5 THINGS HR MUST DO IN THE ROLE OF THE DATA PROTECTION OFFICER - PowerPoint PPT Presentation

  1. 5 THINGS HR MUST DO IN THE ROLE OF THE DATA PROTECTION OFFICER
     Gillian Acheson – Data Protection
     Deirdre Allison – Records Management
     Yearn2Learn Training

  2. GENERAL DATA PROTECTION REGULATION – What is it?
     • GDPR represents the most significant shift in European data protection legislation since the Data Protection Directive.
     • It will harmonise data protection laws throughout the EU.
     • It will replace the Data Protection Act 1998.
     • It applies from 25 May 2018.
     • The current Data Protection Bill, which will become the Data Protection Act 2018, fills the gaps in GDPR, addressing areas in which flexibility and derogations are permitted.
     • The UK’s decision to leave the EU will not affect the commencement of the legislation.

  3. TOP 5 THINGS HR MUST DO
     1. Know the legislation – what is the impact on your organisation?
     2. Understand the role of a Data Protection Officer.
     3. Know what information you hold.
     4. Understand what ‘accountable’ means.
     5. Develop an action plan to meet the key tasks to be carried out.

  4. 2. UNDERSTAND THE ROLE OF THE DATA PROTECTION OFFICER
     Which organisations are required to appoint a DPO? (Article 37(1))
     The GDPR requires the designation of a DPO in three specific cases:
     • where the processing is carried out by a public authority or body (irrespective of what data is being processed);
     • where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
     • where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

  5. FREQUENTLY ASKED QUESTIONS
     • Can organisations appoint a DPO jointly? – ‘easily accessible from each establishment’
     • Can organisations appoint an external DPO? – ‘fulfil the tasks on the basis of a service contract’
     • What professional qualities should a DPO have? (Article 37(5)) – ‘Shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’
     • Who cannot be the DPO? – The DPO cannot be someone who determines the purposes and the means of processing of personal data.

  6. POSITION OF THE DPO
     • Involvement in all issues relating to the protection of personal data
     • Opinion of the DPO must be given due weight
     • DPO consulted promptly once a data breach occurs
     • Must be given the necessary resources (Article 38(2))
     • Acts in an independent manner
     • Must report directly to the ‘highest level of management’ within the organisation

  7. DATA PROTECTION OFFICER ROLE TASKS

  8. 3. KNOW WHAT INFORMATION YOU HOLD
     Information Asset Register columns: Asset number or ID | Name of asset | What does it do | Personal data | Risks / impact | Key asset | Location | Owner | Volume | Access | Shared | Format | Retention
     An Information Asset Register (IAR) is a simple way to help you understand and manage your organisation’s information assets and the risks to them. It is important to know and fully understand what information you hold in order to protect it and be able to exploit its potential.
     • What does your organisation do?
     • What information do you have?
     • Where is your information kept?
     • Do you have duplicate information?
     • Document what you know.
     • Keep it up to date.
     • Use self assessments.

  9. 4. ACCOUNTABILITY

  10. ACCOUNTABILITY (CONTINUED)
     • Documentation is a new requirement under the GDPR. Records must be kept on processing purposes, data sharing, and retention.
     • It will require internal records of your processing activities.
     • It is your obligation to ensure (and demonstrate) that what you do with people’s personal data is in line with the GDPR.
     • Article 30 sets out the different types of information you need to document, including the purposes of processing, categories of personal data and recipients of personal data.
     • You can use your existing register entry for the 1998 Act as a basis from which to create your record of processing activities.

  11. 5. DEVELOPMENT OF AN ACTION PLAN
     • Documenting your processing activities – it is a legal requirement. As a key element of the accountability principle, documenting your processing activities can also help you to ensure (and demonstrate) your compliance with other aspects of the GDPR.
     • Drafting your privacy notice – much of the information you have to document is very similar to what you need to tell people in your privacy notice.
     • Responding to access requests – knowing what personal data is held and where it is will help you to efficiently handle requests from individuals for access to their information.
     • Taking stock of your processing activities – this will make it much easier to address other matters under the GDPR, such as ensuring that the personal data you hold is relevant, up to date and secure.
     • Improving data governance – highlighting and addressing data protection matters through documentation will support good practice in data governance. This can give you assurance as to data quality, completeness and provenance.
     • Increasing business efficiency – knowing what personal data is held, why it is held and for how long will help to develop more effective and streamlined business processes.
     • Data breaches – how does your organisation deal with data breaches?
     • Training – how will your organisation train staff to reduce data governance incidents occurring?

  12. ADDITIONAL RESOURCES
     • Legal-Island’s GDPR eLearning for all employees. For free access and a 25% discount, contact Debbie@legal-island.com
     • Yearn2Learn (an ILM Recognised Provider) event: ‘I’m the new Data Protection Officer – the First 100 Days’
       Date: Tuesday 24 April 2018
       Time: 10.00 – 4.30 pm (Registration 9.30)
       Venue: Children in NI (CINI)
       Cost: £169.00 per person
       To book, contact dallison.yearn2learn@live.co.uk or Tel: 07761586390

  13. CONTACTS
     Yearn2Learn are an ILM Recognised Provider and an Accredited Member of IRMS (Information & Records Management Society) UK and ROI.
     For further information, or to arrange a site visit for advice, guidance or support, contact:
     • Deirdre Allison – dallison.yearn2learn@live.co.uk, Tel: 07761586390
     • Gillian Acheson – gacheson.yearn2learn@outlook.com
     Visit our website at www.yearn2learntraining.com
