How employers should comply with GDPR

Similar documents
Guidance on the General Data Protection Regulation: (1) Getting started

EU General Data Protection Regulation (GDPR)

The Sage quick start guide for businesses

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

St Mark s Church of England Academy Data Protection Policy

EU GENERAL DATA PROTECTION REGULATION

A Parish Guide to the General Data Protection Regulation (GDPR)

WSGR Getting Ready for the GDPR Series

The General Data Protection Regulation: What does it mean for you?

Customer Data Protection. Temenos module for the General Data Protection Regulation (GDPR)

General Data Protection Regulation

THE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION

Data Protection. Policy

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

Data Protection Policy

DATA PROTECTION POLICY

General Optical Council. Data Protection Policy

EU General Data Protection Regulation (GDPR) Tieto s approach and implementation

Regulates the way data controllers process personal data

EU data protection reform

General Data Privacy Regulation: It s Coming Are You Ready?

GDPR Compliance Checklist

GDPR Webinar : Overview & practical compliance steps. 23 October 2017

The Top 10 Operational Impacts of the EU s General Data Protection Regulation

The (Scheme) Actuary as a Data Controller

AmCham s HR Committee s

GDPR: Is it just another strict regulation or a great opportunity for operational excellence?

Data protection (GDPR) policy

Data Protection Policy & Procedures

The Data Protection Regulation for Europe

ARTICLE 29 DATA PROTECTION WORKING PARTY

with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting

GDPR Webinar 4: Data Protection Impact Assessments

Preparing for the General Data Protection Regulation (GDPR)

Data Protection Policy

Conducting privacy impact assessments code of practice

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

Data Protection Policy

Conducting privacy impact assessments code of practice

Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018

Colleges and public authority status under data protection legislation

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER

DATA PROTECTION POLICY

GDPR. The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April

Data Protection Policy

CANDIDATE DATA PROTECTION STANDARDS

Preparing for GDPR 27th September, Reykjavik

COUNCIL OF EUROPE COMMITTEE OF MINISTERS. RECOMMENDATION No. R (89) 2 OF THE COMMITTEE OF MINISTERS TO MEMBER STATES

Data Protection Act Policy And Operational Procedures For the Trust, Its Academies, And Essa Nursery

Data Protection Policy

Syntel Human Resources Privacy Statement

OFFICE OF THE DATA PROTECTION COMMISSIONER. Official Languages Act Language Scheme

General Guide to Employment Law Introduction

Data Flow Mapping and the EU GDPR

New General Data Protection Regulation - an introduction

DATA PROTECTION POLICY

Data protection. The employment practices code

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

ARTICLE 29 Data Protection Working Party

DATA PROTECTION POLICY

Data Protection Policy and General Data Protection Regulations (GDPR)

What is GDPR and Should You Care?

Rexel Shredding. Why a paper security policy is integral to GDPR compliance.

Compliance with South African POPI Acts

Data Privacy Policy for Employees and Employee Candidates in the European Union

Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,

Cloud Computing Policy and Guidelines Release: 1.51

WORLD MEDIA GROUP THE IMPLICATIONS OF GDPR FOR THE ADVERTISING INDUSTRY

Unfair Dismissals Acts, 1977 to 2001

PRIVACY IMPACT ASSESSMENT (PIA) TEMPLATE

Tallinn, Estonia. Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011, OJ L 286,

KRONOS WORLDWIDE, INC. SAFE HARBOR PRIVACY POLICY Effective December 1, 2009 Amended and Restated as of July 20, 2012

SME guide to the personal data protection act 2012

GDPR - HOW IS INDUSTRY ADDRESSING THE LEGISLATION

EU General Data Protection Regulation (GDPR) Point of View for ERP and HRMS Operations. For private circulation only.

Guideline Leaflet L13: Data Protection

Data Protection/ Information Security Policy

EU-GDPR and the cloud. Heike Fiedler-Phelps January 13, 2018

MTA EMPLOYMENT RELATIONS FACT SHEET

Data Protection Audit Self-assessment toolkit

Guidelines on the management body of market operators and data reporting services providers

Privacy governance survey. The state of privacy management in Belgian organisations

FIXED TERM CONTRACT POLICY. Recruitment and Selection Policy Secondment Policy. Employment Policy. Officer / CSP

Whistle Blowing (Draft)

The new EU data protection Regulation: The business opportunity beyond legal compliance. Kalliopi Spyridaki Chief Privacy Strategist, Europe

GUIDANCE REGARDING CONDUCTING INVESTIGATIONS FOR SCHOOL BASED STAFF

Health Service Executive

Terms of Reference. Quality and Value Audits

Humber Information Sharing Charter

The Essential Guide to the Public Sector Equality Duty

Gwybodaeth Dan Reolaeth. Gwynedd Council DATA PROTECTION POLICY FINAL 2.0. September Information Management Service. Approved

Data Protection Policy

Thomson House School Freedom of Information Policy

Contents. Introduction 1. Territorial scope 3. Supervisory authority 4. Data governance and accountability 5. Export of personal data 14

Transcription:

02 Mind your business Prepare for GDPR How employers should comply with GDPR Recommendations for employer compliance with GDPR

The scope of the impact of the GDPR cannot be overstated. The GDPR will impact most if not all areas of your business. Key employees and decision makers across your business must be aware of and trained on the GDPR so that they can consider how to ensure compliance and appropriately allocate resources.

New data protection requirements (GDPR) are coming The privacy rights of individuals are safeguarded in relation to the processing of their personal data by organisations. n Personal data is any information related to an identified or identifiable natural person ( data subject ). This definition not only includes names and other factors specific to the identity of the individual but also online identifiers such as an IP address and location data. n Sensitive personal data are specific categories of personal data related to a person s: race or ethnicity; political, religious or philosophical beliefs; sexual life or sexual orientation; health; genetic or biometric data; criminal record; or trade union membership. There are additional requirements for the protection of sensitive personal data. Processing of personal data can cover the many different uses of that data, including: collecting, recording, storing, adapting, using, disclosing and deleting data. n The General Data Protection Regulation (GDPR) applies to both data controllers and data processors. A data controller is a person/company/other body, who either alone or with others, controls the contents and use of personal data. A data processor is a person/company/ other body, who processes personal data on behalf of a data controller but does not include an employee of the data controller who processes such data in the course of his/her employment. n The rights cover data related to identified or identifiable persons (e.g. customers or employees) held either electronically or physically this includes physical files, emails, Customer Relationship Management (CRM) systems, images or recordings of individuals. The EU has recently reformed its rules on data protection. The GDPR will be directly applicable in all EU Member States, including Ireland, on 25 May 2018. Many existing regulatory concepts on data protection will be retained, but there will be significant changes under the GDPR that require consideration and advance preparation. Data protection is a key business consideration. In this context Ibec is delivering a series of short guides to help raise awareness and understanding of the GDPR. The objective of this specific guide is to provide recommendations to assist employers as they begin their preparations for the arrival of GDPR in May 2018. These guides are not exhaustive and are not intended as definitive analysis or advice legal or otherwise on compliance with data protection requirements. Ibec reserves the right to update this guidance as the implementation of the GDPR progresses. 1

How employers should prepare for GDPR 10/Keep abreast of developments between now and May 2018 09/Consider whether you will need to appoint a DPO 08/Consider whether you will need to carry out data protection impact assessments 07/Review your data security procedures 06/Review your data access request procedures 2

01/Spread awareness of the GDPR within your organisation 02/Conduct a data protection audit 03/Consider the basis on which you have collected personal data 04/Review your data protection notices 05/Review your data protection policies 3

Recommendations for employer compliance with GDPR Recommendation 1 Spread awareness of the GDPR within your organisation The first step is to understand the scope of the GDPR and the extent to which it will impact your organisation. For example: n Are you a data controller or a data processor? n Where is your main establishment for the purposes of GDPR compliance? The scope of the impact of the GDPR cannot be overstated. The GDPR will impact most if not all areas of your business with such impact likely having budgetary implications for various parts of the business. The GDPR provides for fines of up to 20 million or 4% of annual global turnover and permits individuals to sue for both material and non-material damage. Key employees and decision makers across your business must, therefore, be aware of and trained on the GDPR so that they can consider how to ensure compliance and appropriately allocate resources. As the business progresses with its preparations, all staff training workshops should be organised so that employees are aware of the main effects of the GDPR on their work. For example: n Staff should understand how to respond to requests from data subjects and Data Protection Authorities (DPAs) in relation to GDPR requirements; n Data processing contracts should meet the requirements of the GDPR. The scope and allocation of risk between processors and controllers in such contracts should be appropriate and understood. Recommendation 2 Conduct a data protection audit As a first step, employers should review all personal data they hold, whether that data relates to current or former customers, current or past employees, unsuccessful job candidates or other third parties. The Data Protection Commissioner (DPC) has suggested examining all such personal data under the following headings: a. Why are you holding it? b. How did you obtain it? c. Why was it originally gathered? d. How long will you retain it? e. How secure is it, both in terms of encryption and accessibility? f. Do you ever share it with third parties and on what basis might you do so? 4

