GDPR – 5 things HR Must Do! YEARN2LEARN TRAINING, GILLIAN ACHESON, DEIRDRE ALLISON
GENERAL DATA PROTECTION REGULATION – What is it?
• GDPR represents the most significant shift in European data protection legislation since the Data Protection Directive
• Will harmonise data protection laws throughout the EU
• Will replace the Data Protection Act 1998
• Applies from 25 May 2018
• The UK’s decision to leave the EU will not affect the commencement of the legislation.
HR’S 5 STEPS TO GDPR
1. Know what information you hold
2. Manage data breaches
3. Be aware of the increased rights of employees
4. Ensure accountability
5. Make staff aware – 122 days to go and counting!
1. KNOW WHAT DATA YOU HOLD
• What personal data you process
• Why you process it
• How it is processed and who processes it
• Importantly, the legal basis used to justify the processing
You may need to think about:
• Privacy notices
• Reviewing the information collected
• An information asset audit
• Looking at the data protection principles, underpinned by accountability
• If you use data processors, their responsibilities are enhanced
PRIVACY NOTICES
INFORMATION ASSET AUDIT TEMPLATE
Columns in the template:
• Asset number or ID
• Name of asset
• What does it do
• Volume
• Personal data
• Key asset
• Location
• Owner
• Access
• Shared
• Format
• Retention
• Risks / impact
Questions to answer:
• What does your organisation do?
• What information do you have?
• Where is your information kept?
• Do you have duplicate information?
Document what you know. Keep it up to date.
2. MANAGE PERSONAL DATA BREACHES
• A staff member was unable to format a spreadsheet at work. He sent it to his spouse for help, ultimately causing a data breach that could have exposed the personal data of 36,000 Boeing employees across four US states.
• In 2014, a leak of personal data by a former employee of Morrisons resulted in a lawsuit brought by 5,500 current and former Morrisons workers. In 2015 the employee was jailed for 8 years for fraud, securing unauthorised access to computer material and disclosing personal data.
BREACH MANAGEMENT
• GDPR introduces a general obligation to notify data breaches.
• As a rule, the employer must notify the regulator within 72 hours. If not, there has to be a justification for the delay.
• If the data breach relates to HR-related data, the employer must notify the affected employees without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
• Fines of up to €20m or 4% of annual worldwide turnover, whichever is greater!
• Training for staff is key to avoiding the significant fines that can be imposed.
3. BE AWARE OF INCREASED RIGHTS OF EMPLOYEES
• The GDPR significantly enhances the rights of data subjects.
• Employers will need to provide more detailed information as to how and why HR-related data is processed.
• Transparency as to the processing.
• Right of access to their data and a right to have inaccurate data rectified.
• Right to be forgotten – how will you achieve this?
• Changes to the subject access process include: no fee, and a reduction in the time allowed to process a request.
4. ENSURE ACCOUNTABILITY
• Companies must be able to demonstrate compliance.
• Shift from paper-based compliance to actual and demonstrated compliance.
• Appointment of a (mandatory) Data Protection Officer.
• Carrying out (mandatory) privacy impact assessments.
• Keeping records of all their processing activities.
5. MAKE STAFF AWARE
• Update relevant IG policies
• Build the requirements of GDPR into DP training
• Review your breach management protocols
• Involve staff in information asset audits
• Communicate through the intranet, IG news sheets etc.
RESOURCES AVAILABLE
• Preparing for the GDPR – 12 Steps to take now (updated)
• ICO Guidance: What to expect and when
• ICO – Conducting PIAs
• ICO – Privacy Notices
• Information asset audit – National Archives
• Outputs from the Article 29 Working Group
• ICO blog!
ADDITIONAL RESOURCES – GDPR EVENTS LOCALLY
Yearn2Learn
• Date: Wednesday 14 March 2018
• Time: 9.20 – 4.30 pm
• Venue: Belfast
• To book, contact dallison.yearn2learn@live.co.uk or Tel: 07761586390
Legal-Island (an ILM Recognised Provider)
• Date: Tuesday 30 January 2018
• Time: 9.30 – 4.30 pm (Registration 9.30)
• Venue: Belfast
• Early bird offer still available
• To book, visit www.legal-island.com, email Vanessa@Legal-Island.com or Tel: 02894463888
CONTACTS
Yearn2Learn
For further information, or to arrange a site visit for advice, guidance or support, contact:
• Deirdre Allison – dallison.yearn2learn@live.co.uk, Tel: 07761586390
• Gillian Acheson – gacheson.yearn2learn@outlook.com
Visit our website at www.yearn2learntraining.com
Legal-Island (an ILM Recognised Provider)
To claim 25% off data protection eLearning training or arrange FREE TRIAL access, contact debbie@legal-island.com or 028 9446 3888. The offer ends 5pm on 28th February.
Legal-Island Services
Employment Law Northern Ireland – Employment Law Hub
• Over 2,500 in-depth articles and case law reviews: www.legal-island.com/register
eLearning Modules
• Data Protection
• Equality & Diversity
• Child Safeguarding
• Cost-effective training for your whole organisation: www.legal-island.com/e-learning
Conferences & Workshops
• Check out our upcoming events: www.legal-island.com/events