GDPR 5 things HR Must Do! YEARN2LEARN TRAINING, GILLIAN ACHESON, DEIRDRE ALLISON

Transcription

1 GDPR 5 things HR Must Do! YEARN2LEARN TRAINING, GILLIAN ACHESON, DEIRDRE ALLISON

2 GENERAL DATA PROTECTION REGULATION What is it? GDPR represents the most significant shift in European data protection legislation since the Data Protection Directive Will harmonise data protection laws throughout the EU Will replace the Data Protection Act 1998 Applies from 25 May 2018 UK s decision to leave the EU will not effect the commencement of the legislation.

3 HR S 5 STEPS TO GDPR 1. Know what information you hold 2. Manage Data Breaches 3. Be Aware of increased rights of employees 4. Ensure Accountability 5. Make staff aware 122 days to go and counting!

4 1. KNOW What data you hold? What personal data you process, Why you process it How and who processes it Importantly the legal basis used to qualify the processing May need to think about Privacy Notices Review information collected Information asset audit Looking at the data protection principles underpinned by accountability If you use data processors their responsibilities are enhanced

5 PRIVACY NOTICES

6 INFORMATION ASSET AUDIT TEMPLATE Asset number or ID Name of asset What does it do Location Owner Volume Personal data Access Shared Format Retention Risks / impact Key asset What does your organisation do? What information do you have? Where is your information kept? Do you have duplicate information? Document what you know. Keep it up to date.

7 2. MANAGE PERSONAL DATA BREACHES A staff member was unable to format a spreadsheet at work. He sent it to his spouse for help, ultimately causing a data breach that could have exposed the personal data of 36,000 Boeing employees in four states over America In 2014, a leak of personal data by a former employee of Morrisons resulted in a lawsuit brought by 5,500 current and former Morrisons workers. In 2015 the employee was jailed for 8 years for fraud, securing unauthorised access to computer material and disclosing personal data

8 BREACH MANAGEMENT GDPR introduces a general obligation to notify data breaches. As a rule it must notify the regulator within 72 hours. If not, there has to be a justification for this delay. If the data breach relates to HR-related data, the employer must notify the affected employees without undue delay if the breach is likely to result in a high risk to his/her rights and freedoms. Fines up to 20m or 4% of annual worldwide turnover, whichever is greater! Training for staff is key to avoid the significant fines that can be imposed

9 3. BE AWARE OF INCREASED RIGHTS OF EMPLOYEES The GDPR significantly enhances the rights of data subjects. Employers will need to provide more detailed information as to how and why HR related data is processed Transparency as to the processing Right of access to their data and a right to have inaccurate data rectified Right to be forgotten how will you achieve this? Changes to the subject access process includes:- No fee, reduction in time taken to process request

10 4. ENSURE ACCOUNTABILITY Companies must be able to demonstrate compliance Shift from paper-based compliance to actual and demonstrated compliance. Appointment of a (mandatory) Data Protection Officer, Carrying out (mandatory) privacy impact assessments Keeping records of all their processing activities.

11 5. Make Staff Aware Update relevant IG Polices Build requirements of GDPR into DP training Review your breach management protocols Involve staff in information asset audits Communication through intranet, IG newssheets etc

12 RESOURCES AVAILABLE Preparing for the GDPR 12 Steps to take now (updated) ICO Guidance: What to expect and When ICO - Conducting PIA ICO - Privacy Notices Information asset audit National Archives Outputs from the Article 29 Working Group ICO blog!

13 ADDITIONAL RESOURCES - GDPR EVENTS LOCALLY Yearn2Learn an ILM Recognised Provider Legal-Island Date: Tuesday 30 January 2018 Time: pm (Registration 9.30) Venue: Belfast Date: Wednesday 14 March 2018 Time: pm Venue: Belfast To book, contact dallison.yearn2learn@live.co.uk or Tel: Early bird offer still available To book, visit Vanessa@Legal-Island.com or Tel:

14 CONTACTS Yearn2Learn an ILM Recognised Provider Legal-Island For further information or to arrange a site visit for advice, guidance or support, contact: Deirdre Allison dallison.yearn2learn@live.co.uk Tel: Gillian Acheson gacheson.yearn2learn@outlook.com To claim 25% off data protection elearning training or arrange FREE TRIAL access contact debbie@legalisland.com. Or The offer ends 5pm on 28th February. Visit our website at

15 Legal-Island Services Employment Law Conferences & Workshops Check out our upcoming events: Northern Ireland Employment Law Hub Over 2,500 in-depth articles and case law reviews: elearning Modules Data Protection Equality & Diversity Child Safeguarding Cost-effective training for your whole organisation: