I got some questions about GDPR compliance. I would like to know how we can make our company compliant on the technical and organizational side.
We use Microsoft Office and a Software as a Service (SaaS) ERP named Odoo. How can we use these tools in a way that is GDPR compliant? On the technical side I suppose we can't do much. However, on the organizational side I think we are supposed to make the difference. I was thinking about restricting some shares and creating leaving and arriving procedures for colleagues.
What I am worrying about is how to manage client data. Would it be enough to leave them on our professional laptop or do they need to be on the share with limited access?
If you need more information in order to understand my questions I will be happy to provide them.
I agree with you: the organizational side can make the difference in increasing compliance and awareness of security and GDPR requirements. Setting an access policy that determines the level of confidentiality of documents and the persons allowed to access or modify them is a good security measure.
Another organizational measure is to set the rules of data processing for your employees with a data protection policy, and also an IT security policy in order to define some technical aspects, like software that is not allowed in your organization's IT system.
Thinking about the storage you mentioned, keeping all data on your laptop can expose you to a data breach in case the laptop stops working or something happens to the data, so if you decide to follow this path, implement some backup solution.
Another approach is to keep data in the cloud, setting access levels for your employees and increasing the possibility to work from anywhere. In this case, consider installing a VPN in order to protect access and navigation and, of course, set access levels for your employees.
Here you can find some information about starting the compliance process: