A customer calls asking for details about how they are registered in your company’s database so they can make sure their information is updated. You get a phone call from a business partner who needs to contact your colleague and asks you to check her calendar to see when she’s free. Although in essence quite different, both of these scenarios are requests to access personal data.

But what if the person requesting access to personal data isn’t who he or she claims to be? In general, there are two things you must consider when asked to give out somebody’s personal information: the identity of the person asking for the data, and whether they have the right to access that data. The technical term for this is “access control.” Various access control examples can be found in security systems in password-coded doors, fob-controlled gates, badges, biometric systems, motion detectors, and so forth.

 …