The GDPR explicitly requires organisations to be in a position to demonstrate compliance with its requirements. Documenting the above review and any subsequent action will enable employers to: 1. Identify any gaps in its compliance with data protection rules 2. Put in place processes to ensure all gaps or errors are rectified 3. Produce evidence of its compliance on the coming into force of the GDPR When carrying out this data protection audit, employers should pay particular attention to outdated data which it may no longer justify retaining. The GDPR does not specify any particular retention periods for personal data. However, it states that personal data may only be kept in a form which permits identification of the individual for no longer than is necessary for the purpose for which it was processed. When considering retention periods, employers should be guided by statutory retention periods, limitation periods, individual business needs and, of course, data protection principles. For employee data, employment legislation dictates retention periods for certain data. Some of these statutory retention periods are set out below. Statutory Retention Periods for HR Data Wage information Working hours and related information Collective redundancy information Parental leave records Carer s leave Employment permit records Employment records of young persons Accident records 3 years 3 years 3 years 8 years 3 years 5 years or period equal to duration of employment (whichever is longer) 3 years 10 years Other data may need to be retained to defend any actions against the employer. In this regard, account should be taken of the six year limitation period to take a breach of contract claim and the two year limitation period to take a personal injuries claim. Crucially, all retention periods should be evidence based and the period chosen cannot seek to cover all possible eventualities where personal data may be useful to the business. Outsourcing activities should also form a key part of your data protection audit. If, in the course of business, you transfer, or intend to transfer, an individual s personal data to another organisation for data processing ensure that the data processing contract addresses GDPR requirements and clearly sets out the responsibilities and liabilities of all parties. If, in the course of business, you transfer, or intend to transfer an individual s personal data outside the EU, ensure that approved transfer mechanisms are in place to do so. Guidance on international transfer mechanisms is expected to be published over the course of 2017. However guidance on current rules regarding international data transfers can be found on the websites of the Data Protection Commissioner and the UK s Information Commissioner. 5

Recommendations for employer compliance with GDPR / continued Recommendation 3 Consider the basis on which you have collected personal data Businesses must be able to identify and document the legal basis for processing personal data. Some of the legal bases of most relevance to employers include the following: n Consent of the data subject n Processing is necessary for the performance of a contract to which the data subject is a party n Processing is necessary for compliance with a legal obligation to which the data controller is subject n Processing is necessary for the legitimate interests of the data controller unless such interests are overridden by the interests or rights of the data subject. Businesses should, in particular, note the GDPR s provisions on consent when carrying out their review of personal data held or processed. The GDPR provides that consent must be freely given, specific, informed and unambiguous and crucially, consent may be withdrawn at any time. Silence, pre-ticked boxes or inactivity will not constitute consent. For employers, there are question marks over whether employee consent can be freely given because of the imbalance of power which can exist between employer and employee. While employers are, for the moment, still advised to seek employee consent for any processing of data, they may also need to be able to rely on one of the other bases outlined above. Where employee consent is relied upon, it should be obtained by way of a separate data protection document rather than a data protection clause in the employment contract. Employees should also be told that they may withdraw their consent at any time. Recommendation 4 Review your data protection notices Employers should review their data protection and/or privacy notices and analyse whether they require any updating to ensure compliance with the new rules. For employers that do not currently have data protection or privacy notices, they should start to put these in place as the GDPR reemphasises their importance. When first collecting personal data, the GDPR requires businesses to provide information such as the following to individuals: n The business s identity n Contact details for the business and for the data protection officer (DPO), if applicable n The reasons for collecting the data n The use(s) to which the data will be put n To whom the data will be disclosed 6

n Whether the data will be transferred outside of the EU n The legal basis for the processing of the data n The period for which the data will be stored, or the criteria to be used to determine retention periods n Where the processing is based on the legitimate interests of the business, the legitimate interests concerned n Where the processing is necessitated by a statutory or contractual requirement, the consequences for the individual of not providing the data n Whether the data subject will be subject to automated decision making n The rights of the individual under the GDPR When preparing notices, businesses must set this information out in a clear, concise and easily accessible manner. Further guidance on the contents of data protection notices can be found on the UK Information Commissioner s website. Recommendation 5 Review your data protection policies The GDPR contains enhanced rights for individuals. These include the right to: n Receive certain information on the collection of personal data n Access his/her personal data n Rectify inaccurate personal data n Be forgotten n Restrict the processing of his/her data n Transfer data from one organisation to another n Object to direct marketing n Object to automated decision making or profiling. Automated decision making occurs when decisions are taken solely by automated means involving no human intervention. Further guidance can be found on the UK Information Commissioner s website. Employers should review their current data protection policies and consider whether they can currently facilitate these rights. For employers that do not currently have any data protection policies in place, they should introduce these over the course of 2017. 7

