The number of reports of breaches of the GDPR is steadily increasing. We can now see that more than 5.000 reports in DK took place in the first year. Looking at 2018 alone, there were 3.100 reports. Far below the 15.400 in the Netherlands, but still some.
How do you actually handle a request for insight? Those who have now tried it know full well what is going to happen. At least until next time. But all of you who have not yet faced a request from a former employee, a customer in your webshop or others, have something in store. It is therefore a good idea to be prepared.
Fortunately, it's not rocket science. Datatilsynet has naturally formulated guidance that is so soft around the edges that it cannot necessarily be translated into pragmatics for ordinary people. But their templates can - they are suitably easy and yet thorough.
We therefore give you a short guide here, which makes it possible for you and your company - small and large - to respond to an inquiry.
- When your company receives an inquiry, you must have identified in advance who will be responsible for processing the inquiry. Please use a dedicated email address for the purpose such as persondata@virksomhed.dk
- Start by replying to the email with a confirmation and you want a clearer identification of the sender. Ask for information that only the sender can know about. If it is a former employee, an employee number as well as a recent image of the person can be used. If it is a webshop customer, customer number as well as. A copy of latest invoice may be an option. Do not ask for more than necessary, but enough that you are sure of the identity of the person approaching. Please call the person up.
Remember to communicate via an encrypted connection. Perhaps you have the option of using a third-party solution such as Secure Mail, Outlook encryption or something else.
- When the sender returns with the necessary documentation, you must reply with the types of data that you hold. We continue with the example of a former employee who resigned 3 years ago.
Feel free to use this standard template https://www.datatilsynet.dk/media/6889/bilag_a_og_b_-_skabelter_til_oplysningspligt_og_insigtsret.docx from Datatilsynet for answering. It ensures the correct disclosure obligation, and at the same time helps you to get all the way around.
You have probably already compiled your Article 30 listing (the actual data handling documentation for which the business is undertaking, purposes, retention period, legal secret, etc.). Here you can find where you have information about former employees. Typically a staff folder containing a copy of the employment contract, a copy of timesheets, paychecks etc.
- In the template from Datatilsynet you now fill in information about which data the company holds. And now it is important – you must be honest! So you have documented and previously informed your employees that you save time sheets for 24 months, but here after 36 months you still have copies lying around. Yes, then you MUST disclose this. Afterwards, you can have them deleted/shredded as soon as possible.
- You must secure the documentation in a machine-readable format. It can for example. be PDF files. Therefore, if you have physical time sheets lying around, they must be scanned and saved as PDF, which you attach to the recipient.
- Send the total information to the sender and wait for any further course.
Initially, you have one month to respond to the inquiry. However, it should preferably be done without undue delay.
The above is a simple approach but does the job.
If you need help to have the above preparedness in place - both templates, procedure and technical implementation of a secure communication solution - you are very welcome to contact us.