Steps to Prepare for the GDPR
This section describes the steps a small business can take to prepare for the GDPR. Much of the information for these steps was provided through Seven Steps for Businesses to Prepare for the General Data Protection Regulation, a publication offered through the Publications Office of the European Union.
A good way for a small business to get started with the GDPR is to ensure that the following key principles are applied when collecting personal data:
- Collect personal data with clearly defined purposes for which you are using it and do not use it for anything else. For example, if you tell your customers to give you their email address so they can receive your new offers or promotions, you can use their email address only for that specific purpose.
- Do not collect more data than you need. For example, if your business needs a mailing address to deliver goods, you’ll need a customer’s address and name, but you don’t need to know the person’s marital status.
Step 1: Know the personal data you collect and use within your business and the reasons why you need it
One of the first steps you should take as a small business is to take stock of the personal data you collect and use within your business and why it is needed. This includes data about both your employees and your customers.
For example, you need your employee’s personal information based on the employment contract and for legal reasons (for example, reporting taxes to the tax authorities).
As another example, you can manage lists of individual customers to send them notifications about special offers, if they have agreed to this.
Microsoft Purview Information Protection can help you discover, classify, and protect sensitive information in your business. You can use trainable classifications to help you identify and label document types that contain personal information.
Step 2: Inform your customers, employees and others when you need to collect their personal information
Individuals need to know that you are processing their personal data and for what purpose. For example, if a customer needs to create a customer profile to access your company’s online site, you’ll need to specify what you want to do with their data.
However, it is not necessary to inform individuals if they already know how you will use the data, for example when they give you a home address for a delivery they ordered.
You must also be able to inform persons on request about the personal data you have about them and give them access to their data. Organizing your data makes it easier to deliver it when needed.
Keep employee data for as long as the employment relationship continues and for related legal obligations. Keep customer data for as long as the customer relationship lasts and for related legal obligations (for example, tax purposes). Delete the data when it is no longer needed for the purposes for which you collected it.
Retention policies and labels can be used to help you retain personal data for a period of time and delete it when it is no longer needed.
If you store personal data on an IT system, restrict access to the files containing the data, for example with a strong password. Update your system’s security settings regularly.
If you store physical documents containing personal information, you must ensure that they are not accessible to unauthorized persons.
If you choose to store personal data in the cloud, such as through Microsoft 365, you have security features such as the ability to manage permissions to files and folders, centralized secure locations to store your files (OneDrive or SharePoint document libraries) and data encryption when sending or retrieving your files.
You can use Set up compliance features to protect your company’s sensitive data. Compliance management can help you get started right away. For example, you can set up a DLP policy that uses the GDPR template.
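As an added example that is not part of the original article, the retention rule and the DLP policy described above, expressed in Security & Compliance PowerShell instead of the portal. The policy names, the seven-year retention period, the list of EU sensitive information types (chosen to resemble what the portal’s GDPR template detects) and the decision to block only external sharing are assumptions for illustration; adjust them to your own legal obligations.

```powershell
# Added example: retention policy plus a GDPR-style DLP policy via Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the account holds a compliance admin role.
Connect-IPPSSession

# --- Retention: keep customer documents, then delete them when no longer needed ---
# 2555 days (7 years) is an assumed example period; use the period your obligations require.
New-RetentionCompliancePolicy -Name "Customer data retention (example)" `
    -SharePointLocation All -OneDriveLocation All -Enabled $true

New-RetentionComplianceRule -Name "Delete 7 years after last change (example)" `
    -Policy "Customer data retention (example)" `
    -RetentionDuration 2555 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# --- DLP: EU sensitive information types (assumed selection, similar to the GDPR template) ---
$euTypes = @(
    @{ Name = "EU Debit Card Number";              minCount = "1" },
    @{ Name = "EU Driver's License Number";        minCount = "1" },
    @{ Name = "EU National Identification Number"; minCount = "1" },
    @{ Name = "EU Passport Number";                minCount = "1" },
    @{ Name = "EU Tax Identification Number";      minCount = "1" }
)

# Start in test mode so you can see what would be matched before anything is blocked.
New-DlpCompliancePolicy -Name "GDPR personal data (example)" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Block sharing of matching content with people outside the organization and tell the owner why.
New-DlpComplianceRule -Name "Block external sharing of EU personal data (example)" `
    -Policy "GDPR personal data (example)" `
    -ContentContainsSensitiveInformation $euTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Once the incident reports look right, switch the policy from test mode to enforcement.
Set-DlpCompliancePolicy -Identity "GDPR personal data (example)" -Mode Enable
```

Review the matches generated in test mode before enabling the policy, since false positives on legitimate customer correspondence are the usual reason a DLP rollout is reverted.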
Prepare a short document explaining what personal data you keep and for what reasons. You may need to make this documentation available to your national data protection authority. You can find Microsoft’s contractual obligations with respect to the GDPR in the Microsoft Online Services Data Protection Addendum, which provides Microsoft’s privacy and security commitments, the data processing terms and the GDPR terms for Microsoft-hosted services that customers subscribe to under a volume licensing agreement.