GDPR simplified: A guide for your small business

Using Microsoft 365 Business to mitigate and manage GDPR compliance

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization should handle personal data. The GDPR is due to come into force on May 25, 2018. If your business sells to, provides services to, or employs citizens of the European Union, then the GDPR will affect you.

This article helps you understand what the GDPR is, why it came about, and how Microsoft 365 Business can help your organization comply with the GDPR.

A quick overview of the GDPR

The GDPR is an EU regulation that updates and expands the earlier Data Protection Directive (DPD) first enacted in 1995. The GDPR is concerned with the privacy of an individual's data, be that individual a client, customer, employee, or business partner. The GDPR's goal is to strengthen personal data protection for EU citizens, whether they reside in the EU or elsewhere. The regulation sets out expectations and advises on how to achieve them. When the GDPR becomes enforceable in late May 2018, organizations must have measures in place that satisfy the requirements of the GDPR.

The GDPR is all about data and how it's used. Think of data as having a life cycle. The cycle starts when you collect data, continues as you store it and use it (processing), and ends when you completely delete it from your systems.

The GDPR is concerned with the following types of data:

  • Personal data: If you can link data to an individual and identify them, then that data is considered personal with respect to the GDPR. Examples of personal data include name, address, date of birth, and IP address.

  • Sensitive personal data: This is data that adds more detail to personal data. Examples include religion, trade union membership, ethnic origin, and so on. Sensitive personal data also includes biometric data and DNA. Under the GDPR, sensitive data has more stringent protection rules than personal data.

GDPR terms

You'll see some terms referred to frequently in the GDPR. It's important to understand these terms.

Consent

The GDPR states: "The processing of personal data should be designed to serve mankind." The GDPR aims to achieve this goal by requiring consent when processing personal data. That could be the simple act of asking your customers if they want to receive email messages from your company. It also means no more opt-out check boxes on your website when you want to use data for marketing. You must obtain explicit consent through a "clear affirmative act", and you will also need to keep records of when consent is given or revoked.

Data subject rights

The GDPR establishes data subject rights, which means that, with respect to their personal data, customers, employees, business partners, clients, contractors, students, suppliers, and so forth have the right to:

  • Be informed about their data: You must inform individuals about your use of their data.

  • Have access to their data: You must give individuals access to any of their data that you hold (for example, by using account access or in some manual manner).

  • Ask for data rectification: Individuals can ask you to correct inaccurate data.

  • Ask for data to be deleted: Also known as the 'right to erasure', this right allows an individual to request that any of their personal data a company has collected is deleted across all systems that use it or share it.

  • Request restricted processing: An individual can ask that you suppress or restrict their data. However, it is only applicable under certain circumstances.

  • Have data portability: An individual can ask for their data to be transferred to another company.

  • Object: An individual can object to their data being used for various uses including direct marketing.

  • Ask not to be subject to automated decision-making, including profiling: The GDPR has strict rules about using data to profile people and automate decisions based on that profiling.

Common small business questions about the GDPR

I'm a sole proprietor - do I really have to worry about the GDPR?

The GDPR is about the data you process, not the number of employees you have. It affects companies of all sizes, even sole proprietors. However, companies with fewer than 250 employees do have some exemptions, such as reduced record keeping, but only if you are sure the data processing doesn't affect the individual's rights and is only occasional.

As an example, processing of non-personal data would be exempt or need only reduced measures. However, if you process any data that is seen as "special category sensitive data", even if only occasionally, you will have to record this data processing. The definition of "occasional processing" is vague, but it's meant to apply to data that is used once or rarely.

You should also make sure that personal data that you collect is protected. This means that you need to encrypt it and make sure that access to it is controlled using at least a password. Keeping your customer data on a spreadsheet on your desktop with no protection won't meet GDPR expectations.

How can I tell if our company website is GDPR compliant?

The first question to ask yourself is: Do you collect personal data anywhere on your site? For example, you might have a contact form that asks for a name and email address. If you want to send marketing emails, make sure you add an 'opt-in' checkbox that explains exactly what you will use the data for. Only if the recipient checks that box can you use their personal data for marketing purposes.

Also, check that the database that stores the data is protected. Your web hosting company or cloud storage vendor will be able to advise on this. If you use Microsoft 365 Business, storage of data is GDPR-compliant.

My company is outside Europe. Does the GDPR really affect us?

The GDPR is a regulation that protects EU citizens. If your company deals with EU citizens now, or you hope to in the future, you will be affected. This applies to both citizens living in an EU State and those living elsewhere.

Consider the following examples:

  • A U.S. company that hires cars to EU citizens will need to satisfy GDPR requirements when it collects and processes the customer's data. The company will be required to take consent when it collects the customer's data and to ensure that the data is stored securely. It will also need to make sure the customer can exercise all of their data subject rights.

  • An Australian company sells products online, and its users set up online accounts. GDPR data subject rights and consent requirements apply to EU citizens who open an account. The company will need to make sure the customer can exercise all of their data subject rights.

  • An international charity collects data about donors and uses it to send out updates and requests for donations. The GDPR states: "...the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." However, the responsibility is on the organization to prove that its interests override those of the data subject. The company (or in this case, the charitable organization) should always get informed, explicit, opt-in consent.

The GDPR also applies if customer data moves across borders. If you use cloud computing for data storage, you will need to make sure the service is fully GDPR-compliant. It can get complicated if data storage is in locations that have a poor record of data protection. If you use Microsoft 365 Business, we have the correct legal documentation in place to cover GDPR requirements.

Sure, I collect data, but some other company stores it. Does that get me off the hook?

Under the GDPR, if you collect data you are affected to some extent. The GDPR has the concept of a data processor and a data controller:

  • Data Controller: An individual or organization (you can have joint controllers) that decides how, what, and why data is collected. They may store it using another company's cloud servers. For example, a website that collects customer data is a controller.

  • Data Processor: An individual or organization that stores data on behalf of the controller(s) and processes that data upon request. For example, Office 365 Business data storage acts as a processor and is fully GDPR compliant.

    An organization or system can act as both a controller and a processor. Microsoft 365 Business can act as both and complies with the GDPR.

Can I still send out marketing emails to my old customers?

You need to make sure your customers, even ones that you've had for years, have consented to the use of their data for marketing. You may have previously captured consent, along with a record to show it. If so, you're all set to continue marketing. If not, you need to get permission from the customer to continue marketing to them. This usually involves sending an email asking customers to go to your site and select an option to consent to receiving future emails.

Do I have to worry about the GDPR when I recruit new employees? What about current employees?

The GDPR doesn't just affect customer data; it extends to employee data, too. New recruits are often located using social media platforms such as LinkedIn. Make sure that you don't store any potential recruit data without their express permission.

As for existing employees and new employee contracts, a signature at the end of a contract does not necessarily imply consent, especially when a non-affirmative clause is used in the contract. In this case, you must capture consent explicitly, associated with the clause. What this means depends on your employee contract, but you can rely on "legitimate interest" in some cases and add an employee data processing notice to make sure your employees are aware of what you will do with their data.

Satisfy privacy concerns using Microsoft 365 Business

Becoming compliant with the GDPR is about making sure that personal data is protected. The GDPR has a concept known as Privacy by Design and Default. This means that data protection should be "baked in" to a system and a product so that satisfying privacy concerns is second nature.

Like its larger counterparts, a small business needs convenience without sacrificing security. Microsoft 365 Business is designed for companies of fewer than 300 employees. Small companies can use Microsoft cloud-based tools to improve business productivity. With Microsoft 365 Business, a small business can manage emails, documentation, and even meetings and events. It also has built-in security measures and device management, which are vital for GDPR compliance.

Microsoft 365 Business can help you with the GDPR process in the following ways:

  • Discover: An important step to GDPR compliance is knowing what data you have.

  • Manage: Controlling access to data and managing its use is an integral part of the GDPR. Microsoft 365 Business protects business data based on policies you choose to apply to devices. Device management is vital in an age where employees work remotely. Microsoft 365 Business includes device management features that make sure data is protected across all devices. For example, you can specify that all Windows 10 devices in your business are protected via Windows Defender.

  • Protect: Microsoft 365 Business is designed for security. Its device management and data protection controls work across your business network, including remote devices, to help keep data secure. Microsoft 365 Business offers controls such as privacy settings in Office applications and encryption of documents. With Microsoft 365 Business, you can perform GDPR compliance monitoring to make sure you have the right level of protection set.

  • Report: The GDPR places a lot of emphasis on reporting. Even a business with a single employee, if that business processes large amounts of data, is required to document and report on their procedures. Microsoft 365 Business takes the headache out of reporting requirements for smaller organizations.

    Tools such as audit logs allow you to track and report on data movement. Reports include classifying the data you collect and store, what you do with the data, and transfers of the data.

Customers, employees, and clients are becoming more aware of the importance of data privacy and now expect a company or organization to respect that privacy. Microsoft 365 Business provides you with the tools to achieve and maintain GDPR compliance without a massive upheaval to your business.

Next steps

To get ready for the GDPR, here are some suggestions for next steps to take:

Important

Get legal advice appropriate for your company or organization.

Additional resources

Microsoft Trust Center overview of the GDPR

The Official Microsoft Blog: Microsoft commitment to GDPR

European Commission sites: