GDPR simplified: A guide for your small business

Check out all of our small business content on Small business help & learning.

Using Microsoft 365 for business to help you to mitigate and manage GDPR compliance

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization should handle personal data. If your business sells to, provides services to, or employs citizens of the European Union, then the GDPR will affect you.

As a small business admin, you're probably asking yourself "how do I get started"? This may be especially true if your business doesn't handle personal data as a core business activity, or if GDPR is totally new to you.

You can get started by reviewing this article, which is aimed at helping you understand what the GDPR is, why it came about, and how Microsoft 365 for business can help your organization comply with the GDPR.

It also includes answers to common questions about GDPR that small businesses may have, and highlights steps a small business can take to prepare for GDPR.

Important

The Microsoft 365 solutions and recommendations in this article are tools and resources that can help you manage and protect your data, but are not a guarantee of GDPR compliance. It is up to you to assess your own compliance status. Consult with your own legal and/or professional advisors when needed.

A quick overview of the GDPR

The GDPR is an EU regulation that updates and expands the earlier Data Protection Directive (DPD) first enacted in 1995. The GDPR is concerned with the privacy of an individual's data, be that individual a client, customer, employee, or business partner. The GDPR's goal is to strengthen personal data protection for EU citizens, whether they reside in the EU or elsewhere. The regulation sets out expectations and advises on how to achieve them. Organizations must have measures in place that satisfy the requirements of the GDPR.

The GDPR is all about data and how it's used. Think of data as having a life cycle. The cycle starts when you collect data, continues as you store it and use it (processing), and ends when you completely delete it from your systems.

The GDPR is concerned with the following types of data:

  • Personal data: If you can link data to an individual and identify them, then that data is considered personal with respect to the GDPR. Examples of personal data include name, address, date of birth, and IP address. The GDPR considers even encoded information (also known as "pseudonymous" information) to be personal data, regardless of how obscure or technical the data is, if the data can be linked to an individual.

  • Sensitive personal data This is data that adds more details to personal data. Examples include religion, trade union membership, ethnic origin, and so on. Sensitive personal data also includes biometric data and DNA. Under GDPR, sensitive data has more stringent protection rules than personal data.

GDPR terms

You'll see some terms referred to frequently in the GDPR. It's important to understand these terms.

Consent:

The GDPR states: "The processing of personal data should be designed to serve mankind." The GDPR hopes to achieve this goal by using consent when processing personal data. That could be the simple act of asking your customers if they want to receive email messages from your company. It also means no more opt-out check boxes on your website when you want to use data for marketing. You must take explicit consent using a "clear affirmative act". And, you'll need to also keep records of when a consent is taken or revoked.

Data subject rights:

The GDPR establishes data subject rights, which means that, with respect to their personal data, customers, employees, business partners, clients, contractors, students, suppliers, and so forth have the right to:

  • Be informed about their data: You must inform individuals about your use of their data.

  • Have access to their data: You must give individuals access to any of their data that you hold (for example, by using account access or in some manual manner).

  • Ask for data rectification: Individuals can ask you to correct inaccurate data.

  • Ask for data to be deleted: Also known as the 'right to erasure', this right allows an individual to request that any of their personal data a company has collected is deleted across all systems that use it or share it.

  • Request restricted processing: An individual can ask that you suppress or restrict their data. However, it's only applicable under certain circumstances.

  • Have data portability: An individual can ask for their data to be transferred to another company.

  • Object: An individual can object to their data being used for various uses including direct marketing.

  • Ask not to be subject to automated decision-making, including profiling: The GDPR has strict rules about using data to profile people and automate decisions based on that profiling.

Steps to prepare for GDPR

This section describes steps a small business can take to help it get ready for GDPR. Much of the information for these steps was provided through Seven steps for businesses to get ready for the General Data Protection Regulation, a publication provided through the Publications Office of the European Union.

A good way for a small business to get started with GDPR is to make sure to apply the following key principles when collecting personal data:

  • Collect personal data with clearly defined purposes for what you are using it for, and don’t use them for anything else. For example, if you tell your clients to give you their email addresses so they can get your new offers or promotions, you can only use their email addresses for only that specific purpose.
  • Don’t collect more data than you need. For example, if your business requires a mailing address for you to deliver goods, you need a customer's address and a name, but you don’t need to know the person's marital status.

Step 1: Know the personal data that you collect and use within your business, and the reasons you need it

As a small business, one of the first steps you should take is to make an inventory of the personal data you collect and use within your business, and why it's needed. This includes data on both your employees and your customers.

For example, you may need your employee's personal data based on the employment contract and for legal reasons (for example, reporting taxes to the Internal Revenue Service).

As another example, you may manage lists of individual customers to send them notices about special offers, if they have consented to this.

Microsoft 365 features that can help in Step 1

Microsoft Purview Information Protection can help you discover, classify, and protect sensitive information in your company. You can use trainable classifiers to help you identify and label document types that contain personal data.

Step 2: Inform your customers, employees, and other individuals when you need to collect their personal data

Individuals must know that you process their personal data and for which purpose. For example, if a customer needs to create a customer profile to access your business's online site, make sure you state specifically what you intend to do with their information.

