In everyday situations, many employees are asked to give access to personal data without knowing that it’s personal data. In the spirit of being helpful to clients, partners, or colleagues, employees are unknowingly giving out other people’s personal data. In this blog post, I will walk you through what a request for accessing personal data is, who should have access to personal data, and 4 concrete recommendations for how you can ensure that you are not giving out personal data in an unlawful way. We also welcome you to try out our course on giving out personal data, designed to increase employee awareness.
Everyone handles personal data
Almost every organisation is processing personal data these days. Knowing what is classified as personal data is the first step towards keeping it safe. The employees in your organisation might get a request to access personal data that you are processing – this request could be from the person who the data belongs to, from third parties or even from other employees in the organisation.
Giving unauthorised people access to personal data may have serious consequences for your organisation. After all, as a data controller, you have a legal and ethical responsibility to protect the personal data you are processing. Knowing your responsibility as a data controller is vital for the safe handling of personal data. However, another very important part of meeting this responsibility comes down to your employees. What should they consider when they are asked to give out personal data, and what can you do to improve how they handle these situations?
What is a request to access personal data?
A request to access personal data sounds like a very formal thing – however, it does not need to be. Everyday situations that we come across in our workday may well be regarded as requests to give out personal data. For example, what if one of your customers calls you and asks for details about how he or she is registered with your company, so they can make sure that the information is up to date?
Or consider that you get a phone call from a business partner. He says that he tried to reach out to your colleague for an urgent matter and asks you to check what your colleague has on her calendar, so he can call her when she is free.
Can these situations be regarded as requests to access personal data?
The point is that everyday situations where you or your colleagues want to help a customer, or another colleague, might put you in a situation where you are illegally giving out personal data.
Who should have access to personal data?
Those to whom the personal data belongs have a right to access their personal data, so you must give out the personal data you have about them if they ask for it.
Additionally, others might also, unknowingly or not, ask you to give out personal data. In any case, you must be careful because you as the data controller have an obligation to protect the personal data you are processing.
What if the caller who claims to be requesting his/her own personal data is in fact not that person? What if your colleague has something in her calendar that can be regarded as personal data, and she would not like the external business partner to know about it?
In general, there are two things you need to be sure of when asked to give out personal data:
The identity of the person who asks for access to personal data.
That the person asking you to give out personal data has the right to access the data.
How you should fulfil these requirements will depend on the specific context. For example, for confirming the identity of a person who calls you, you might want to ask the person to contact you through a secure e-mail, or simply ask the person to identify himself/herself with an identity card. When it comes to the right to access the personal data of others, generally only their guardian or someone with a power of attorney can request access to this personal data.
Security awareness over helpfulness
Your employees should be regarded as front-line workers when it comes to dealing with requests to access personal data. It is they who will have to deal with requests to give out personal data.
Most personal data leakages happen due to employees’ good intentions.
These good intentions lead employees to give out personal data to unauthorised people. This can result in severe consequences for the person the data is about, the person giving out the personal data, and the organisation that is the data controller.
It is not a bad thing to be helpful to others, but your employees should put security over helpfulness. A simple rule of thumb that you can tell your employees is:
Remember that cybercriminals are aware of people’s good intentions and desire to be helpful. They will take advantage of these good intentions to take down their targets!
4 concrete recommendations for giving out personal data
You should make sure that your employees have the knowledge and tools to deal with requests for access to personal data. This means that your colleagues should know about the legal requirements for processing personal data - and comply with them. This also requires your team to have up-to-date knowledge of the principles of the GDPR, and how to follow them.
Want to know what legal grounds you need to process personal data? Read our article about the legal basis for processing personal data here.
So now comes the fun part. I started this blog post with the following question in mind: how can organisations make sure that their employees are good at dealing with requests to access personal data, and how can employees be confident in handling such requests? Here, I will present 4 concrete recommendations to overcome these issues:
1. Employee awareness is your best friend
When people think about cyber security, IT security, information security or the like, they usually tend to think of supercomputers that can break into almost any system in the world, or perhaps a guy in a black hoodie who constantly presses the keys on the keyboard in response to flowing green text on a screen with a black background.
While this Hollywood-inspired imagination of cyber security is not bad, because it keeps cyber security on people’s agenda, it puts a shadow on some of the realities of how information, including personal data, can be protected. Cyber security is a matter of the interplay between people, processes, and technology – and so is dealing with requests for access to personal data.
The number one thing you should do to be better at handling access to personal data, which relates to the people part, is to make sure your employees are aware of the issue. They are the ones that will deal with the requests to access personal data, and they are the ones who will either make it or break it!
Turn your employees from being a threat to your organisation’s cyber security to your best defence against cybercriminals. This is also important when it comes to handling requests for personal data. Train your employees on what personal data is and how they can detect a situation where they should be reluctant to give out personal data. Employees that are aware of what they are doing are perhaps the most important weapon against cybercriminals!
2. Restrict access to personal data for your employees
At CyberPilot, we always advocate that people – i.e., your employees – constitute a large part of the cyber security in your organisation. However, that does not mean that you should neglect the importance of technology.
One way to use technology to help your employees avoid unknowingly giving out personal data is to restrict their access to personal data. You can for instance do this by defining access permissions on the various folders in your shared drive, so that each folder is readable only by the employees who need it.
Why should employees who don’t need a piece of information in order to do their jobs be able to access that information?
For example, only those employees who are working with certain customers should be able to access the information about those customers. By doing this, you are reducing the odds that your employees give access to personal data to unauthorised people.
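The folder-permission rule above can be checked mechanically. The following is an added example, not CyberPilot's own code: it assumes two constructed tables (which customers each employee actually works with, and the folder permissions as exported from the shared drive) and reports grants that have no business need behind them, as well as needs that have no grant.

```python
# Added example: a least-privilege audit of customer folders on a shared drive.
# Both tables below are constructed sample data, not real assignments or ACLs.
from typing import Dict, Set, Tuple

# Business need: employee -> customers the employee works with.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "anna": {"acme", "globex"},
    "bo": {"acme"},
    "carla": set(),  # works in marketing, no customer work at all
}

# Exported folder permissions: folder -> employees with read access.
FOLDER_ACL: Dict[str, Set[str]] = {
    "customers/acme": {"anna", "bo", "carla"},  # carla has no need for this
    "customers/globex": {"bo"},                 # bo has no need; anna is missing
}

Grant = Tuple[str, str]  # (employee, folder)


def folder_for(customer: str) -> str:
    """Naming convention assumed for this example: one folder per customer."""
    return f"customers/{customer}"


def needed_grants(assignments: Dict[str, Set[str]]) -> Set[Grant]:
    """Grants that are justified by an actual customer assignment."""
    return {(emp, folder_for(c)) for emp, custs in assignments.items() for c in custs}


def audit(assignments: Dict[str, Set[str]],
          acl: Dict[str, Set[str]]) -> Tuple[Set[Grant], Set[Grant]]:
    """Return (excess, missing).

    excess:  grants with no business need -> remove them (least privilege).
    missing: needs with no grant -> fix them, otherwise the employee will
             end up asking a colleague to share the data out of band.
    """
    needed = needed_grants(assignments)
    granted = {(emp, folder) for folder, emps in acl.items() for emp in emps}
    return granted - needed, needed - granted


if __name__ == "__main__":
    excess, missing = audit(ASSIGNMENTS, FOLDER_ACL)
    for emp, folder in sorted(excess):
        print(f"REMOVE  {emp} from {folder}")
    for emp, folder in sorted(missing):
        print(f"GRANT   {emp} on {folder}")
```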
3. Create a guideline for giving out personal data
Now, you have invested in making your employees aware of issues with giving out personal data and you have created restrictions in your systems to make sure no one has access to information they don’t need.
By doing this, you have invested in the people and technology to ensure lawful access to personal data. The next part you should focus on is – you guessed it – processes.
Create a guideline that walks your employees through what they should consider and do when they are facing requests for access to personal data. Clearly define the processes of how they should act. For example, you might want to base the guidelines on the two points I mentioned above: confirmation of identity and the right to access personal data.
In your guideline for (not) giving out personal data, you might include examples of:
- What is regarded as personal data
- How your employees could confirm the identity of a person
- How they can refuse to give out personal data in everyday situations, even when the person asking is someone they know very well (e.g., a business partner)
- What they should do if they are unsure of how to act
4. Make sure your employees have someone to consult
My last recommendation for dealing with access to personal data is to have someone or someplace – such as a Data Protection Officer (DPO), a lawyer, a person responsible for the GDPR, or a legal department – who can help employees in situations where they are in doubt.
After all, you cannot expect all your employees to be experts in regulations like the GDPR. They should just be aware of the issue and have some practical knowledge of handling everyday situations. Whenever extraordinary situations occur, they should be able to seek help from someplace.
This goes beyond just appointing a person or department, however. It is about your organisational culture. Your employees must be willing and confident enough to seek advice when they are in doubt about requests to access personal data. Similarly, your DPO or the person or department responsible for the GDPR must be willing to help your employees out.
Achieving a culture like this is easier said than done. For inspiration on how you can turn your company culture into a strong cyber security culture, I would recommend looking at our guide to creating a security culture or this free e-book that my colleagues at CyberPilot have created.
Conclusion: Your employees will either make it or break it
It is impossible to avoid processing personal data these days, and that goes for almost all types of organisations. In the everyday situations your employees face in their work, they will often receive requests for access to personal data – from co-workers, business partners, or customers. It is crucial that you train your employees in how to act when they are asked to give out personal data. This is because you, as the data processor, have a responsibility to ensure that you are not giving away personal data to unauthorised people.
The best way to equip your employees with the necessary skills and training is to adopt a continuous training program for your employees. This makes it easier for them to remember the importance of handling personal data in a lawful way, and at the same time, it keeps proper handling of personal data on the agenda. As a whole, it contributes to achieving a security culture in your organisation as well as compliance with the GDPR.
If you are still reading, you are probably interested in ensuring that personal data is handled and accessed properly in your organisation. At CyberPilot, we specialise in providing awareness training for employees. Right now, you can try out our awareness training for free – without any commitments or making a purchase. I would especially recommend trying our course on giving out personal data, and seeing if it feels like a good fit for your organisation.