Tick this data protection box? What the GDPR means for HR (1 hour)
Gary Shipsey | Managing Director
May 2017
1. What’s changing…and what’s not?
2. Can you still rely on consent? And if not, what can you rely on?
3. What changes need to be made to your privacy policies / notices?
4. How should you handle a request to delete personal data?
5. Can you meet the GDPR’s increased Subject Access and data portability provisions?
6. How will you manage mandatory breach reporting – and the related disciplinary issues?
Does your college have the governance, policies and training records to support your employees?
1. What’s changing…and what’s not?
Our College Name Data Protection Policy
“Our policy is to comply with the
Health Warning: Derogations
Article 88 – Processing in the context of employment
1. Member States may…provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of:
• the recruitment,
• the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements,
• management,
• planning and organisation of work,
• equality and diversity in the workplace,
• health and safety at work,
• protection of employer's or customer's property and
• for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.
[you] shall be responsible for and be able to demonstrate compliance with the principles [Art. 5(2)]
Data Protection Officer (Art. 37-39) – required for organisations that:
• are a public authority (except for courts acting in their judicial capacity);
• carry out large scale systematic monitoring of individuals (e.g. online behaviour tracking);
• carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Any organisation can appoint a DPO.
Can appoint a single DPO to act for a group of companies / group of public authorities.
Regardless…you must ensure you have sufficient staff and skills to discharge your obligations under the GDPR…
DPO minimum tasks:
• Inform and advise
• Monitor compliance (managing internal DP activities, advise on DPIAs; train staff and conduct internal audits).
• First point of contact for ICO and individuals
Employer duties:
• DPO reports to the highest management level.
• DPO operates independently (not sacked/penalised for doing job).
• DPO has adequate resources so they can meet their obligations.
Existing employee (if professional duties are compatible with DPO duties / no conflict of interests) or contract out externally.
[you] shall be responsible for and be able to demonstrate compliance with the principles [Art. 5(2)]
[you] shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation…. shall include the implementation of appropriate…policies … [Art. 24(1)+(2)]
Notification → Records of processing activities [Art. 30]
Personal data: any information relating to an identified or identifiable* natural person …one who can be identified, directly or indirectly, …such as a name, an [ID] number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; [Art 4(1)]
* Consider “all the means reasonably likely to be used…either by the controller or by another person to identify [them] directly or indirectly.” [Recital 26]
Sensitive personal data = special categories of personal data [Art 9]
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
2. Can you still rely on consent? And if not, what can you rely on?
A. Purpose
DPA 1998: “…obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”
GDPR: “…collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”
“HR purposes” ??
Provision of student services:
1. Performance
2. Attendance
3. Welfare
4. Careers
• Direct Marketing(?)
• Alumni / Development services
Management of staff:
1. Recruitment
2. Payroll*
3. Pension*
4. Performance
5. Disciplinary
6. Welfare (Occupational health)*
7. Benefits (vouchers, healthcare, helpline)*
* Benefits – via 3rd party?
B. Lawfulness
Document the lawful basis for each purpose.
Linked to individual rights, e.g. can someone:
• withdraw their consent?
• object?
• insist on erasure?
Lawful bases: Consent | Contractual requirement | Legal requirements | Legitimate interests
Dear HR / payroll…
I withdraw my consent to your processing of my data. It causes me significant distress, especially your sharing it with HMRC, leading to removal of cash from my salary.
“consent here or else” (enforced consent)
…given consent to the processing…for one or more specific purposes [Art 6(1)(a)]
any freely given, specific, informed and unambiguous indication of [their] wishes…[either] by a statement or by a clear affirmative action [Art 4(11)]
…[you] shall be able to demonstrate that [they] consented [Art 7(1)]
…the right to withdraw [their] consent at any time. [This] shall not affect the lawfulness of processing based on consent before its withdrawal. [Art 7(3)]
…should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. [Recital 42]
“consent here or else” = enforced consent:
• H&S@Work
• E&D
• Tax
• Pension
• Terms and Conditions of employment
3. What changes need to be made to your privacy policies / notices?
C. Fairness / Transparency
Q: Is there any difference between getting consent and being transparent?
A: Yes. “…fundamental difference between telling a person how you’re going to use their personal information and getting their consent [to do it].”
Fair processing information (DPA 1998):
A. the identity of the data controller,
B. if he has nominated a representative for the purposes of this Act, the identity of that representative,
C. the purpose or purposes for which the data are intended to be processed, and
D. any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
Tell them…
• Directly
• Indirectly