GDPR and the Right to Access: Evaluating the Risk Factor

Every organization carries some level of risk in its operational activities. In the Digital Era, information gathering, handling, and access presents significant challenges to companies – especially when it comes to data protection and data availability.

Almost every company, whether in the private or public sector, collects customer or personal data. This information can be stored in various repositories such as databases, file shares, email, collaboration systems like SharePoint, and even the cloud. As information flows from one system to another, organizations face some big questions:

  • How can you keep track of what data is where?
  • What’s the minimum level of risk required to place protection controls over personal data?

This means that risk assessment is an essential element of risk management, which is directly responsible for establishing appropriate policies and applying cost-effective techniques to enforce these policies.

Risk Assessment and Accountability under GDPR

The fundamentals of every risk assessment process dictate that organizations must:

  1. Identify threats that could do harm and thus indirectly affect company assets. Such threats could be intruders, breaches, criminals, and even disgruntled employees.
  2. Identify and rank the value, sensitivity, and criticality of data by determining the level of risk that data carries if threatened
  3. Apply cost-effective actions to mitigate or reduce the risk

With the EU GDPR, organizations are mandated to include provisions that promote accountability and complement the EU GDPR’s transparency requirements. Organizations are also expected to apply extensive but proportionate data governance measures to minimize risk factors. Some of the EU GDPR’s accountability principles require companies to:

  • Maintain of relevant documentation on processing activities
  • Implement measures that meet the principles of privacy by design and by default, such as:
    • Data minimization
    • Pseudonymization
    • Transparency
    • Allowing individuals to monitor processing
    • Creating and improving security features on an ongoing basis

Right to Access under GDPR

Under the new EU GDPR, individuals (customers) have the right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information usually found in a privacy notice

What does all of this mean for both the individual and organizations?

Individuals now have the “right to be forgotten” or the “right to erasure”. This right means that an individual may request the deletion or removal of personal data regardless of having a compelling reason. If an individual withdraws consent, the organization must take action to delete personal data collected or processed for this specific individual. Take, for example, a customer service online chat system:

  • To look up customer information and provide assistance, a representative may ask for name, address, birthdate, and even credit card information.
  • To review customer service performance and support ticket volume, a manager extracts records with customers’ personal information to an Excel sheet.
  • To share performance indicators, the manager uploads it to SharePoint Online and sends it to a third-party contractor, who may save a copy to its file share.

If a customer exerts his right to be forgotten, the company can easily locate and delete records within its own databases. However, the GDPR requires that the company also contact its contractor and ensure the deletion occurs there as well. If personal information is not identified and classified in advance, organizations will have a challenging time pinpointing an individual’s personal data in its systems.

When the EU GDPR goes into full effect, organizations will have to provide individuals’ information within one month of collection. This requires organizations to have a data inventory, ongoing data mapping system, and risk assessment throughout all data management or collaboration systems in place. In case an individual requests to be forgotten, organizations will have to undergo a thorough data discovery to identify the individual’s personal data and successfully remove it.

What’s the best way to prepare for right to access requirements and right to be forgotten requests?

  • Data Discovery and Data Analysis: Understand where your sensitive data lives to identify potential risk and protect confidential information.
  • Data Classification: Classify data based on content sensitivity, criticality or confidentiality. Develop a security awareness that protects organizational assets via accountability, classification, and inventory.
  • Sign up for our GDPR Response Guide.