GDPR has been part of our lives since May 2018, when it came into force in the EU. Ever since then, employees and organizations have been obliged to follow the regulations and laws on personal data.
But who should actually have access to your personal data? We'll take a closer look at who should have access to your personal data and how they should handle it.
Handling personal data
We might not think about every situation in which we handle and process personal data, but we do it quite a lot. We handle personal data when we help our customers with their bank statements, or when we chat with our colleagues about their backgrounds or family relations.
You can therefore get requests from colleagues about processing personal data that concerns them, a third party or other employees in the organization.
That is when you should reconsider what you do next. If you give an unauthorized person access to personal data, it can have serious consequences for your organization. As a data controller, you have an obligation and responsibility to protect the data you’re processing.
- The responsibility lies with you and your colleagues; you need to stop and think when you are asked to pass data on - and how you handle it.
You cannot always tell when you are getting a request for access to personal data. There are everyday situations in which employees want to help out customers, colleagues and partners, and this can lead to the sharing of personal information. It can be information about a colleague's schedule or confirmation of a deal; either can lead to a potential breach of GDPR.
When is it a request to access personal information?
It can sound difficult to distinguish between a request to access personal information and simple watercooler talk.
When we think of requesting something it suddenly becomes a formal act, but it doesn't have to be. If a customer reaches out and wants to know some specifics about your latest registrations, or your external partner needs some information about a planned meeting he has with another colleague, it is essentially a request to access personal information. The customer and the external partner are requesting additional information about their own data and about a colleague's meeting schedule.
The important thing is that it is information that is personal to an individual. It's not only confidential information about their health and other sensitive data; it's also the schedules and appointments that we all have in our lives.
Who should have access?
You might wonder who should have access to your personal information, and the short answer is, whoever the information belongs to and is about.
So if a person, whose data you process, asks for access to it, you must give them access. You should, though, be cautious if others ask for access to personal data - as we’ve established, it may not be as obvious as we’d like it to be.
The tricky thing about this is that most people will request access via a phone call or through email. Here you cannot completely verify their identity and, in the worst case, you give access to sensitive information to someone else. The cyberthreat of identity theft is lurking, and attackers are getting ever better at imitating others. That is why you should always be 100% sure of a person's identity before giving them access to personal information.
You can also, without intending to, see private matters in your colleague's calendar when you check whether they're free for a meeting - so you should always request access before you interact with other people's personal data.
So, in short:
- Always verify the identity of the person requesting access to the personal data in question.
- Always make sure that the person requesting access actually has the right to access the information.
You can verify a person’s identity either by getting them to verify it through a secure email, or by asking them for an ID card.
When you want to make sure that a person has the right to access another person's data, check that they are a type of guardian (like a parent or partner) or someone with a legal right to access the data.
No matter how helpful you want to be, you need to remember GDPR and personal data security.
It's often employees who are faced with the question "can I just get the info about so-and-so's meeting schedule?", and we usually just want to help out and tell the caller about the schedule.
However, that is a major breach of GDPR and personal confidentiality. The employee who is asked this question might not have asked for verification of the caller's identity, and thus gives out personal information to a stranger and unauthorized person.
That is why security comes first, helpfulness comes second. Hackers use many tactics to get personal information and usually use social engineering to appeal to our emotions - they know how kind-hearted and helpful people want to be and thus exploit it.
Tips for when you provide personal information
You want to stay compliant with GDPR, which you can do both by appointing a data protection officer (DPO) and by informing your employees of the rules and regulations connected with processing personal data.
Implement awareness training
First of all, you should educate the people who handle requests to access personal data. Every employee within an organization should know the guidelines and laws that GDPR entails, so they don't breach them and expose the organization to a GDPR fine.
By raising awareness of the security concerning personal data, you ensure that people are cautious when they handle it. Cybersecurity starts with people, and processing personal data is no exception.
The employees of an organization should not pose a threat to the safety of personal data - they should be the best protector of it.
Another important thing you can implement to improve the safety of personal data is to limit who has access to sensitive information. Here technology can help in limiting access, and thus establish the principle of least privilege among the employees.
By limiting access, you also limit the risk of people unintentionally sharing information they have no right to share.
So a good rule of thumb is to give employees access only to the data concerning their own customers, and not to all customers of the company.
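The two rules above - the data subject may see their own data, and an employee may see only the customers assigned to them, and only once identity has been verified - can be enforced in software rather than left to judgement on a phone call. The following is an added example, not Moxso's code or any product's API; the customer records, employee ids and assignments are constructed sample data, and the function names are my own. It denies by default, records every decision in an audit log (so a denied request for "so-and-so's schedule" leaves a trace), and never returns a record to an unverified caller.

```python
"""Least-privilege access check for personal-data lookups (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data store: customer records keyed by customer id.
CUSTOMERS = {
    "c-100": {"name": "Alice Example", "statement": "2024-01 statement"},
    "c-101": {"name": "Bob Example", "statement": "2024-01 statement"},
    "c-102": {"name": "Carol Example", "statement": "2024-02 statement"},
}

# Constructed assignment table: which employee handles which customers.
# This is the "employee's customers" the rule of thumb refers to.
ASSIGNMENTS = {
    "emp-1": {"c-100", "c-101"},
    "emp-2": {"c-102"},
}

# Every decision, allowed or denied, is appended here for later review.
AUDIT_LOG = []


@dataclass
class Requester:
    principal: str            # employee id or customer id of the person asking
    kind: str                 # "employee" or "data_subject"
    identity_verified: bool   # identity confirmed (ID card, secure email), or not


def authorize(req: Requester, customer_id: str) -> bool:
    """Deny by default. Allow only (a) the data subject reading their own
    record or (b) an employee assigned to that customer, and in both cases
    only after the requester's identity has been verified."""
    allowed = False
    reason = "denied: no matching rule"

    if not req.identity_verified:
        reason = "denied: identity not verified"
    elif req.kind == "data_subject" and req.principal == customer_id:
        allowed, reason = True, "allowed: data subject accessing own data"
    elif req.kind == "employee":
        if customer_id in ASSIGNMENTS.get(req.principal, set()):
            allowed, reason = True, "allowed: employee assigned to customer"
        else:
            reason = "denied: employee not assigned to this customer"

    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "principal": req.principal,
        "kind": req.kind,
        "customer_id": customer_id,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed


def get_customer_record(req: Requester, customer_id: str) -> dict:
    """Authorize first, then look up. The check runs before the lookup so an
    unauthorized caller cannot even learn whether a customer id exists."""
    if not authorize(req, customer_id):
        raise PermissionError(f"{req.principal} may not access {customer_id}")
    return CUSTOMERS[customer_id]


if __name__ == "__main__":
    # An assigned, verified employee gets the record.
    print(get_customer_record(Requester("emp-2", "employee", True), "c-102"))
    # The same employee asking about somebody else's customer is refused.
    try:
        get_customer_record(Requester("emp-2", "employee", True), "c-100")
    except PermissionError as err:
        print("refused:", err)
    for entry in AUDIT_LOG:
        print(entry["principal"], entry["customer_id"], entry["reason"])
```

The point of the structure is that the identity check and the assignment check are separate, explicit conditions: a helpful colleague cannot "just look it up" for a caller, because the lookup path only opens once both conditions hold, and the audit log shows who asked for what and why it was refused.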
Make clear guidelines
Clear guidelines minimize the doubt and confusion there can be when it comes to sharing and accessing personal information.
In these guidelines you should define how to verify a customer's identity, what personal data is, and what employees should do if they are not sure how to act in a given situation. This will make it easier for employees to navigate the complex world of GDPR and personal data.
Use your DPO
You should remember that you have either a DPO or a person responsible for your company's compliance with GDPR.
When people know that there is someone responsible for and knowledgeable about GDPR and compliance, they will hopefully feel that they can raise and clear up any questions they might have.
Compliance and data protection
It's always important to stay vigilant when you deal with sensitive data. This includes knowing what sensitive and personal information is, and knowing when someone is requesting access to it.
We may not think of a meeting schedule or customer registrations as personal data, but they are. So now, if someone asks for information about them, you know that it is personal data.
Make use of the tools and people around you: if you have any questions or concerns about a particular case or problem, you should feel comfortable asking, e.g., your company's DPO or the person responsible for your compliance and data protection.
Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.