GDPR Learning Hub

Written Procedures

Procedures for sharing data internally

It is common for employees to share personal data with each other in the course of their work. It is therefore good practice to establish procedures for sharing data internally.

Common mistakes when sharing data internally between employees

Much internal data sharing between employees within a company takes place quickly or under time pressure, for example when an employee sends an email or text message to a colleague. It is not uncommon for mistakes to happen. To prevent mistakes and personal data breaches, it is good to have procedures that are clear and easy to follow.

Oral sharing of data internally

It is important not to forget that data can also be shared orally and can be overheard by someone who is not authorised to receive it. The procedures should therefore regulate where such conversations may be held; for example, they should not be allowed in public spaces such as a restaurant during the lunch break. If the data is sensitive personal data, it is particularly important to regulate how it may be shared, and it may be necessary to allow it to be discussed only in private workrooms at the workplace.


Procedures are a good way to demonstrate compliance with the principle of accountability

The GDPR requires companies to be able to demonstrate that they comply with it, which means, among other things, that companies must hold certain documents and agreements. In other words, the burden of proof is on the company to show that it complies with the GDPR in practice, rather than on data subjects or regulators to show that the company is in breach of the regulation. Written procedures are thus useful for creating a clear structure, minimising mistakes and being able to demonstrate compliance with the GDPR.

Not everyone at the company usually needs access to all personal data

It is important to keep in mind that just because a company processes personal data, not everyone in the company needs access to it. The more sensitive the personal data, the more important it is to limit access rights. The starting point should be that only employees who need the personal data in order to fulfil their tasks have access to it. For example, a Chief Financial Officer may need to process personal data about all employees, including sensitive personal data such as information about sick leave. However, other employees do not need access to that information.

Examples of personal data breaches when sharing data internally

An email containing personal data is sent to the wrong colleague, who is not authorised to process it.

Some employees may access personal data “just in case they might need it for some reason”.

An employee who works with sensitive personal data in an open-plan office has no automatic screen lock on the work computer and leaves the desk to refill a cup of coffee. In the meantime, the sensitive personal data on the screen remains visible to other, unauthorised, passing employees.

Examples of what internal data sharing procedures should include

Categories of personal data

The procedures should include the types of personal data processed by the company and those requiring additional protection, such as special categories of personal data or other types of privacy-sensitive personal data.


The sharing requirement

Include the analysis of the need to share the personal data in the procedure. The main rule should be that if a member of staff does not need the personal data to perform his or her duties, he or she should not have access to them.


Communication channels

Employees use several different communication channels on a daily basis, for example SMS and e-mail. The procedures for sharing data internally should specify which channels employees should use. Where sensitive personal data is concerned, it is important that the communication channel meets the security requirements of the GDPR.


Authorisation management

The procedures should state who is authorised to access which personal data, so that employees know with whom they may share certain data. Also remember that personal data must never be shared pre-emptively, "just in case".


Specify which processes require documentation

It is good to document some processing, especially where it relates to sensitive personal data. The procedures should specify which data sharing needs to be carried out and why.

Regulate oral disclosure of personal data

Many people forget that personal data can be disclosed orally by a company's employees. It is important that this happens only in places where unauthorised people cannot hear what is being disclosed. In addition, the procedures should state that employees are not allowed to discuss certain matters outside the workplace, such as at a restaurant during lunch.


Remote work

When employees of a company work remotely, personal data is often transferred more frequently and the risk of unauthorised exposure is greater, especially if the work is done in public places. The procedures should include how employees should work remotely.


Incident management

The procedure should also include what employees should do if they detect a personal data breach. For example, who to contact and how to document the incident.

Learn more

Procedures for obtaining and withdrawing consent

If a company uses consent as the legal basis for a particular processing activity, it must be able to demonstrate that the consent is valid and was obtained correctly. This means, among other things, that the consent must be actively and freely given. In addition, it must be as easy for the data subject to withdraw his or her consent as it was to give it. It is therefore good to put procedures in place to ensure this.
