In everyday situations, many employees are asked to give access to personal data without knowing that it’s personal data. In the spirit of being helpful to clients, partners, or colleagues, employees are unknowingly giving out personal data of other people. In this blog post, I will walk you through what a request for accessing personal data is, who should have access to personal data, and 4 concrete recommendations on how you can ensure that you are not giving out personal data in an unlawful way.
Almost every organisation is processing personal data these days. The employees in your organisation might get a request to access personal data which you are processing – this request could be from the person which the data belongs to, from third-parties or even from other employees in the organisation.
Giving unauthorised people access to personal data may have serious consequences for your organisation. After all, as a data controller, you have the legal and ethical responsibility to protect the personal data you are processing. A very important part of meeting this responsibility comes down to your employees. What should they consider when they are asked to give out personal data, and what can you do to improve how they handle these situations?
A request to access personal data sounds like a very formal thing – however, it does not need to be. Everyday situations that we come across in our workday might as well be regarded as a request to give out personal data. For example, what if one of your customers calls you and asks you which details, he or she is registered within your company, so she can make sure that the information is updated?
Or consider that you get a phone call from a business partner who says that he tried to reach out to your colleague for an urgent matter and asks you to check what your colleague has in her calendar, so he can call her when she is free.
Can these situations be regarded as a request to access personal data?
The point is that everyday situations where you or your colleagues want to help a customer, or another colleague might as well put you in a situation where you are giving out personal data illegally.
Those whom the personal data belongs to, have a right to access their personal data – so you must give out the personal data you have about them if they ask for it.
Additionally, others might also, unknowingly or not, ask you to give out personal data. In any case, you must be careful because you as the data controller have an obligation to protect the personal data you are processing.
What if the person requesting access to his/her own personal data, is not that person? What if your colleague has something in her calendar that can be regarded as personal data, and that she would not like the external business partner to know about?
In general, there are two things you need to be sure of when asked to give out personal data:
How you should fulfil these requirements will depend on the specific context. For example, for confirming the identity of a person who calls you, you might want to ask the person to contact you through a secure e-mail, or simply ask the person to identify himself/herself with an identity card. When it comes to right to access personal data of others, it is in general only their guardian or someone with a power of attorney who can request access to personal data.
Your employees should be regarded as front-line workers when it comes to dealing with requests to access personal data. It is them who will have to deal with requests to giving out personal data.
Most personal data leakages happen due to employees’ good intends.
These good intents lead to giving out personal data to unauthorised people, which then may result in severe consequences for the person the data is about, for the person giving out the personal data, and lastly also to the organisation who is the data controller.
It is not a bad thing to be helpful to others, but your employees should put security over helpfulness. A simple rule of thumb that you can tell your employees is:
Remember that cybercriminals are aware of people’s good intentions to be helpful to others – and make no mistakes, they will use these intentions to take down their targets!
You should make sure that your employees have the required knowledge and tools to deal with requests to access personal data, thus compliance with legal requirements for processing personal data.
Want to know what legal grounds you could have to process personal data? Read our article about the legal basis for processing personal data here
So now comes the fun part. I started this blog post with the following question in mind: how can organisations make sure that their employees are good at dealing with requests to access personal data, and how can employees be confident in handling such requests? Here, I will present 4 concrete recommendations to overcome these issues:
When people think about cyber security, IT security, information security or that like, they usually tend to think of superficial computers who can break into almost any system in the world, or perhaps a guy in a black hoodie who constantly presses the keys on the keyboard in response to flowing green text on a black background in the screen.
While this Hollywood-inspired imagination of cyber security is indeed not a bad thing, because it keeps cyber security on people’s agenda, it puts a shadow on some of the realities of how information, including personal data, can be protected. Cyber security is a matter of the interplay between people, processes, and technology – and so is dealing with requests to accessing personal data.
The number one thing you should do to be better at handling access to personal data, which relates to the people part, is to make sure your employees are aware of the issue. They are the ones that will deal with the requests to accessing personal data, and they are thus those who will either make it or break it!
Turn your employees from being a threat to your organisation’s cyber security to being the best defence against cybercriminals – also when it comes to handling requests for personal data. Train them in determining what personal data is and how they can detect a situation where they should be reluctant to give out personal data. Employees that are aware of what they are doing, is perhaps the most important weapon against cybercriminals!
At CyberPilot, we always advocate that people – i.e., your employees – constitute a large part of the cyber security in your organisations. However, that does not mean that you should neglect the importance of technology.
One way to use technology to help your employees avoid unknowingly giving out personal data is to restrict their access to personal data. You can for instance do this by having defined access permits to various folders in your shared drive.
Why should employees who don’t need a piece of certain information in order to do their job, be able to access that information?
For example, only those employees who are working with certain customers should be able to access the information about those customers. In this way, you are reducing the odds that your employees will give access to personal data to unauthorised people.
Now, you have invested in making your employees aware of issues with giving out personal data and you have created restrictions in your systems to make sure no one has access to information they don’t need to.
Basically, you have invested in the people and technology parts of ensuring lawful access to personal data. The next part you should focus on is – you guessed it – processes.
Create a guideline that walks your employees through what they should consider and do when they are facing requests to access personal data. Clearly define the processes of how they should act. For example, you might base this guideline on the two points I mentioned above – confirmation of identity and right to access personal data.
In your guideline for (not) giving out personal data, you might include examples of:
My last recommendation for dealing with access to personal data is to have someone or someplace – such as a Data Protection Officer (DPO), a lawyer, a person responsible for GDPR, or a law department – which can help employees in situations where they are in doubt.
After all, you cannot expect all your employees to be experts in regulations like the GDPR. They should just be aware of the issue and have some practical knowledge of handling everyday situations. Whenever extraordinary situations occur, they should be able to seek help from someplace.
This is, however, beyond just appointing a person or department. It is something about your organisational culture. Your employees must be willing to, and confident in seeking advice when they are in doubt about requests to access personal data. Similarly, your DPO or person responsible for GDPR, or department must be willing to help your employees out.
Achieving a culture like this easier said than done. For inspiration on how you can turn your company culture into a cyber security culture, I would recommend looking at this free e-book that my colleagues at CyberPilot have created.
It is impossible to avoid processing personal data these days, and that goes on for almost all types of organisations. In everyday situations that your employees are facing in their work, they will often be required to access personal data – from their co-workers, business partners or customers. It is crucially important that you train your employees in knowing how to act when they are asked to give out personal data. This is because you, as the data processor, have a responsibility to ensure that you are not giving away personal data to unauthorised people.
The best way to equip your employees with the necessary skills and training is to adopt a continuous training program for your employees. This makes it easier for them to remember the importance of handling personal data in a lawful way, and at the same time, it keeps proper handling of personal data in the agenda, thus contribute to achieving a security culture in your organisation.
If you are still reading, you are probably interested in assuring proper handling of personal data in your organisation, including dealing with access to personal data. At CyberPilot, we specialise in providing awareness training for employees. Right now, you can try out our awareness training for 3 months for free – without any commitments or making any purchase. I would absolutely recommend trying it out and see how it feels in your organisation.
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.