Why this matters
Most data protection incidents are not caused by attackers but by routine oversights: an unencrypted email attachment containing customer data, a photo of a whiteboard with personal information posted in a team chat, customer data pasted into a personal, unapproved AI application.
GDPR and the Swiss nDSG require not just technical measures — they require demonstrable organisational measures. 'We had a training session two years ago' is not sufficient for a supervisory authority. What counts: demonstrable, regular practice.
The good news: data protection in everyday work does not require large projects. It is six small routines that together make a fundamental difference.
How to do it right
Live the clean-desk policy consistently
When leaving your workstation: lock away or shred every physical document containing personal data, and lock the screen. Anything left visible will be seen, whether by cleaning staff, visitors, or colleagues who have no need to know.
No personal data in AI tools
ChatGPT, Copilot, Gemini, and other generative AI services must not receive customer data, employee data, or any other personal information as prompt input unless your organisation has a data processing agreement with the provider and has approved the tool for that purpose. Check whether your organisation has an approved AI solution before using any other.
Use access-controlled links instead of email attachments
If you must send sensitive documents by email: share an access-controlled link (SharePoint, OneDrive, Google Drive with permissions restricted to named recipients) rather than an attachment. An attachment is stored in every mail server and mailbox along the way, usually unencrypted at rest, can be forwarded without limit, and cannot be recalled once sent. A link can be limited to specific people, given an expiry date, and revoked.
Clipboard hygiene
The clipboard holds passwords, customer data, and confidential text for longer than most people think, and anything pasted into the wrong window goes straight out. Use a password manager with its own clipboard management that clears the contents after 30–60 seconds. Note that clipboard history (Win+V on Windows) and cross-device clipboard sync keep copies beyond that clearing, so switch them off or have them disabled by policy.
Actively practise data minimisation
Before storing any data, ask: do I really need this? For how long? Data minimisation is not only a GDPR obligation — it also reduces risk in the event of a breach. What does not exist cannot be stolen.
Report incidents immediately
If you notice or suspect that personal data has fallen into the wrong hands: report it internally immediately, so that the person responsible for data protection can decide whether the supervisory authority must be notified. GDPR Article 33 requires notification without undue delay and, where feasible, within 72 hours of becoming aware of the breach; the Swiss nDSG requires notification to the FDPIC as soon as possible. Every hour spent waiting eats into that window.
Tools we recommend
- Microsoft Purview Information Protection (formerly Microsoft Information Protection / Azure Purview) — automatic classification and protection of documents by sensitivity level; well integrated in M365 environments
- ClipperCC for clipboard — automatic deletion of clipboard contents after a configurable time; alternative: password managers with built-in clipboard clearing (in either case, also disable clipboard history and cloud clipboard sync, which keep their own copies)
- Auto-lock settings — set the default screen lock timeout to 5 minutes and make sure the lock requires sign-in on resume, not just a blank screen (Windows: Settings > Personalization > Lock screen > Screen saver settings, "On resume, display logon screen"; macOS: System Settings > Lock Screen); protects unattended devices
- SharePoint/Google Drive with permissions — links shared with specific people, with expiry dates, rather than "anyone with the link" sharing; set this as the default sharing option in the admin console so users do not have to remember it
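The clipboard hygiene and auto-lock items above are both Windows settings that can be audited and enforced centrally rather than left to each user. The following PowerShell script is an added example, not code from the original page or from any of the tools listed; it uses the documented Windows registry locations for the screen saver lock, the "Interactive logon: Machine inactivity limit" policy, and the clipboard history / cross-device clipboard policies, and takes the 300-second timeout from this page's 5-minute recommendation. The HKLM policy writes assume an elevated shell.

```powershell
# Added example: audit and enforce screen-lock and clipboard settings on
# Windows 10/11. Registry paths and value names are the documented Windows
# ones; the 300 s timeout is this page's 5-minute recommendation.
$LockTimeoutSeconds = 300

# Per-user screen saver settings (these HKCU values are REG_SZ strings).
$desktop   = 'HKCU:\Control Panel\Desktop'
# Machine-wide "Interactive logon: Machine inactivity limit" (REG_DWORD, seconds).
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Clipboard history (Win+V) per user, and the policies that block history and sync.
$clipUser   = 'HKCU:\Software\Microsoft\Clipboard'
$clipPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-Setting {
    param([string]$Path, [string]$Name)
    # Returns the registry value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-WorkstationHygiene {
    # Returns a list of findings; an empty list means every check passed.
    $findings = @()

    $active        = Get-Setting $desktop 'ScreenSaveActive'
    $secure        = Get-Setting $desktop 'ScreenSaverIsSecure'
    $timeout       = Get-Setting $desktop 'ScreenSaveTimeOut'
    $policyTimeout = Get-Setting $sysPolicy 'InactivityTimeoutSecs'

    # A screen saver that does not demand sign-in on resume is only a blank screen.
    if ($active -ne '1' -or $secure -ne '1') {
        $findings += 'Screen saver does not lock on resume (ScreenSaveActive and ScreenSaverIsSecure must be 1).'
    }
    if (-not $timeout -or [int]$timeout -gt $LockTimeoutSeconds) {
        $findings += "Screen saver timeout is '$timeout'; expected at most $LockTimeoutSeconds seconds."
    }
    # Without the machine-wide policy a user can simply turn the per-user setting off.
    if (-not $policyTimeout -or $policyTimeout -gt $LockTimeoutSeconds) {
        $findings += 'No machine-wide InactivityTimeoutSecs policy; the per-user timeout can be changed by the user.'
    }

    # Time-based clipboard clearing is defeated if history or cloud sync keeps copies.
    if ((Get-Setting $clipUser 'EnableClipboardHistory') -eq 1) {
        $findings += 'Clipboard history (Win+V) is enabled; copied secrets persist after the clipboard is cleared.'
    }
    if ((Get-Setting $clipPolicy 'AllowClipboardHistory') -ne 0) {
        $findings += 'Clipboard history is not blocked by policy (AllowClipboardHistory should be 0).'
    }
    if ((Get-Setting $clipPolicy 'AllowCrossDeviceClipboard') -ne 0) {
        $findings += 'Cross-device clipboard sync is not blocked by policy (AllowCrossDeviceClipboard should be 0).'
    }
    return $findings
}

function Set-WorkstationHygiene {
    # Enforce the recommended values. The HKLM writes need an elevated shell.
    Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value "$LockTimeoutSeconds"

    New-Item -Path $sysPolicy -Force | Out-Null
    Set-ItemProperty -Path $sysPolicy -Name 'InactivityTimeoutSecs' -Value $LockTimeoutSeconds -Type DWord

    New-Item -Path $clipUser -Force | Out-Null
    Set-ItemProperty -Path $clipUser -Name 'EnableClipboardHistory' -Value 0 -Type DWord
    New-Item -Path $clipPolicy -Force | Out-Null
    Set-ItemProperty -Path $clipPolicy -Name 'AllowClipboardHistory'     -Value 0 -Type DWord
    Set-ItemProperty -Path $clipPolicy -Name 'AllowCrossDeviceClipboard' -Value 0 -Type DWord
}

function Clear-ClipboardAfter {
    # Clears the clipboard after $Seconds in a background job, the same idea a
    # password manager applies automatically, for ad-hoc copies made outside it.
    param([int]$Seconds = 45)
    Start-Job -ArgumentList $Seconds -ScriptBlock {
        param($s)
        Start-Sleep -Seconds $s
        cmd /c 'echo off | clip'   # piping empty input to clip.exe empties the clipboard
    } | Out-Null
}

# Audit run: prints findings, or a single line when everything is compliant.
$findings = Test-WorkstationHygiene
if ($findings.Count -eq 0) { 'All workstation hygiene checks passed.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run the audit as the logged-on user first; the HKCU checks only make sense in that user's context. Deploy `Set-WorkstationHygiene` through your endpoint management tool rather than by hand so the policy values survive a user changing the screen saver dialog.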
If you only remember one thing
Most data protection incidents in everyday work arise from habit, not malice. Building routines protects you and your organisation — without significant effort.
Introduce an AI usage policy
Define in a clear, one-page policy: which AI tools are approved, what data may go in, what may not. Without a clear rule, employees assume everything is permitted — and end up with customer data in third-party AI systems.