But there is no need to inform individuals when they already know how you will use the data. For example, when they provide you a home address for a delivery they ordered.

You also have to be able to inform individuals on request about the personal data you hold on them and give them access to their data. Being organized with your data makes it easier to provide to them, if needed.

Step 3: Keep personal data for only as long as necessary

For employees data, keep it as long as the employment relationship remains and for related legal obligations. For customer data, keep it as long as the customer relationship lasts and for related legal obligations (for example, tax purposes). Delete the data when it is no longer needed for the purposes for which you collected it.

Microsoft 365 features that can help in Step 3

Retention policies and labels can be used to help you keep personal data for a certain time and delete it when it’s no longer needed.

Step 4: Secure the personal data you are processing

If you store personal data on an IT system, limit the access to the files containing the data, for example, by a strong password. Regularly update the security settings of your system.

Note

The GDPR does not prescribe the use of any specific IT system, but make that the system has the appropriate level of security. See GDRP Article 32: Security of Processing for more information.

If you store physical documents with personal data, make sure that they are not accessible by unauthorized persons.

If you choose to store personal data in the cloud, such as through Microsoft 365, you have security features such as the ability to help you to manage permissions to files and folders, centralized secure locations to save your files (OneDrive or SharePoint document libraries), and data encryption when sending or retrieving your files.

Microsoft 365 features that can help in Step 4

You can use Set up compliance features to help to protect your business's sensitive information. Compliance Manager can help you get started right away! For example, you can Create and Deploy data loss prevention policies that uses the GDPR template.

Step 5: Keep documentation on your data processing activities

Prepare a short document explaining what personal data you hold and for what reasons. You might be required to make the documentation available to your national data protection authority if needed.

Such documents should include the information listed below.

Information Examples
The purpose of data processing Alerting customers about special offers such as providing home delivery; paying suppliers; salary and social security coverage for employees
The types of personal data Contact details of customers; contact details of suppliers; employee data
The categories of data subjects concerned Employees; customers; suppliers
The categories of recipients Labor authorities; tax authorities
The storage periods Employees’ personal data until the end of the employment contract (and related legal obligations); customers’ personal data until the end of the client/contractual relationship
The technical and organizational security measures to protect the personal data IT system solutions regularly updated; secured location; access control; data encryption; data backup
Whether personal data is transferred to recipients outside the EU Use of a processor outside the EU (for example, storage in the cloud); data location of the processor; contractual commitments

You can find Microsoft’s contractual commitments with regard to the GDPR in the Microsoft Online Services Data Protection Addendum, which provides Microsoft’s privacy and security commitments, data processing terms and GDPR Terms for Microsoft-hosted services to which customers subscribe under a volume licensing agreement.

Step 6: Make sure your subcontractors respect the rules

If you sub-contract processing of personal data to another company, only use a service provider who guarantees the processing in compliance with the requirements of the GDPR (for instance, security measures).

Step 7: Assign someone to oversee personal data protection

To better protect personal data, organizations might have to appoint a Data Protection Officer (DPO). However, you may not need to designate a Data Protection Officer if processing of personal data isn’t a core part of your business, or if you are a small business. For example, if your business only collects data on your customers for home delivery, you should not need to appoint a DPO. Even if you need to make use of a DPO, these duties might be assigned to an existing employee in addition to his/her other tasks. Or you could choose to hire an external consultant for this duty as needed.

You normally don’t need to carry out a Data Protection Impact Assessment. This is reserved for businesses that pose more risk to personal data (for example, if they do a large-scale monitoring of a publicly accessible area, such as video-surveillance).

If you are a small business managing employee wages and a list of clients, you typically do not need to do a Data Protection Impact Assessment.

Common small business questions about the GDPR

I'm a sole proprietor - do I really have to worry about the GDPR?

The GDPR is about the data you process, not the number of employees you have. It affects companies of all sizes, even sole proprietors. However, companies with fewer than 250 employees do have some exemptions, such as reduced record keeping, but only if you are sure the data processing doesn't affect the individual's rights and is occasional processing.

As an example, processing of non-personal data would be exempt or need reduced measures. However, if you process any data that is seen as "special category sensitive data", even if it only occasionally, you will have to record this data processing. The definition of "occasional processing" is vague, but it's meant to apply to data that is used once or rarely.

You should also make sure that personal data that you collect is protected. This means that you need to encrypt it and make sure that access to it is controlled using at least a password. Keeping your customer data on a spreadsheet on your desktop with no protection won't meet GDPR expectations.

How can I tell if our company website is GDPR compliant?

The first question to ask yourself is: Do you collect personal data anywhere on your site? For example, you might have a contact form that asks for a name and email address. If you want to send marketing emails, make sure you add an 'opt-in' checkbox that explains exactly what you will use the data for. Only if the recipient checks that box can you use their personal data for marketing purposes.

Also, check that the database that stores the data is protected. Your web hosting company or cloud storage vendor will be able to advise on this. If you use Microsoft 365 for business, storage of data is GDPR-compliant.

My company is outside Europe. Does the GDPR really affect us?

The GDPR is a regulation that protects EU citizens. If your company deals with EU citizens now, or you hope to in the future, you will be affected. This applies to both citizens living in an EU State and those living elsewhere.

Consider the following examples:

  • A U.S. company that hires cars to EU citizens will need to satisfy GDPR requirements when they collect and process the customer's data. The company will be required to take consent when they take the customer's data and ensure that the data is stored securely. They will also need to make sure the customer can apply all of their data subject rights.

  • An Australian company sells products online, and its users set up online accounts. GDPR data subject rights and consent will be applied to EU citizens who open an account. The company will need to make sure the customer can apply all of their data subject rights.

  • An international charity collects data about donors and uses it to send out updates and requests for donations. The GDPR states: '...the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." However, the responsibility is on the organization to prove their interests override those of the data subject. The company (or in this case, the charitable organization) should always get informed, explicit, opt-in consent.

The GDPR also applies if customer data moves across borders. If you use cloud computing for data storage, you will need to make sure the service is fully GDPR-compliant. It can get complicated if data storage is in locations that have a poor record of data protection. If you use Microsoft 365 for business, we have the correct legal documentation in place to cover GDPR requirements.

Sure, I collect data, but some other company stores it. Does that get me off the hook?

Under the GDPR, if you collect data you are affected to some extent. The GDPR has the concept of a data processor and a data controller:

  • Data Controller: An individual or organization (you can have joint controllers) that decides how, what, and why data is collected. They may store it using another company's cloud servers. For example, a website that collects customer data is a controller.

  • Data Processor: An individual or organization that stores data on behalf of the controller(s) and processes these data upon request. For example, Microsoft 365 Apps for business data storage acts as a processor and is fully GDPR compliant.

    An organization or system can act as both a controller and a processor. Microsoft 365 for business can act as both and complies with the GDPR.

Can I still send out marketing emails to my old customers?

You need to make sure your customers, even ones that you've had for years, have consented to use their data for marketing. You may have previously captured consent, as well as a record to show it. If so, you're all set to continue marketing. If not, you need to get permission from the customer to continue marketing to them. This usually involves sending an email asking customers to go to your site and select an option to consent to receive future emails.

Do I have to worry about the GDPR when I recruit new employees? What about current employees?

The GDPR doesn't just affect customer data; it extends to employee data, too. New recruits are often located using social media platforms such as LinkedIn. Make sure that you don't store any potential recruit data without their express permission.

As for existing employees and new employee contracts, a signature at the end of a contract does not necessarily assume consent, especially when a non-affirmative clause is used in a contract. In this case, you must capture consent in an explicit manner associated with the clause. What this means depends on your employee contract, but you can use "legitimate interest" in some cases and add an employee data processing notice to make sure your employees are aware of what you will do with their data.

Satisfy privacy concerns using Microsoft 365 for business

Becoming compliant with the GDPR is about making sure that personal data is protected. The GDPR has a concept known as Privacy by Design and Default. This means that data protection should be "baked in" to a system and a product so that satisfying privacy concerns is second nature.

Like their larger counterparts, a small business needs convenience without sacrificing security. Microsoft 365 for business is designed for companies of fewer than 300 employees. Small companies can use Microsoft cloud-based tools to improve business productivity. With Microsoft 365 for business, a small business can manage emails, documentation, and even meetings and events. It also has built-in security measures and device management, which are vital for GDPR compliance.

Microsoft 365 for business can help you with the GDPR process in the following ways:

  • Discover: An important step to GDPR compliance is knowing what data you have.

  • Manage: Controlling access to data and managing its use is an integral part of GDPR. Microsoft 365 for business protects business data based on policies you want to apply to devices. Device management is vital in an age where employees work remotely. Microsoft 365 for business includes device management features that make sure data is protected across all devices. For example, you can specify that all Windows 10 devices in your business are protected via Windows Defender.

  • Protect: Microsoft 365 for business is designed for security. Its device management and data protection controls work across your business network, including remote devices, to help keep data secure. Microsoft 365 for business offers controls such as privacy settings in Microsoft 365 apps and encryption of documents. With Microsoft 365 for business, you can perform GDPR compliance monitoring to make sure you have the right level of protection set.

  • Report: The GDPR places a lot of emphasis on reporting. Even a business with a single employee, if that business processes large amounts of data, is required to document and report on their procedures. Microsoft 365 for business takes the headache out of reporting requirements for smaller organizations.

    Tools such as audit logs allow you to track and report on data movement. Reports include classifying the data you collect and store, what you do with the data, and transfers of the data.

Customers, employees, and clients are becoming more aware of the importance of data privacy and now expect a company or organization to respect that privacy. Microsoft 365 for business provides you with the tools to achieve and maintain GDPR compliance without a massive upheaval to your business.

Next steps

To get ready for the GDPR, here are some suggestions for next steps to take:

Important

Get legal advice appropriate for your company or organization.

Additional resources

Microsoft Trust Center overview of the GDPR

The Official Microsoft Blog: Microsoft commitment to GDPR

European Commission sites: