Our Blog

Are you protected from your own employees under GDPR?

Are you protected?

Subject Access Requests (SARs) under the General Data Protection Regulation (GDPR) have become a challenge for any organisation that handles and processes personal data.

The amount of information organisations have about their workers can be vast, ranging from personal data records, as well as information collected during their daily activities, such as voice calls, SMS, and correspondences within internal apps such as Skype for Business and Bloomberg. Of course, an employee has the same rights as a customer when it comes to SARs.

Employees have the right to know whether or not their enterprise is processing data on them, what data is being processed, for what purpose, who sees that information, and the extent to which that data is being used to make automated decisions on the employee and under what logic.

So, understanding from the outset how to respond to an employee SAR is crucial, as failure to respond to any request can leave the organisation open to claims, fines and reputational damage.

Protection from unauthorised access

Furthermore, and equally important, it’s essential that businesses have secure access control to protect themselves from unauthorised access. Logging, audit trail and warnings (notifications) are essential features in any service containing personal data.

On receipt of an employee SAR, enterprises are required under GDPR to respond by providing copies of the personal data held, and any information regarding the sources of that data – all of which has to be presented in ‘intelligible’ form within 30 calendar days.

Recent cases have shown that an employee’s purpose for the request is not relevant and so employers cannot ignore this type of SAR, regardless of whether an employee has an ulterior motive. In fact, an enterprise can only refuse these requests when providing the information would involve a ‘disproportionate’ effect. It cannot charge a fee, unless the request is manifestly unfounded or excessive. It means that organisations cannot ignore this aspect of SARs under GDPR.

Permission-based control

This is where Touch Call Recording Service can help. Touch Call Recording captures and securely stores fixed and mobile calls, as well as digital communications from more than 46 different channels, including Skype for Business and Bloomberg. Access to, and retrieval of, files from the database is enabled by an easy-to-use, intuitive web interface and portal.

More importantly, access to the portal – and therefore data retrieval – is permissions- and policy-based, meaning that different rights can be granted to employees, restricting or broadening access according to staff position and role.

Touch automatically takes care of these aspects, protecting both employee and employer. It allows organisations to focus on their daily activities, secure in the knowledge that they can quickly, efficiently and securely meet all of their compliance obligations, while safeguarding against unauthorised access.

Employees, meanwhile, get to understand how their personal data is held and processed by their enterprise – and compliance officers can be confident that they have met all of their obligations under GDPR.

Contact Touch now to see how we can help you to efficiently and securely cover all of your compliance obligations.

Written on 16 May 2019
Stay in touch...
  • Linkedin
  • Twitter
  • blog