SARs ex-employee fishing expeditions

An interesting post by Sarah Thompson, employment lawyer, McGuireWoods.

SARs are often used by employees or former employees as a “fishing expedition” to obtain information in the context of disciplinaries, grievances and litigation, rather than for verifying/correcting their personal data. Previous court decisions have held that making an SAR in this context was an abuse of process and not the purpose of the legislation. However, recent cases and the ICO Code have clarified that an employee’s purpose for making the request is not relevant and employers need to respond regardless of whether the employee has an ulterior motive for making an SAR.

  • Disproportionate effort

Employers can refuse to provide information where doing so would involve disproportionate effort. Difficulties throughout the process (from finding, analysing and providing the data) can be taken into account. However, employers must be able to show that they have taken all reasonable steps to comply with the request and, as the ICO Code notes, “should be prepared to make extensive efforts to find and retrieve the requested information.”

The DOVE is GDPR for employees!

Why call it the DOVE? Well, doves are pretty peaceful and symbolise harmony. This is basically what GDPR privacy awareness training should bring your organisation: awareness and tranquillity.

Sorry for the sales pitch, but I’m pretty proud of the Privasee GDPR privacy awareness training!!!

So far we have it in English, Swedish and Portuguese!

GDPR panic?

There is a mad GDPR panic now. All those companies which haven’t started, or started very late (i.e. end of 2017 or beginning of 2018), are starting to realise that GDPR is not just about security, or about fixing the privacy notice, or even about responding to the rights of the data subject. It’s much more. It’s about doing it right. It’s about doing what should have been done before, in order to benefit from business efficiencies.


Of course, they are starting to realise, for example, that in order to meet the 72-hour personal data breach notification requirement (72 hours from becoming aware of the breach), an incident management process needs to be in place and effective. And for that to work, even if you are using ITIL/ITSM, the industry standard in incident management, it is useless if you haven’t fixed your logging: what are your systems logging, how is it captured, and how is it correlated into something that actually means something? If you haven’t a baseline for what is ‘normal’, how do you know what is an anomaly?
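To make the baseline point concrete, here is an added example (mine, not code from the original post): a few constructed failed-login log lines, a per-user hourly baseline built from one quiet day, and an anomaly check run over the next day. The log format, user names, addresses, baseline window and thresholds are all assumptions chosen for illustration.

```python
"""Baseline-then-anomaly check over constructed failed-login log lines.

Added example for this post, not code from the original. The log format,
user names, IPs, the baseline window and the thresholds are all assumptions
chosen for illustration.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed syslog-style line: "<ISO timestamp> sshd[<pid>]: Failed password for <user> from <ip>"
LOG_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def _line(ts, user, ip, pid):
    return f"{ts} sshd[{pid}]: Failed password for {user} from {ip}"


# Constructed sample. 2018-03-01 is the quiet "normal" day used as the baseline;
# 2018-03-02 contains a burst of 25 failures for alice from an outside address.
SAMPLE_LOG = [
    _line("2018-03-01T09:00:12", "alice", "10.0.0.5", 101),
    _line("2018-03-01T10:05:01", "alice", "10.0.0.5", 102),
    _line("2018-03-01T11:20:33", "alice", "10.0.0.5", 103),
    _line("2018-03-01T11:21:02", "alice", "10.0.0.5", 104),
    _line("2018-03-01T12:00:00", "bob", "10.0.0.7", 105),
    _line("2018-03-02T10:15:00", "bob", "10.0.0.7", 106),
    "2018-03-02T10:16:00 sshd[107]: Accepted password for bob from 10.0.0.7",  # not a failure, skipped
] + [
    _line(f"2018-03-02T14:{i:02d}:00", "alice", "203.0.113.9", 200 + i) for i in range(25)
]


def hourly_failures(lines):
    """Count failed logins per (user, hour) bucket; lines that do not parse are skipped."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[(m["user"], m["hour"])] += 1
    return counts


def build_baseline(counts, baseline_day):
    """Per-user mean and population stddev of failures per hour over one day.

    All 24 hours count, including the zero hours: otherwise the baseline is
    only "hours in which something went wrong" and comes out far too high.
    """
    users = {user for (user, hour) in counts if hour.startswith(baseline_day)}
    baseline = {}
    for user in users:
        per_hour = [counts.get((user, f"{baseline_day}T{h:02d}"), 0) for h in range(24)]
        baseline[user] = (mean(per_hour), pstdev(per_hour))
    return baseline


def detect(lines, baseline_day, k=3.0, floor=5):
    """Return (user, hour, count) buckets outside the baseline day that exceed
    mean + k*stddev AND an absolute floor. The floor matters: a user whose
    baseline is all zeros has stddev 0, so without it a single failure would
    already count as "anomalous"."""
    counts = hourly_failures(lines)
    baseline = build_baseline(counts, baseline_day)
    flagged = []
    for (user, hour), n in sorted(counts.items()):
        if hour.startswith(baseline_day):
            continue
        mu, sigma = baseline.get(user, (0.0, 0.0))  # unseen user: no baseline, the floor alone decides
        if n >= floor and n > mu + k * sigma:
            flagged.append((user, hour, n))
    return flagged


if __name__ == "__main__":
    for user, hour, n in detect(SAMPLE_LOG, "2018-03-01"):
        print(f"anomaly: {user} had {n} failed logins in hour {hour}")
```

With the default floor of 5 only alice’s burst is reported; drop the floor to 1 and bob’s single failure on the second day is flagged too, because his baseline is almost all zeros. That is the “what is normal?” question from the paragraph in miniature: the statistics are only as good as the logging that feeds them and the window you call normal.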

The problem of testing on live data, rather than anonymised test data, has reared its ugly head. How far can you go in anonymising before you lose utility? Or maybe pseudonymisation is the way forward, in which case the test environment needs to meet the same GDPR demands as production, because pseudonymised data is still personal data.
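Here is an added example of what pseudonymising a test extract looks like in practice (my code, not from the original post): a keyed, deterministic token replaces the link key and the direct identifiers across two constructed tables, so joins in the test environment still work, and a small reversal function shows why the result is still personal data. The table layout, field names, records and key handling are constructed assumptions.

```python
"""Keyed pseudonymisation of a test-data extract.

Added example for this post, not code from the original. The two-table layout,
the field names, the sample records and the key handling are constructed
assumptions for illustration.
"""
import hashlib
import hmac
from collections import Counter

# Assumption: in real use the key lives in a vault on the production side and
# never reaches the test environment; it is inline here only so the example runs.
KEY_A = b"example-pseudonymisation-key-kept-out-of-test"
KEY_B = b"a-different-key-for-the-comparison"

# Constructed extract: two tables joined on customer_id.
CUSTOMERS = [
    {"customer_id": "C100", "name": "Ada Lovelace", "email": "ada@example.com", "country": "UK"},
    {"customer_id": "C200", "name": "Karl Bergström", "email": "karl@example.se", "country": "SE"},
]
ORDERS = [
    {"order_id": "O1", "customer_id": "C100", "amount": 19.99},
    {"order_id": "O2", "customer_id": "C100", "amount": 5.00},
    {"order_id": "O3", "customer_id": "C200", "amount": 120.00},
]

TOKENISED_FIELDS = {"customer_id", "name", "email"}  # the link key plus the direct identifiers


def pseudonym(field, value, key):
    """Deterministic keyed token: HMAC-SHA256 over field || NUL || value.

    Keyed, so a token cannot be rebuilt from a plain hash of a guessed value;
    domain-separated by field, so the same string in two columns does not
    yield the same token.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{field}:{mac[:16]}"


def pseudonymise_table(rows, key):
    """Replace tokenised fields in every row; all other columns pass through unchanged."""
    return [
        {f: (pseudonym(f, v, key) if f in TOKENISED_FIELDS else v) for f, v in row.items()}
        for row in rows
    ]


def orders_per_customer(customers, orders):
    """Join-shape check: how many orders each customer row links to (sorted)."""
    counts = Counter(o["customer_id"] for o in orders)
    return sorted(counts[c["customer_id"]] for c in customers)


def reidentify(field, token, key, candidates):
    """Reversal using the 'additional information' of GDPR Art. 4(5): whoever
    holds the key and a candidate list can map tokens back to people, which is
    why pseudonymised test data is still personal data (Recital 26)."""
    for value in candidates:
        if pseudonym(field, value, key) == token:
            return value
    return None


if __name__ == "__main__":
    customers = pseudonymise_table(CUSTOMERS, KEY_A)
    orders = pseudonymise_table(ORDERS, KEY_A)
    print(customers[0])
    print("join preserved:", orders_per_customer(customers, orders) == orders_per_customer(CUSTOMERS, ORDERS))
```

Two things to take from it. First, the same key gives the same tokens in both tables, so the test database keeps its referential integrity, while a different key gives unrelated tokens, so the key is exactly the thing that must stay out of the test environment. Second, only the direct identifiers were touched: country, amounts and dates are still there, can still single people out, and that is the utility-versus-anonymity trade-off the paragraph asks about.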

In order to control the flow of personal data, they are starting to realise that you need to think about how the business process flows, across internal operations and processors. What do your processor agreements look like? Have you placed strong requirements, in the form of SLOs and metrics, into your contracts?

And in order to achieve data protection by design and by default, every employee needs to know what personal data is, what processing is, and why they should care. This is needed in order to capture ‘invisible personal data’: personal data that is being collected and processed by employees who don’t even know they are doing it wrong.

The challenges are multifaceted, and every company has different priorities depending on their business and how they have evolved. For example, why spend time getting legal to review 100 contracts for GDPR compliance, when maybe you should be looking at how your business grew? Was it through acquisitions? In that case maybe it’s time to take a central governance approach to how you do business from here on.

GDPR is a change management journey, it is about people, processes, and in the best situations, it’s about empowerment of every individual, and every nuance of business operations. It is enablement. It is a time to think new, and do it right!

Did you know that privacy is a human right?

Quote from a LinkedIn feed:

Has anyone written a LinkedIn/Medium-post on why GDPR is a waste of billions of euros and will be the equivalent of the “I accept cookies” button on every website or do I need to write it myself?

I responded, of course, commuting between places with nothing better to do. A Privasee partner had shared it privately with me, so I felt a duty to respond. But how to respond to someone who is clearly quite clueless without getting dragged into a stupid discussion? I decided to start with the basics. So my response was:

GDPR enforces the rights of the individual. It is to bring to law something which has been declared as a human right (Human Rights Declaration, Article 12) a right to a private life. This hasn’t answered your question, but maybe has given you a new perspective?

So if you end up getting dragged into these kinds of stupid threads, you could be kind enough to remind people that the heart of the GDPR is ‘a right to a private life’. There are still some countries globally which do not have privacy laws, and their citizens do not have this basic right.


To be liked

Somebody very old and wise told me more than 30 years ago: “Karen, it is better to be loved or hated than to be met with indifference”.

This gives me energy in difficult times, especially now, when I seem to inspire love, but sporadically strong hate. Still, I feel the hate more than the love. Hate makes me feel I have failed. I still don’t understand how people can feel so.

What is a GDPR expert?

First, there is no such thing as a ‘GDPR expert’ per se. I like to call myself a ‘GDPR Practitioner’, because this is what I do!

I do get called an expert from others, including Privasee marketing 😉

The fact, as I’ve said a hundred times, is that I know enough to know when to call in other experts, e.g. legal, ITIL/ITSM, Six Sigma, test data management, infosec, etc., because there is a load of work that can be done without GDPR expertise, just to get the groundwork right.

This is great, because there is no shortage of these competences, at least not compared with GDPR competences, and they are less expensive. Although maybe they will soon figure out how important they are to GDPR compliance and start upping their rates 😉

Of course there is loads of GDPR specific work that needs to be done too, but you’d be surprised how much you could fix yourself with just a little guidance from a GDPR Practitioner 😉

CIPT training

Last week, at the request of JUC in Denmark, I delivered two days of Certified Information Privacy Technologist (CIPT) training, created by the International Association of Privacy Professionals (IAPP).

It was the first time I had delivered this training; previously I’ve delivered the CIPP/E, which is the privacy training specific to the EU. What I’ve noticed is that if I deliver this training to learners who are predominantly business, IT and security, it works great. I do great!

On the other hand, if they are purely legal, it does not work optimally. Even though I’m pretty legal-savvy for a non-legal professional, legal professionals have a different mindset. They have a different focus on what is important to them, often at a legal depth, in places where I’ve never been. I know enough to know when I need to call in legal, but I’m not a legal geek.

Now, delivery of the CIPT was great fun. The room was full of IT guys, and a couple of ladies, one with a legal focus, who worked a lot across business operations. As a trainer, I felt that this was a great IT privacy training. It was a little too US-focused, of course, with IAPP, but I actually had lots of fun during the two days delivering this content. It was just an awesomely fun two days for us all!