Compliance · 7 min

GDPR basics for employees

You handle personal data every day - often without noticing. Here are the five reflexes that keep you and your company GDPR-compliant.

What GDPR means for you personally

The GDPR (in Switzerland: nDSG, the revised data protection law - very similar in content) sounds like a lawyer topic. In reality it touches every desk: every contact list, every customer email, every report containing names is processing of personal data in legal terms. GDPR doesn't demand perfection - it demands awareness, data minimization, and the ability to react.

01 · Think broadly about personal data

Name, email, IP address, photo, location, salary, health data - all of it. Including Excel files, Slack, notes.

02 · Data minimization as a reflex

Do you really need name + address + birthdate? Or is an anonymous ID enough? Less data = less risk.

03 · Incidents within 72 hours

A data leak or the loss of a device with personal data = report to data protection immediately. GDPR gives 72 hours, counted from the moment the company becomes aware of the breach, to notify the supervisory authority.

What really counts as "personal data"?

Anything that identifies a person or makes them identifiable. Not only the obvious items:

  • Direct: name, email, phone, address, date of birth, photo
  • Indirect: IP address, device ID, customer number, online behavior
  • Especially sensitive: health, religion, political views, union membership, biometric data - stricter rules apply here.

A simple Excel list with customer names is also "processing". So is a Slack message "Ms. Müller called about X". So is a photo on the company website.

The six principles (in short)

  1. Lawfulness: There is a legal basis (contract, consent, legal obligation).
  2. Purpose limitation: Use data only for the purpose it was collected for. Don't repurpose marketing data for credit checks.
  3. Data minimization: Collect only what is truly needed.
  4. Accuracy: Keep data current, correct what is wrong.
  5. Storage limitation: Don't keep forever. Define retention periods.
  6. Integrity & confidentiality: Protect against loss and unauthorized access.

The five reflexes for daily work

1. Before you send personal data

  • Do I really need all the fields?
  • Is the recipient authorized?
  • Is the channel secure (encrypted mail, company cloud - not WeTransfer)?

2. When you set up new lists / tracking

  • Involve data protection before, not after.
  • Document the purpose in writing ("why are we collecting this?").
  • Set a deletion period from the start.

3. When an external data request arrives

"Please send me all data you hold about me" - that's a data subject access request. Don't answer it yourself. Forward it immediately to the data protection officer. The legal deadline is one month.

4. On an incident

Laptop stolen, email with personal data sent to the wrong recipient, USB stick lost - those are potential breaches. Report at once: 72 hours is tight.

5. When cleaning up

Old customer data in your inbox, Excel lists from 2019, drawers full of business cards - go through them periodically and delete / shred what's no longer needed.

Real case - wrong recipient

An employee accidentally sends a list of employee salaries to an external address instead of an internal one. Transmission time: 2 seconds. What was done right: data protection and IT were informed within 15 minutes. The recipient was called and asked to delete the email, with written confirmation. The supervisory authority was notified.

What would have prevented it: no auto-suggested recipients in the mail client, encryption for personnel data, four-eyes review on sending.

Fast notification is the difference between an internal incident and a six-figure fine.

What you don't have to decide yourself

  • Whether something is a reportable breach.
  • Whether a request is a data subject access request.
  • Whether a new tool is GDPR-compliant.

For all of that, there's the Data Protection Officer (DPO) and IT security. When in doubt: ask. That is always a better reflex than "it'll probably be fine".

The simple rule

Personal data isn't inventory - it's trust that you are managing. The less you hold and the more securely you store it, the less can go wrong.

Ready to take awareness seriously?

30-minute demo. We'll show you a real phishing campaign, a quarterly report, and the NIS2 mapping - for your industry.