Workshop helps Bermuda deal with data access requests – The Royal Gazette

Updated: May 13, 2022 08:04

Taheera Lovell of The TLC Group (Photograph provided)

When data protection legislation came into effect in the UK in 2018, some businesses were overwhelmed with requests for personal data files.

The European Union’s General Data Protection Regulation and UK Data Protection Act guarantee the right of an individual to request access to any personal records an organization maintains about them, in a timely manner.

At the time, Bermudian Taheera Lovell was working for a major British university.

“They were getting at least 50 access requests a day,” she said. “They struggled to cope.”

Today, Ms Lovell is Managing Director of The TLC Group, a company operating in Bermuda and the UK, which offers courses related to privacy and technology.

She fears that when the Personal Information Protection Act 2016 comes into force, granting Bermudians similar personal data access rights, local entities will also be overwhelmed.

“Bermuda’s Privacy Commissioner is holding community sessions to tell people that these rights exist,” Ms Lovell said. “It is likely that once people know their rights, more private entities will receive access requests.”

To help local businesses prepare, The TLC Group is hosting a virtual workshop on managing access requests tomorrow.

Ms Lovell recounted how, when the EU’s GDPR and the UK’s DPA came into effect, she requested her data from several companies, mostly out of curiosity.

“Some organizations responded quickly and others did not have a process in place or were overwhelmed with other access requests and did not respond in accordance with GDPR stipulations,” she said.

She was shocked to find that a company still had her credit card details, including her CVC code and expiration date, even though she was no longer a customer. She asked that they destroy this information.

Under the regulations, an organization must have a legal basis to retain data about an individual. If it cannot justify retention, the individual has the right to request that the data be deleted or its use restricted.

“A current employee can ask to see what’s in their HR file, for example,” Ms Lovell said. “This could include emails communicated by the manager about a member of staff.”

But the law also prevents information about other people from being revealed through an access request. The business or organization should ensure that other people’s names and emails are removed before the file is released. In a large entity this redaction may be simple, but in a small company with a handful of employees it becomes more complicated, because the remaining context can still identify colleagues.

Ms Lovell said that to deal with this, some companies have strict procedures in place on what goes into an HR file.

“They said that unless it’s part of a very specific performance review, personal opinions don’t go into an HR file,” Ms Lovell said.

To deal with access requests, an organization can appoint a privacy or data protection officer, but staff at all levels need to understand access requests.

Ms Lovell said some companies have been caught off guard because a receptionist taking a call about an access request misunderstood and sent the person their last invoice instead of their file.

“That’s not what an access request is,” Ms Lovell said. “Their file could include all the notes in CRM. This could include financial information and personal information. All of this would be included in an access request.”

She said local businesses that do a lot of business with the EU and UK are likely to be better prepared for PIPA than those that don’t, as they have already been dealing with the UK DPA and EU GDPR rules for several years.

Ms Lovell said organizations should also be careful to verify the identity of the person making the access request.

“If an organization doesn’t have strong verification procedures in place to ensure the applicant is who they say they are, they could inadvertently give personal information to the wrong person,” she said.

Under PIPA, local organizations will be able to charge “reasonable” fees for access requests.

“They should justify what they charge,” she said. “In the EU under GDPR, there are no charges unless there are excessive demands from an individual.”

Ms Lovell said no one was sure when PIPA would finally be enacted.

“It will be up to the government of the day and the privacy commissioner to decide,” she said. “But there’s a big privacy conference next year in Bermuda. It would be nice to see us have something in place before that.”

The access request workshop will take place tomorrow from 10 a.m. to 11 a.m. via Zoom. The cost is $150 per person. The event is aimed at privacy officers and managers.

“This workshop can be considered a ‘must do’ for any organization holding information about people to ensure they fully understand the policies, procedures and best practices needed to effectively manage access requests,” Ms Lovell said.

To register for the workshop, go to www.thetlcgroup.pro/accessrequestsworkshop.