5 Answers to Get Started with Data Protection in Your Company

WRITTEN BY Marie M.

Data Protection Consultant
Founder of 'Your Life Your Data'

„I get so many headaches even thinking about data protection“, „It is so important but I need more time and it is not a priority at all right now.“ Sounds familiar? Most business owners I talk to give me the same answers when it comes to data protection. It is easier than you think to follow the General Data Protection Regulation (GDPR).

For most modern businesses, data is their most important asset. In terms of commercial operations, data forms the basis for driving sales and marketing, enables you to keep in touch with customers and allows you to store information about your workforce. But as the famous saying goes: with great power comes great responsibility.

My story

My name is Marie, I am a lawyer and entrepreneur based in Berlin. Started my own data protection consultancy during the pandemic next to my full time job. I mostly help female founders and small business owners with their privacy protection and could not love it more.

About 10 years ago I started getting interested in data. Back then, the online world was pretty small but kept growing already. Knowing the value behind all of that data we provide every day and every minute in our online lives, I could not stop thinking about privacy protection and the rights of every individual behind it.

How to get started with data protection in your company

I will give you 5 quick answers to the most asked questions from my clients:

#1 How to create a GDPR compliant website

Let’s face it, you need these three essentials if your business performs or you have customers within the European Union to have a legal website:

First, a legal notice so that your website visitors know who is responsible for the website. It includes the business owners name, address of the company or if there is no office address yet, the address of the business owner (no, you cannot skip this part!).

You need your VAT identification number according to § 27a Value Added Tax Act of Germany. Please do not put your regular tax number online. That is a highly confidential information and could be used by strangers to get information about your company from the tax office.

If you feel uncomfortable having that kind of private information online, you can book a service that is called “Adress-Schutz”. The companies providing this service basically get all your mail and forward it to you. If you run an online business without getting a ton of mail, this can be a good option for you.

What’s next? Right, your privacy policy. This is basically just a piece of information about how you process personal data, how long you store it and what kind of tools (like your video call software, messengers, social media, …) and plugins you are using to run your business smooth and proper. It is also an overview about data subject rights. Keep in mind that your business, best-case scenario, is growing. So you should look into your privacy policy every now and then to be sure it is up to date.

Don’t forget about your cookie consent banner. This is the third essential on our list. The banner pops up on your website when a user visits your site for the first time and gives the user a choice of consent before their data is processed. It comes mostly with your website modelling kit. Make sure to activate it.

Et voilà, your first steps to a legal website.

Collect, store and use data appropriately and with good reason.

#2 How to get started with privacy protection

Ok, you’ve got your website and your clients are rolling in. No matter what field you are working in, e.g. fashion business, coaching, medical, e-commerce, I am 100% sure you are collecting personal data. Collect, store and use data appropriately and with good reason.

The data in question must form part of a client contract or the client must otherwise have given their explicit authority for their data to be processed. What is personal data? – Anything that can be used to identify an individual person such as names, age, email addresses, IP numbers, phone numbers, health information, social security numbers etc.

A quick insight into why the EU is so freaking strict about personal data. First of all, it is a fundamental right. Secondly, if it is technologically possible to know everything about someone’s life, and I really mean everything (where you live, with whom you live together, how old you are, your sexuality, your religious view, your last online shopping purchase) but also your next shopping purchase and your next moves in life, isn’t it a bit too dangerous to leave this just to the big tech companies these days?
Back to your company and its privacy protection.

Write down all personal data you collect. Just take a piece of paper or open your favourite tool to write stuff down digitally and do it.

Now you categorise it into data subjects (client, employer, lead, supplier…) and the purpose. Purpose means for what you actually gather it. Do you work with a client and need their data? Do you collect it for your newsletter or your accounting?

Congrats, you now have officially an overview of your data processing.

Become a Member

Turn your passion into a purposeful job and overcome business challenges with the help of online courses in a supportive environment of like-minded female entrepreneurs.

Join 7 days for free

#3 How to store personal data

Ever thought about how you as a private person save data? Some of us use external hard disk drives, most of us use clouds. Clouds are very convenient. You just upload your content and get access from everywhere anytime.

The language we use when we speak to ourselves can be empowering and motivating. Or it can stop us in our tracks. How we communicate with ourselves and our self-talk is crucial.

But just to make sure: as a business owner, you need to stick to the GDPR. The main issue here is that most clouds that are for free and give you a lot of data storage are based in the U.S. and so are their servers. This means by uploading the personal data of your clients, employers etc. you pass these on to a “third country”. The level of data protection outside of the E.U. is very different and based on European legal regulations, not the same at all. So make sure to use a cloud service based within the E.U. or Germany. In that case, you do not need any kind of Standard Contractual Clauses.

Standard what? It is basically a contract you need between a company outside of the E.U. and you if you pass personal data to them.

#4 Be aware of who gets access to the personal data by your organization

You must make sure robust procedures and processes, as well as adequate technical resources, are put in place to safeguard data from being compromised and be ready to respond to any data breaches. Do you need some ideas of how to do it? Install anti-virus software, activate your firewall, have at least one backup (I usually have two), have strong passwords, do not keep your laptop unsupervised, tape your camera if not in use.

#5 Destroy any personal data that is no longer needed

The last and totally underrated point is very simple. Delete personal data if you do not have any purpose to use it anymore. This means, you finished working with that client, patient or employee and simply have no more right to use their personal data. In Germany, there are some deadlines that have to be observed, like for the tax office, commercial register or labor law-related ones. So be aware that you need to save some information longer than others.

Conclusion: GDPR Compliance is easier than you think

GDPR compliance is as important for small businesses as it is for large multi-national corporations. Consequently, many businesses have chosen to appoint a Data Protection Officer to address to the GDPR requirements or appoint a consultancy business to get their GDPR preparations started before delegating the role to an existing employee.

Especially when your business is still small you can also manage to do it by yourself. Data protection does not need to be hard work. It is exactly the opposite.

Start by looking into these 5 quick answers. Data protection means more security for your business and it helps you push your company to a new professional level. Your clients and partners will love it. So it is good for you and your company’s brand. Good data protection is a real game-changer and a competitive advantage for your business.

*The content of this article is not a legal advice and can under no circumstance substitute a legal advice in individual cases.

Marie is a lawyer and entrepreneur based in Berlin. Next to her full-time job she founded her own data protection consultancy, Your Life Your Data. She mostly helps female founders and small business owners with their privacy protection.

She loves that we can control what kind of data and information we give away and therefore stop the big tech companies making money out of it and ourselves. Besides that, she runs and eats a lot - lots of pain au chocolat! And she doesn't know how to get all that energy from if not from meditation.

If you are inspired by Marie’s tips on how to respect your and others’ data, please visit the Your Life Your Data website, Instagram or her LinkedIn profiles. For data privacy consultances or cyber security schooling, contact her here. To find more empowering and motivational articles, check out our online magazine. Discover our Online Academy & Community Membership and try it for 7 days for free.