Workshop helps Bermuda cope with data access requests
When data protection legislation came into force in the United Kingdom in 2018, some companies were overwhelmed by requests for personal data files.
The European Union’s General Data Protection Regulation and the United Kingdom’s Data Protection Act guarantee an individual’s right to request access, in a timely manner, to any personal records an organisation keeps on them.
At the time, Bermudian Taheera Lovell was working for a large UK university.
“They were getting at least 50 access requests a day,” she said. “They struggled to cope.”
Today, Ms Lovell is chief executive officer of The TLC Group, a company operating in Bermuda and the UK that offers privacy and tech-related courses.
She worries that when the 2016 Personal Information Protection Act comes into effect, giving Bermudians similar personal data access rights, local entities will also be overwhelmed.
“The Privacy Commissioner in Bermuda is doing community sessions to tell people that these rights exist,” Ms Lovell said. “It is likely that once people know their rights, more private entities will get access requests.”
To help local companies prepare, The TLC Group will be holding a virtual workshop tomorrow on managing access requests.
Ms Lovell recounted how, when the EU GDPR and UK DPA began operating, she requested her data from several companies, mostly out of curiosity.
“Some organisations responded promptly and others didn't have a process in place or were overwhelmed with other access requests and did not respond according to the GDPR stipulations,” she said.
She was shocked to find that one company still held her credit card details including her CVC code and expiration date, even though she was no longer a client. She requested they destroy that information.
Under the regulations, an organisation has to have a lawful basis for keeping data on a person. If it cannot justify that basis, the individual has a right to request that the data be removed or its use restricted.
“A current employee can ask to see what is in their human resource file, for example,” Ms Lovell said. “That could include e-mails communicated by the manager about a staff member.”
But the legislation also prevents information about other people from being revealed through an access request. The company or organisation has to make sure that other individuals’ names and e-mails are removed. In a large entity that might be simple, but in a small company with a handful of employees it becomes more complicated.
Ms Lovell said to deal with this, some companies have enacted strict procedures about what goes into a human resource file.
“They have said that unless it is part of a performance review very specifically, personal opinions do not go in a human resource file,” Ms Lovell said.
To cope with access requests, an organisation can appoint a privacy or data protection officer, but staff at every level need to understand what an access request is.
Ms Lovell said that some companies had been caught out because a receptionist taking a call about an access request misunderstood and sent the person their last bill instead of their file.
“That is not what an access request is,” Ms Lovell said. “Their file could include any notes in CRM. It could include any financial information and personal information. All of that would be included in an access request.”
She said local companies that do a lot of business with the EU and UK will probably be better prepared for PIPA than those that do not, because they have already been dealing with UK DPA and EU GDPR requirements for several years.
Ms Lovell said organisations also had to be careful to verify the identity of the person making the access request.
“If an organisation does not have strong vetting procedures to make sure the requester is who they say they are, they could inadvertently give personal information to the wrong person,” she said.
Under PIPA, local organisations will be able to charge a “reasonable” fee for access requests.
“They would have to justify what they charge,” she said. “In the EU under GDPR, there is no fee unless there are excessive requests from one individual.”
Ms Lovell said no one really knew when PIPA would finally be enacted.
“That will be up to the government of the day and the Privacy Commissioner to decide,” she said. “But there is a big privacy conference next year in Bermuda. It would be nice to see us have something in place before that.”
The access request workshop will be tomorrow from 10am to 11am via Zoom. The cost is $150 per person. The event is aimed at privacy officers and managers.
“This workshop can be considered a ‘must attend’ for any organisation holding people's information to make sure they have a good understanding of the policies, procedures and best practices required to manage access requests efficiently,” Ms Lovell said.
To sign up for the workshop go to www.thetlcgroup.pro/accessrequestsworkshop.