Who should have access to your personal information?
GDPR has been part of our lives since May 2018, when it was introduced in the EU. Ever since then, employees and organizations have been obliged to follow the regulations and laws on personal data.
But who should actually have access to your personal data? We'll take a closer look at who should have access to people's personal data and how they should handle it. If you want a deeper understanding of personal data and its role in cybersecurity, explore our guide on what personal data is.
Handling personal data
We might not think about every situation where we handle and process personal data, but we do it quite a lot. We handle personal data when we help our customers with their bank statements, or when we chat with our colleagues about their backgrounds or family relations.
You can thus get requests from colleagues about processing personal data that concerns them, a third party, or other employees in the organization. If you're unsure about how to handle sensitive data properly, take a look at our guide on how private browsing works.
That is when you should reconsider what you do next. If you give an unauthorized person access to personal data, it can have serious consequences for your organization. As a data controller, you have an obligation and a responsibility to protect the data you're processing. Government agencies also play a significant role in data collection, and there are growing concerns among Americans about the extent of monitoring by these entities, including data gathered for taxation, national security, and social welfare purposes. The public often lacks confidence in government oversight and understanding of how their personal data is used.
The responsibility lies with you and your colleagues: they need to consider when they are asked to redistribute data - and how they handle it.
You cannot always tell when you're getting a request for access to personal data. There are everyday situations where employees want to help out customers, colleagues and partners, and this can lead to the sharing of personal information. It can be information about a colleague's schedule or confirming a deal, but that can lead to a potential breach of GDPR.
What is a subject access request?
A Subject Access Request (SAR) is a formal request made by an individual to a data controller, asking for access to their personal data that is being processed by the controller. This right is enshrined in the General Data Protection Regulation (GDPR) and allows individuals to request a copy of their personal data, as well as information about how it is being processed.
When an individual submits a subject access request, the data controller is obligated to provide the requested information within one month. This includes details about the purposes of the processing, the categories of personal data concerned, and any recipients to whom the data has been disclosed. It’s a crucial mechanism that empowers individuals to understand and control how their personal data is being used.
When is it a subject access request?
It can be difficult to distinguish between a request to access personal information and simple watercooler talk.
When we think of "requesting" something, it suddenly sounds like a formal act, but it doesn't have to be. If a customer reaches out and wants to know some specifics about your latest registrations, or your external partner needs some information about a planned meeting he has with another colleague, that is essentially a request to access personal information. The customer and the external partner are requesting additional information about their own data and about a colleague's meeting schedule, respectively. For further information about the steps involved in submitting a request, individuals can refer to our detailed guide on processing times, costs, and procedures for addressing concerns.
The important thing is that it is information that is personal to an individual. It's not only confidential information about their health and other sensitive data; it's also the schedules and appointments that we all have in our lives.
Who should have access?
You might wonder who should have access to your personal information, and the short answer is: whoever the information belongs to and is about.
So if a person whose data you process asks for access to it, you must give them access. You should, though, be cautious if others ask for access to personal data - as we've established, it may not be as obvious as we'd like it to be.
The tricky thing about this is that most people will request access via a phone call or through email. Here you cannot completely verify their identity, and in the worst case you give access to sensitive information to someone else. The cyberthreat of identity theft is lurking, and attackers are getting ever better at imitating others. That is why you should always be 100% sure of a person's identity before giving them access to personal information.
Transparency regarding automated decision-making is crucial, especially under GDPR. Individuals have the right to be informed about such processes and to understand the implications of profiling on their personal data.
You can also, without intending to, see private matters in your colleague's calendar when you check whether they're free for a meeting - so you should always request access before you interact with other people's personal data.
So, in short:
- Always verify the identity of the person requesting access to the personal data in question.
- Always make sure that the person requesting access actually has the right to access the information.
You can verify a person's identity either by getting them to verify it through a secure email, or by asking them for an ID card.
When you want to make sure that a person has the right to access another person's data, they are usually a type of guardian (like a parent or partner), or someone with a legal right to access the data.
Best practices for processing personal data
When processing personal data, it is essential to follow best practices to ensure that the data is handled securely and in compliance with relevant regulations. Here are some key best practices to keep in mind:
- Limit access: Only those who need access to personal data to perform their job functions should have it. This minimizes the risk of unauthorized access and potential data breaches.
- Implement robust security measures: Use strong passwords, encryption, and other security measures to protect personal data from unauthorized access or breaches.
- Provide clear information: Be transparent with individuals about how their personal data is being processed. This includes informing them about the purposes of the processing and their rights under GDPR.
- Ensure data accuracy: Regularly update and verify personal data to ensure it is accurate and up to date. Inaccurate data can lead to incorrect decisions and potential harm to individuals.
- Handle SARs properly: Have clear procedures in place for handling subject access requests and other data protection rights. This ensures that requests are processed efficiently and in compliance with GDPR.
Prioritize data security
No matter how helpful you want to be, you need to remember GDPR and personal data security.
It's often employees who are faced with the question "can I just get the info about so-and-so's meeting schedule?", and we usually just want to help out and tell the caller about the schedule.
However, that is a major breach of GDPR and personal confidentiality. The employee who is asked this question might not have asked for verification of the caller's identity, and thus gives out personal information to a stranger and unauthorized person.
That is why security comes first and helpfulness second. Attackers use many tactics to get personal information and usually rely on social engineering to appeal to our emotions - they know how kind-hearted and helpful people want to be, and they exploit it.
Tips for when you provide personal information
You want to stay compliant with GDPR, which you can do both by having a data protection officer (DPO) and by informing your employees of the rules and regulations connected with processing personal data.
Implement awareness training
First of all, you should educate the people who handle any requests to access personal data. Every employee within an organization should know the guidelines and laws that GDPR entails, so they don't breach them and expose the organization to a GDPR fine.
By raising awareness of the security concerning personal data, you ensure that people are cautious when they handle it. Cybersecurity starts with people, and processing personal data is no exception.
The employees of an organization should not pose a threat to the safety of personal data - they should be its best protectors.
Limit access
Another important thing you can implement to improve the safety of personal data is to limit who has access to the sensitive information. Here technology can be a great help in limiting access, and thus in establishing the principle of least privilege among the employees.
By limiting access, you also limit the risk of people unintentionally sharing information they have no right to share.
So a good rule of thumb is to give employees access only to the data concerning their own customers, and not to all customers of the company.
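As an added example (not code from the original post), the two rules summarized earlier (verify identity, confirm the right to access) and the customer-scoping rule above can be encoded in one decision helper. The `CUSTOMERS_OF` and `LEGAL_RIGHT_OVER` tables, the sample identifiers, and the flat 30-day approximation of the one-month SAR deadline are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The post says a SAR must be answered within one month; a flat 30 days is an
# assumed simplification for this example.
SAR_DEADLINE_DAYS = 30


@dataclass(frozen=True)
class AccessRequest:
    requester: str           # who is asking for the data
    subject: str             # whose personal data is requested
    identity_verified: bool  # confirmed via secure email or ID card, not just a call
    handled_by: str          # employee receiving the request


# Constructed sample tables (assumptions, not real records): which customers each
# employee is responsible for, and who holds a guardian or legal right over whom.
CUSTOMERS_OF = {"alice@corp.example": {"cust-1", "cust-2"}}
LEGAL_RIGHT_OVER = {("parent-7", "cust-2")}


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Apply the post's rules in order: verified identity, employee scope,
    then the requester's right (the data subject or a legal right-holder)."""
    if not req.identity_verified:
        return False, "identity not verified"
    if req.subject not in CUSTOMERS_OF.get(req.handled_by, set()):
        return False, "outside the handling employee's customer scope"
    if req.requester == req.subject:
        return True, "data subject's own request (SAR)"
    if (req.requester, req.subject) in LEGAL_RIGHT_OVER:
        return True, "requester holds a legal right over the subject's data"
    return False, "requester has no right to this person's data"


def response_due(received_iso: str) -> str:
    """Deadline for answering a granted SAR, as an ISO date string."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=SAR_DEADLINE_DAYS)).isoformat()


if __name__ == "__main__":
    # An unverified caller asking about a customer: refused before anything else is checked
    print(decide(AccessRequest("stranger", "cust-1", False, "alice@corp.example")))
    # The data subject, verified, asking the employee responsible for them: granted
    print(decide(AccessRequest("cust-1", "cust-1", True, "alice@corp.example")))
    print(response_due("2025-01-21"))
```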
Make clear guidelines
Clear guidelines minimize the doubt and confusion that can arise when it comes to sharing and accessing personal information.
In these guidelines you should define how to verify a customer's identity, what personal data is, and what employees should do if they're not sure how to act in a given situation. This will make it easier for employees to navigate the complex world of GDPR and personal data.
Use your DPO
Remember that you have either a DPO or another person responsible for your company's compliance with GDPR.
When people know that there is someone responsible for and knowledgeable about GDPR and compliance, they will hopefully feel that they can ask and clear up any questions they might have.
Compliance and data protection
It's always important to stay vigilant when you deal with sensitive data. This includes knowing what sensitive and personal information is, and knowing when someone is requesting access to it.
We may not think of a meeting schedule or customer registrations as personal data, but they are. So if someone asks for information about them, you now know that it is personal data.
Use the tools and people around you: if you have any questions or concerns about a particular case or problem, you should feel comfortable asking, e.g., your company's DPO or the person responsible for your compliance and data protection.
Security awareness
Security awareness is critical when handling personal data. Employees should be trained to recognize the risks associated with processing personal data and to take steps to mitigate those risks. This includes being aware of the potential for identity theft and taking steps to prevent it.
Regular training sessions and awareness programs can help employees stay informed about the latest security threats and best practices. By fostering a culture of security awareness, organizations can better protect personal data and reduce the risk of data breaches. Learn more about why gamification in awareness training can be an effective way to boost cybersecurity knowledge in your organization.
Prioritizing security over helpfulness
When handling personal data, it is essential to prioritize security over helpfulness. This means that employees should not provide access to personal data to individuals who do not have a legitimate reason for accessing it, even if it may seem helpful to do so. Instead, employees should follow established procedures for handling requests for access to personal data and ensure that all requests are properly verified and authorized.
By prioritizing security, organizations can prevent unauthorized access to personal data and protect individuals’ privacy. It’s important to remember that while being helpful is valuable, it should never come at the expense of data security.
Planning for security incidents
Despite best efforts, security incidents can still occur. It is essential to have a plan in place for responding to security incidents, including procedures for containing and eradicating the breach, notifying affected parties, and providing support. This plan should be regularly reviewed and updated to ensure that it remains effective.
Having a well-defined incident response plan can help organizations quickly and effectively address security breaches, minimizing the impact on individuals and the organization. Regular drills and updates to the plan can ensure that everyone knows their role and responsibilities in the event of a security incident. To stay informed on how to prevent third-party data breaches, check out our article on preventing third-party data breaches.
This post has been updated on 21-01-2025 by Caroline Preisler.

Caroline Preisler
Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.