Blog, Konica Minolta

Data protection and access to personnel files: GDPR

Whether internal or external, and whether they concern an employment or a business relationship, enquiries about the storage of personal data, known as Data Subject Access Requests (DSARs for short), have recently been increasing sharply. More and more employees are using their right to information. In the United Kingdom, for example, the number of DSARs has doubled in the two years since the General Data Protection Regulation came into force, even though the country has not been part of the scope of the European General Data Protection Regulation (GDPR) since leaving the EU on 31 January 2020.

The desire for information and increasing demands regarding customer data and data processing can be expensive for SMEs for two reasons. Firstly, many companies are not prepared for such legitimate enquiries from data subjects; the resulting workflows are not clear and can quickly rack up many extra hours of work.

For example, if the employer does not have a process in place for this purpose and several employees make requests for information at the same time, all existing data must be searched manually within a short period of time, a procedure that is time-consuming and error-prone.

Secondly, the cost of a data breach could be very high. For example, the GDPR provides for penalties of up to 20 million euros or up to 4% of a company’s global annual turnover in the event of a breach of data protection.

In principle, workplace data protection applies to all employers and employees. The GDPR requires that certain principles for the processing of personal data be met. For example, even in personnel files, personal data may only be processed for defined, clear and legitimate purposes.

It is important for every employer to be prepared with regard to the right to access and the associated data viewing, and to be able to react quickly both in the case of upcoming data requests and of data breaches.

Whether it relates to employees or customers, employment or business relationships: data protection needs to be respected. Back to our head of department and her enquiry for information from the HR department. What happens now? The biggest challenge is to quickly and securely find out what data regarding the subject is stored where.

  • The process starts with the receipt of the enquiry and the formal confirmation of the request for information.
  • The request must then be checked for legitimacy.
  • Next, all information and documents regarding the subject are compiled and checked.
  • Finally, the request for information is answered and the information report is provided – this includes the possibility to securely download the data.

If the personal data – i.e. personally identifiable information, known as PII for short – has to be compiled manually, the processing of the information report quickly becomes the main cost driver for SMEs.

After all:

  • There are many data sources (systems, servers) and different file formats to search through
  • PII can also be hidden in image files and PDFs
  • The work often involves a large number of staff members
  • And: manual activity is very error-prone

Software solves this problem: dokoni FIND makes company data searchable in one place, and dokoni FIND Insight identifies the relevant data in those documents, extracts it and will in future be able to create your information reports with just a few clicks.

The first step towards GDPR compliance is to control the data in your company. dokoni FIND can be used to search all the company data stored in a variety of systems. Based on this information, the dokoni FIND Insight add-on module finds out where personal data is stored in the company. It identifies the desired information in those documents, extracts it and will in future be able to create your information reports with just a few clicks.

This solution allows data protection officers to keep track of personal data at all times. On this basis, automated reports can be created to always stay one step ahead of potential data breaches.