UK GDPR and the Recovery Sector, people v process

Back in 2018, the Guardian wrote an article New Europe law makes it easy to find out what your boss has said about you.  The piece went on to state “If an employee files a “subject access request” – an email, fax or letter asking for their personal data – their employer will have to collate a cache of all the information stored about that person; this includes any email that refers to the worker, as well as performance reviews, job interviews, payroll records, absence records, disciplinary records, computer access logs, CCTV footage, and recordings of phone calls to, from or about the person”.

Three years on from its appearance, it is clear that GDPR or UKGDPR is still an issue for organisations, especially those in the recovery sector whose primary focus is the person and the person’s wellbeing.

“We were recommended to TalkRisk Ltd through one of our legal partners to assist with the issue of GDPR.  in short, TalkRisk has helped us to comply with GDPR with regards to processes and approaches to storing and sharing personal data and managing events like a subject access requests. We found them collaborative and useful to have in our corner”. Abbeycare Scotland.

GDPR and Recovery services almost always seem at odds with each other.  Fundamentally , they  are aimed at individuals who are trying to change their life or at least arrest a habit which has become a problem in their lives which involves having to consider the personal data rights seems to be at odds with the human element.

The difficulty is this: the organisation dealing with individuals at a delicate point in their journey are not always focused on the processes that support that person’s legal right to access personal data.

According to David Reilly, director at TalkRisk Ltd “ After working with a number of organisations that provide recovery services, the three key areas of concern include,

  • how to store personal data safety
  • how to share personal data safety
  • how best to dealing with subject access requests

He continues, “after intimately working with a person, a lack of process with regards to personal data (GDPR), can lead to all sorts of difficulties as professionals retrospectively try to protect their organisation, especially when a subject access request is submitted as this usually comes from an ex-employee or resident or a person who received support from their organisation”.

To talk to someone about how best to approach GDPR or how to handle Subject Access Requests well, get in touch.


Would you like to chat through your options and get your queries answered? Arrange a call with David using the calendar below and he will be delighted to connect with you.