Recommendations for employer compliance with GDPR / continued Recommendation 6 Review your data access request procedures The GDPR provides that a data access request must be responded to within 1 month of receipt of the request. This is a reduction on the 40 day period provided for by current data protection legislation. This 1 month period may be extended for up to 2 further months where necessary, taking into account the complexity and number of requests. In another slight change, documents will have to be provided free of charge, unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged. Guidance on the circumstances in which a fee may be so charged, and the level of the fee which may be charged, is awaited. Employers will also be obliged to provide further information to individuals making data access requests. This includes: n The purposes of the processing n The categories of personal data concerned n To whom the personal data has been or will be disclosed n Whether the data will be or has been transferred outside of the EU n The period for which the data will be stored, or the criteria to be used to determine retention periods n The right to make a complaint to the DPC n The right to request rectification or deletion of the personal data n Whether the data has been subject to automated decision making Even under current data protection rules, responding to data access requests can be a costly and time consuming process. Employers should, therefore, review their procedures for responding to requests now to ensure that this process is as smooth as possible for the arrival of the GDPR. 8

Recommendation 7 Review your data security procedures The GDPR contains new rules regarding mandatory security breach reporting for which employers should prepare. The GDPR requires organisations to notify the DPC of a data security breach within 72 hours of becoming aware of the breach, unless the risk to rights and freedoms of data subjects is unlikely. The notification must contain the following information: n The nature of the data breach including where possible, the categories and approximate number of individuals and personal data records concerned n The name and contact details of the DPO or other contact within the organisation n The likely consequences of the breach n The measures taken or proposed to address the breach, including measures to mitigate possible adverse effects. Organisations that are late in reporting breaches must provide a reasoned justification for the delay. If there is a high risk to the data protection rights of individuals affected, they must also be informed promptly. Any such communication to individuals must be in clear and plain language. Given the every increasing risk of data security breaches, employers that have not already done so, should put in place clear and adequate procedures for their detection, reporting and investigation. For employers that have data security procedures in place, these should be reviewed to ensure that the timelines and information requirements set out above are encompassed. Recommendation 8 Consider whether you will need to carry out data protection impact assessments Once the GDPR comes into effect, employers may have to carry out data protection impact assessments in respect of projects which pose a high risk to individuals data protection rights. Examples of projects which are likely to require an impact assessment include the adoption of new technology, introduction of CCTV monitoring or profiling. Employers should consider whether any current or planned projects will require a data protection impact assessment. Where projects do require such assessment, businesses should begin to carry them out to determine whether the activity can continue in light of data protection requirements. Further information and template impact assessments can be found on the UK Information Commissioner s website. 9

Recommendations for employer compliance with GDPR / continued Recommendation 9 Consider whether you will need to appoint a DPO Although many larger businesses already have a DPO in place, it is not currently required by data protection law. The GDPR provides that all public authorities must appoint a DPO. Private sector organisations must appoint a DPO if they: n Carry out regular and systematic monitoring of data subjects on a large scale; or n Carry out large scale processing of special categories of data. The European Article 29 Working Party has published draft guidance to assist organisations to determine whether they are required to appoint a DPO. This guidance can be found on their website. For employers that will require a DPO, or choose to appoint a DPO, they must allocate an adequate budget, whether they decide to recruit internally or externally. As the GDPR makes clear that DPO s must have sufficient expertise, independence and security of tenure, businesses must be careful to appoint suitable candidates to the role. Once appointed, the DPO will report to top management and will serve as the contact point for data subjects and the DPC. They will also have to be allocated adequate resources to carry out the role effectively. Recommendation 10 Keep abreast of developments between now and May 2018 Although the GDPR will be directly applicable from May 2018, a bill setting out some further detail on its implementation is expected to be published over the course of this year. The DPC has also promised to publish further guidance on how best to ensure compliance with the GDPR between now and its coming into effect. Businesses should, therefore, continue to monitor developments and guidance in this area as they prepare for May 2018. In particular, businesses may wish to visit the websites of the DPAs (ODPC, the ICO and the Article 29 Working Party) who are producing guidance to help your awareness and understanding of data protection and the upcoming GDPR. 10

About us Ibec represents Irish business; home grown, multinational, big and small, spanning every sector of the economy. The organisation and its sector associations, work with government and policy makers nationally and internationally, to shape business conditions and drive economic growth. It also provides a wide range of professional services direct to members. Further information Ibec s digital economy policy committee and GDPR taskforce www.ibec.ie/digitaleconomy Ibec s Employer Relations Division www.ibec.ie/employerservices Copyright Ibec, 2017 11

Notes 12

Ibec 84/86 Lower Baggot Street Dublin 2 T: + 353 1 605 1500 E: membership@ibec.ie W: www.ibec.ie Disclaimer This publication is for general information purposes only and not intended as detailed legal analysis or advice. Ibec assumes no responsibility for any use to which the information may be put, or for any errors.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback