Data Protection: What’s new about The General Data Protection Regulation (GDPR) May 2018? www.thehrspecialists.co.uk Call Kerry on 01279 814888 or email kerry@thehrspecialists.co.uk


Introduction
Personal data needs to be protected; you should already be complying with current data protection legislation. The new GDPR will add to those regulations and will come into force in May 2018.

The Information Commissioner’s Office (ICO)
The ICO has created a 12-step readiness plan. The 12 steps are:
1. Awareness among key decision makers
2. Document what personal information you hold
3. Communicate and amend your privacy notices
4. Check procedures for individuals’ rights, e.g. deleting and providing electronic access to information
5. Handle subject access requests within the new timescales
6. Update your lawful basis for holding personal data through privacy policies
7. Refresh existing consent processes to meet the new GDPR standard
8. Verify ages if you have any under-18s in the workforce, as new rules apply
9. Ensure the right procedures are in place to detect, report and investigate data breaches
10. Be familiar with the ICO code of practice on Privacy Impact Assessments
11. Designate someone senior to take responsibility for data protection compliance
12. If your organisation operates across EU borders and personal data is processed across borders, identify the lead data protection authority

What is personal information?
Any information you hold relating to an identified or identifiable person.

Special category data
There is also a distinction between personal data and special category data, which includes:
• Racial or ethnic origin
• Political opinion
• Religious/philosophical beliefs
• Trade union membership
• Physical or mental health or condition
• Sexual life or sexual orientation

Employee rights
Ensure that the rights of people about whom information is held can be fully exercised under the GDPR 2018. These rights include:
• The right to be informed
• The right of access to personal information
• The right to request rectification
• The right to request erasure
• The right to restrict processing in certain circumstances
• The right to data portability
• The right to object to processing
The Principles of Data Protection

The 6 principles
Anyone processing personal data must comply with 6 principles of good practice. These principles are legally enforceable.
1. Lawful, fair and transparent processing of data
2. The purpose for which personal data is collected must be specified, explicit and legitimate, and the data must be processed in a manner that remains compatible with the initial purpose for which it was collected
3. The data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
4. Accurate data must be maintained
5. Data must be kept in a form which permits identification of data subjects for no longer than is necessary
6. Data must be processed in a manner that ensures appropriate security of the personal data

Data breaches
You will be required to notify the ICO of a breach where it is likely to result in a high risk to the rights and freedoms of individuals, i.e. a detrimental effect on an individual. Breaches must be reported within 72 hours of becoming aware of them (you will have a short window to investigate). If you do not have an action plan to rectify the breach you may face a fine. You have to notify individuals directly if there is a high risk to their rights and freedoms (the threshold for notifying individuals is higher).
What should you do?
• Train your staff to identify what constitutes a breach
• Create an internal breach procedure
• Create a breach notification form

What do you need to do – next steps
1. Appoint someone in the organisation to oversee the GDPR implementation
2. Create a Data Protection Impact Assessment (DPIA). A DPIA is effectively an audit or a map of:
• what personal data you hold
• where it is stored (is it in one location or across many locations and formats?)
• who it is shared with
• who processes it
• how the data is obtained and processed
• risk-reduction measures, such as whether you encrypt data
Then you can create a traffic-light action plan to work on the areas of risk within your organisation. Decide how you will hold all data going forward and whether changes are required, such as creating an online HR platform to securely hold your data if you don’t have one.

What do you need to do – next steps (continued)
3. Keep relevant records of your processes
4. Update your data security policies, plans and procedures, including your monitoring and privacy policies and procedures
5. Create a Privacy Impact Assessment (PIA) to identify and reduce privacy risks involved in projects and processes, for example recruitment processes or equality monitoring
6. Securely delete unnecessary data (seek advice from your HR representative if required)
7. Prepare a plan for handling subject access requests
8. Update your data consent form (separate from your contracts of employment) *Speak to your HR representative
9. Check whether your data goes across EU borders; if so, identify the supervisory authority

Data Protection Officer (DPO)
It won’t be a legal requirement for most small businesses to appoint a DPO, but it will be beneficial to appoint a senior responsible person for the data obligations. If you do appoint a DPO, it can be an internal or external person. Their tasks should include:
• Informing and advising the organisation and its employees about their obligations to comply with GDPR
• Monitoring your compliance with GDPR (including advising on impact assessments)
• Training staff and conducting internal audits
• Being the first point of contact for individuals and authorities
• Managing responses to subject access requests
• Creating a data breach policy/plan and managing communication and notification of breaches
• Staying up to date with developments on GDPR and codes of practice

Finally: communicate to employees
Under the regulations the rights of individuals are extended to give them more control over their own data. Explain to employees:
• The 6 data protection principles
• What is personal data
• What is sensitive/special category data
• What happens during processing of data
• What data controllers and data processors are
• How their data is filed, e.g. manually (and where) or on a centralised automated HR system
• How to make a subject access request and what they are entitled to request
• Data breaches
• What the organisation is doing to meet GDPR
www.thehrspecialists.co.uk Call Kerry on 01279 814888 or email kerry@thehrspecialists.co.uk