant for this duty as needed.
You normally don’t need to carry out a Data Protection Impact Assessment. This is reserved for businesses that pose more risk to personal data (for example, if they do a large-scale monitoring of a publicly accessible area, such as video-surveillance).
If you are a small business managing employee wages and a list of clients, you typically do not need to do a Data Protection Impact Assessment.
Conclusion
If you are an organization dealing with PII (Personally Identifiable Information) and you don’t want bad reputation, lack of customer trust and penalties, then you’d need to spend some time and efforts on your GDPR compliance journey. If you want a trusted partner that can be by your side end-to-end in that journey, reach out to us at Impactory. We are here to help!
Additional resources
- Want to know if SharePoint is for you? Read our expert review on it.
- Migrating to SharePoint Online? You can find helpful tips in our detailed blog post.
- How to get started with SharePoint integration? Check out our process with infographic.
blog
News from Impactory
Find out the latest from our company and stay up to date with everything worth knowing about our intelligent solutions and services from the multifaceted Microsoft Office world.
[UPDATED] Microsoft Viva – Employee Experience Platform EXP
With the introduction of Microsoft Viva, Microsoft’s goal is to strengthen the position of Teams as a hub for everyone’s workday, connecting everything to make it more convenient.
What is Microsoft Teams Premium, and what are the benefits?
Microsoft Teams Premium is a Teams add-on license that allows organizations with Microsoft 365 subscriptions to enhance their Teams experience.
Microsoft Viva – the New Employee Experience Platform
Microsoft Viva is the new employee experience platform that’s designed to empower people and teams to be their best.
Confluence vs. SharePoint – Which Collaboration tool is right for me?
Both Confluence and SharePoint have pros and cons and one can be a better fit for you, depending on your needs.
The Complete SharePoint Guide
Find out how to use SharePoint for document management, project management, intranet portals, and more. SharePoint is a web-based collaboration and document management platform that allows teams to store, organize, and share information and files.
IMPACTORY
Your reliable, high-performance partner
We offer a wide range of consultancy services for the planning, introduction, and implementation of SharePoint, Microsoft 365, and hybrid applications. Benefit from our many years of experience in the industry.