GDPR 2021: data protection and access to personnel files

Dealing with personal data, such as that of employees and customers, is often an unforeseen difficulty for SMEs. After all, more and more people want to know what information about them is retained.

6 minutes 6 minutes
Table of Contents
Imagine a company with 250 employees, for example. It receives an enquiry from a former head of department. They would like to make use of their right to information, gain access to their personnel file and receive an overview of all the data collected by their former employer.

More and more employees are using their right to information

Whether internal or external, regarding an employment or business relationship: recently, the number of enquiries relating to the storage of personal data, known as Data Subject Access Requests, or DSARs for short, has been increasing sharply. More and more employees are using their right to information. In the United Kingdom, for example – even though it has not been part of the scope of the European General Data Protection Regulation (GDPR) since leaving the EU on 31 January 2020 – the number of DSARs has doubled in the two years since the General Data Protection Regulation came into force.

Access to personnel files can become expensive for SMEs

The desire for information and increasing demands regarding customer data and data processing can be expensive for SMEs for two reasons. Firstly, many companies are not prepared for such legitimate enquiries from data subjects; the resulting workflows are not clear and can quickly rack up many extra hours of work.

For example, if the employer does not have a process in place for this purpose and several employees make requests for information at the same time, all existing data must be searched manually within a short period of time. A procedure that is time-consuming and error-prone.

Secondly, the cost of a data breach could be very high. For example, the GDPR provides for penalties of up to 20 million euros or up to 4% of a company’s global annual turnover in the event of a breach of data protection.

Data protection in the HR department includes the right to information

In principle, workplace data protection applies to all employers and employees. The GDPR requires that certain principles for the processing of personal data must be met. For example, even in personnel files, it may only be processed for defined, clear and legitimate purposes

It is important for every employer to be prepared with regard to the right to access and the associated data viewing, and to be able to react quickly both in the case of upcoming data requests and of data breaches.

Information requests can be costly

In our example, a former head of department makes an enquiry about all the personal information on them that has been stored by the organisation. However, other employees and different data subjects, such as disgruntled customers, interested parties or authorities, can also make enquiries.

More and more such information has to be processed by companies month after month. Reasons for this include increasing cases of cyber fraud and changes in workplace or redundancies due to the coronavirus pandemic.

The problem: in order to identify the personal information of data subjects, many data silos often have to be searched – i.e. data sets and content that are located in different locations and to which only certain departments or user groups have access.

If there are no coordinated processes for data searches, manual searching can cost an employer several employees and many extra hours of work under certain circumstances.

Personal information – how to comply with Data Protection Policy

Whether it relates to employees or customers, employment or business relationships: data protection needs to be respected. Back to our head of department and her enquiry for information from the HR department. What happens now? The biggest challenge is to quickly and securely find out what data regarding the subject is stored where.

  • The process starts with the receipt of the enquiry and the formal confirmation of the request for information.
  • The request must then be checked for legitimacy.
  • The next step is: all information and documents regarding the subject are compiled and checked.
  • Finally, the request for information is answered and the information report is provided – this includes the possibility to securely download the data.

The main cost driver for SMEs: compiling and processing the information report

If the personal data – i.e. personally identifiable information, known as PII for short – has to be compiled manually, the processing of the information report quickly becomes the main cost driver for SMEs.

After all:

  • There are many data sources (systems, servers) and different file formats to search through
  • PII can also be hidden in image files and PDFs
  • The work often involves a large number of staff members
  • And: manual activity is very error-prone

The solution to the problem is provided by clever software solutions: dokoni FIND makes company data searchable in one place, and dokoni FIND Insight identifies the relevant data in those documents, extracts it and in future can create your information reports with just a few clicks.

dokoni FIND and dokoni FIND Insight: take control of your data

The first step towards GDPR compliance is to control the data in your company. dokoni FIND can be used to search all the company data stored in a variety of systems. Based on this information, the dokoni FIND Insight add-on module finds out where personal data is stored in the company. It identifies the desired information from those documents, extracts it and in future can create your information reports with just a few clicks.

This solution allows data protection officers to keep track of personal data at all times. On this basis, automated reports can be created to always stay one step ahead of potential data breaches.

This may also be interesting for you:

Safe workplace – well-protected, secure working

Whether your new office is at home, you have a conventional office at the...


How remote work is transforming cybersecurity

As organizations of all sizes extend their commitment to supporting remote...


Information security: what’s the latest on international standards like ISO 27001?

Cyber-attacks on governments and corporations, data scandals surrounding...

For you from us: