With the arrival of the deadline for the General Data Protection Regulation (GDPR) enforcement, companies across the globe are updating privacy policies and procedures to avoid heavy fines and penalties.
In a nutshell, the GDPR says that people have the right to their own personal data; that individuals have the right to request access that data, understand how it’s used, and “request to be forgotten”. The broad stroke regulation works to tackle the fact that new technology emerges by the year and until legislation catches up, personal data can be leveraged without the affected individuals consent.
Organizations are cleaning up their act when it comes to consumer data subjects. However, many have overlooked an entire group of data subjects—employees. They possess the same rights as consumers to make subject access requests, and employers need to be ready.
This 'nightmare letter' by Constantine Karbaliotis shows what a subject access request under the GDPR could look like. Lets dive into this nightmare:
I am writing to you in your capacity as data protection officer for your company. I aman employee of yours, and in light of recent events, I am making this request for access to personal data pursuant to Article 15 of the General Data Protection Regulation. I am concerned that your company’s information practices may be putting my personal information at undue risk of exposure or in fact has breached its obligation to safeguard my personal information pursuant to <latest nasty cybersecurity event or thing in the news>.
I am including a copy of documentation necessary to verify my identity. If you require further information, please contact me at my address above.
I would like you to be aware at the outset, that I anticipate reply to my request within one month as required under Article 12, failing which I will be forwarding my inquiry with a letter of complaint to the <appropriate data protection authority>.
Please advise as to the following:
1. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, collaboration platforms, or voice or other media that you may store.
…and unfortunately, this is only the beginning. Continue reading the rest of this letter.
The first thing you need to do is understand all the sources of data your company has on a given employee. This includes personal information, employee communications, or anything that can be matched to an identified person.
In addition to understanding what data your company has regarding an employee, it’s important to understand who has access to this data. This could be internal or external (e.g. partners, vendors) players.
In addition to these employee rights, the Article 29 Working Party also recommends not to ‘retain [personal data] any longer than necessary’.
When employees transition in and out of the company, there is a natural transition of formal employee information – personal information, insurance data, tax information. But what about all of the informal records an employee leaves behind? Who audits or deletes these records over a period of time? This is where company record retention policies are instrumental.
During your audit of employee data, it’s also a great time to identify arenas of employee data that you may not be using (including that data that has exceeded your record retention policy) that you can delete as well as revoke data access from parties who no longer need it.
This helps mitigate risk of breach and limits the scope of future data access.
Now that you understand the sources of your employee data and who can access it, it’s important to prepare in the event that an employee files a data subject request. This includes sorting through your sources and confirming that you have the procedures in place to both extract employee data and delete, if necessary.
Companies around the world are adopting increasingly innovative pieces of technology at a rapid pace to encourage employee collaboration. Over 230,000 companies worldwide connect their workforce to a collaboration platform such as Workplace by Facebook or Microsoft Teams.
More informal, frequent correspondences are taking shape in private and public forums. This does introduce a new set of potential risks to the enterprise security ecosystem. This data is a set that should be monitored, secured, and destroyed at the appropriate times, just like any other source of employee data.
“Employers should always bear in mind the fundamental data protection principles…irrespective of the technology used, [and] the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications…” – Article 29 Working Party
The ‘contents of electronic communication’ applies to the conversations that take place in collaboration tools. Meaning that employees have the right to, as with all other records: request their own data, understand how it is being used, and act on their ‘right to be forgotten’.
Built on the innovative Aware platform, Wiretap's latest Aware Data Management Module gives Data Protection Officers around the world a solution for compliance within enterprise collaboration platforms, such as Microsoft Teams, Microsoft Yammer® and Workplace by Facebook.
Learn how Aware by Wiretap enables GDPR compliance for collaboration content: