What the GDPR means for HR 1 hour Gary Shipsey | Managing - - PowerPoint PPT Presentation



SLIDE 1

Tick this data protection box? What the GDPR means for HR

1 hour

May 2017

Gary Shipsey | Managing Director

SLIDE 2

Choose one of the following audio options

Your computer audio: when the webinar begins, you will be connected to audio using your computer's microphone and speakers (VoIP). A headset is recommended. Problems? If you are having trouble hearing me, please let me know by typing in here.

Your telephone: if you prefer to use your phone, you must select "Use Telephone" and call in using the numbers below:

  • +44 (0) 20 3713 5012
  • Access Code: 368-226-253
  • Audio PIN: shown after joining the webinar
  • Webinar ID: 704-594-907

SLIDE 3

Does your college have the governance, policies and training records to support your employees?

  • 1. What’s changing…and what’s not?
  • 2. Can you still rely on consent? And if not, what can you rely on?
  • 3. What changes need to be made to your privacy policies / notices?
  • 4. How should you handle a request to delete personal data?
  • 5. Can you meet the GDPR’s increased Subject Access and data portability provisions?
  • 6. How will you manage mandatory breach reporting – and the related disciplinary issues?

SLIDE 4

  • 1. What’s changing…and what’s not?

Our College Name Data Protection Policy

“Our policy is to comply with the

SLIDE 5

  • 1. What’s changing…and what’s not?

[you] shall be responsible for and be able to demonstrate compliance with the principles

[Art. 5(2)]

Health Warning: Derogations

Article 88 Processing in the context of employment

  • 1. Member States may….provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of:
    • the recruitment,
    • the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements,
    • management,
    • planning and organisation of work,
    • equality and diversity in the workplace,
    • health and safety at work,
    • protection of employer's or customer's property and
    • for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and
    • for the purpose of the termination of the employment relationship.
  • 2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.

SLIDE 6

  • 1. What’s changing…and what’s not?
SLIDE 7

  • 1. What’s changing…and what’s not?
  • Art. 37-39

Data Protection Officer

Any organisation can appoint a DPO. Regardless…you must ensure you have sufficient staff and skills to discharge your obligations under the GDPR…

A DPO is mandatory where you:

  • carry out large scale systematic monitoring of individuals (e.g. online behaviour tracking);
  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

Can appoint a single DPO to act for a group of companies / group of public authorities.
SLIDE 8

  • 1. What’s changing…and what’s not?

Existing employee (if professional duties are compatible with DPO duties / no conflict of interests) or contract out externally.

Minimum tasks:

  • Inform and advise
  • Monitor compliance (managing internal DP activities, advise on DPIAs; train staff and conduct internal audits).
  • First point of contact for ICO and individuals

Employer duties:

  • DPO reports to the highest management level.
  • DPO operates independently (not sacked/penalised for doing job).
  • DPO has adequate resources so they can meet their obligations.
SLIDE 9

  • 1. What’s changing…and what’s not?

[you] shall be responsible for and be able to demonstrate compliance with the principles

[Art. 5(2)]

Notification → Records of processing activities

[Art. 30]

[you] shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation…. shall include the implementation of appropriate…policies…

[Art. 24(1)+(2)]
SLIDE 10

  • 1. What’s changing…and what’s not?

Personal data: any information relating to an identified or identifiable* natural person …one who can be identified, directly or indirectly, …such as a name, an [ID] number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Art 4 (1)

* Consider “all the means reasonably likely to be used…either by the controller or by another person to identify [them] directly or indirectly.”

Recital 26
SLIDE 11

  • 1. What’s changing…and what’s not?

Sensitive personal data = special categories of personal data

  • 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
  • 2. Paragraph 1 shall not apply if one of the following applies:

Art 9
SLIDE 12

2. Can you still rely on consent? And if not, what can you rely on?

HR

SLIDE 13

2. Can you still rely on consent? And if not, what can you rely on?

A. Purpose

DPA 1998: “…obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

GDPR: “…collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”

SLIDE 14

2. Can you still rely on consent? And if not, what can you rely on?

“HR purposes” ??

Management of staff:

  • 1. Recruitment
  • 2. Payroll*
  • 3. Pension*
  • 4. Performance
  • 5. Disciplinary
  • 6. Welfare (Occupational health)*
  • 7. Benefits (vouchers, healthcare, helpline)*

Provision of student services:

  • 1. Performance
  • 2. Attendance
  • 3. Welfare
  • 4. Careers

Direct Marketing(?)

  • Alumni / Development services
  • Benefits – via 3rd party?

SLIDE 15

2. Can you still rely on consent? And if not, what can you rely on?

B. Lawfulness

Document lawful basis for each purpose: Legal requirements | Consent | Legitimate interests | Contractual requirement

Linked to individual rights e.g. can someone

  • withdraw their consent?
  • object?
  • insist on erasure?

SLIDE 16

2. Can you still rely on consent? And if not, what can you rely on?

Legal requirements | Consent | Legitimate interests | Contractual requirement

“Dear HR / payroll… I withdraw my consent to your processing of my data. It causes me significant distress, especially your sharing it with HMRC, leading to removal of cash from my salary.”

SLIDE 17

2. Can you still rely on consent? And if not, what can you rely on?

Consent | Legitimate interests | Legal requirements | Contractual requirement

“consent here or else” (enforced consent)

SLIDE 18

2. Can you still rely on consent? And if not, what can you rely on?

Consent: any freely given, specific, informed and unambiguous indication of [their] wishes…[either] by a statement or by a clear affirmative action

Art 4 (11)

…given consent to the processing…for one or more specific purposes

Art 6 (1)(a)

SLIDE 19

2. Can you still rely on consent? And if not, what can you rely on?

…the right to withdraw [their] consent at any time. [This] shall not affect the lawfulness of processing based on consent before its withdrawal.

Art 7 (3)

…[you] shall be able to demonstrate that [they] consented

Art 7 (1)

…should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Recital 42

SLIDE 20

2. Can you still rely on consent? And if not, what can you rely on?

Consent | Legitimate interests | Legal requirements

“consent here or else” (enforced consent)

Contractual requirement

  • Terms and Conditions of employment
  • H&S@Work
  • E&D
  • Tax
  • Pension

SLIDE 21

3. What changes need to be made to your privacy policies / notices?

C. Fairness / Transparency

Q: Is there any difference between getting consent and being transparent?

A: Yes. “…fundamental difference between telling a person how you’re going to use their personal information and getting their consent [to do it].”

SLIDE 22

3. What changes need to be made to your privacy policies / notices?

SLIDE 23

3. What changes need to be made to your privacy policies / notices?

  • A. the identity of the data controller,
  • B. if he has nominated a representative for the purposes of this Act, the identity of that representative,
  • C. the purpose or purposes for which the data are intended to be processed, and
  • D. any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

SLIDE 24

3. What changes need to be made to your privacy policies / notices?

Tell them… Directly / Indirectly

SLIDE 25

3. What changes need to be made to your privacy policies / notices?

Tell them… Directly / Indirectly

SLIDE 26

3. What changes need to be made to your privacy policies / notices?

Employee Notice / Student Notice

  • House-style language
  • Just-in-time notices
  • Many notices, at appropriate times
  • Awareness of employee monitoring (note: need process for authorising employee monitoring)

SLIDE 27

4. How should you handle a request to delete personal data?

Rectification: …obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her

  • Art. 16

If disclosed the personal data to third parties, must inform them of update….

  • Art. 19

SLIDE 28

4. How should you handle a request to delete personal data?

Erasure (“right to be forgotten”): …the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies….

  • Art. 17

  • a) data are no longer necessary (for the purposes for which they were collected / processed)
  • b) withdraws consent…and there is no other legal ground for the processing
  • c) objects to the processing…and there are no overriding legitimate grounds for the processing

SLIDE 29

5. Can you meet the GDPR’s increased Subject Access and data portability provisions?

Subject Access Requests

  • Free
  • One month
  • Electronic request = electronic response
  • Best practice: provide secure self-service

…in order to be aware of, and verify, the lawfulness of the processing.

Recital 63 / Article 15

Clear process – reviewing (and balancing third party interests / applying exemptions). Finding accurate information = records management (rude emails).

SLIDE 30

5. Can you meet the GDPR’s increased Subject Access and data portability provisions?

Data portability: obtain and reuse your personal data for your own purposes. Grades / attendance / performance / pensions data / training record / entry logs?

Only applies to:

  • personal data they provided to you
  • where processing is based on their consent or performance of a contract
  • where processing is automated

e.g.:

  • Free
  • CSV / machine readable format
  • Exchange DC to DC if technically possible

SLIDE 31

6. How will you manage mandatory breach reporting – and the related disciplinary issues?

Mandatory Breach Notification

Without undue delay… not later than 72 hours

  • [Art. 33(1)] to the supervisory authority (ICO): if likely to “…result in a risk to” person’s rights/freedoms
  • [Art. 34(1)] to the individual: if likely to “…result in a high risk” to person’s rights/freedoms

SLIDE 32

6. How will you manage mandatory breach reporting – and the related disciplinary issues?

Staff awareness + Internal reporting and incident management procedures + Assessment of risk / external reporting + Disciplinary process / proof

SLIDE 33

Does your college have the governance, policies and training records to support your employees?

  • [Art. 83(4)] 10m Euro / up to 2% total worldwide annual turnover
  • [Art. 83(5)] 20m Euro / up to 4% total worldwide annual turnover
  • [Art. 82(1)] Right to compensation: suffered material or non-material damage

SLIDE 34

NOT an HR issue alone. Top down, organisation wide:

  • IT (“appropriate technical and organisational measures”)
  • Procurement (Data Processors)
  • Facilities (Physical security)
  • Operations (delivery of policies in practice)

  • Accountability – who should be your DP lead (DPO if PA)?
  • Cultural change
  • Risk-based decision making – evidence of informed decisions
  • “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons…”

SLIDE 35

Processes / Training

  • Data Protection by Design and by Default
  • Disclosure procedures (e.g. DWP; Immigration; Police)
  • Must be effective: ticking the 'done training' box not enough if not absorbed + applied

SLIDE 36

Newsletters

  • Insights
  • Events
  • Services

020 3691 5731 | @protectureDPO | www.protecture.org.uk

SLIDE 37

“…you need to make sure you’re following the law as it stands – which is a blueprint for responsible data practices. Shine your own light on your services and projects. Demonstrate to customers how you’re following the law. And then stand ready to demonstrate your program to my office.”

Elizabeth Denham, Information Commissioner, September 2016

SLIDE 38

For those with responsibility for data protection compliance across your organisation.

Our service supports you to deliver compliance. Preparing for the GDPR | Audit | Training | Policies | Entry to our seminars | Ad-hoc advice | DP Impact Assessments | IRMS Retention Toolkit

We are your DPO's DPO