GDPR – 5 things HR Must Do!

YEARN2LEARN TRAINING, GILLIAN ACHESON, DEIRDRE ALLISON

GENERAL DATA PROTECTION REGULATION

What is it?

• GDPR represents the most significant shift in European data protection legislation since the Data Protection Directive

• Will harmonise data protection laws throughout the EU

• Will replace the Data Protection Act 1998

• Applies from 25 May 2018

• The UK’s decision to leave the EU will not affect the commencement of the legislation.

HR’S 5 STEPS TO GDPR

• 1. Know what information you hold

• 2. Manage Data Breaches

• 3. Be Aware of increased rights of employees

• 4. Ensure Accountability

• 5. Make staff aware – 122 days to go and counting!

1. KNOW WHAT DATA YOU HOLD

• What personal data you process

• Why you process it

• How it is processed and who processes it

• Importantly, the legal basis relied on to justify the processing

May need to think about

• Privacy Notices

• Review information collected

• Information asset audit

• Looking at the data protection principles underpinned by accountability

• If you use data processors their responsibilities are enhanced

PRIVACY NOTICES

INFORMATION ASSET AUDIT TEMPLATE

Template column headings:

Asset number or ID | Name of asset | What does it do | Location | Owner | Volume | Personal data | Access | Shared | Format | Retention | Risks / impact | Key asset

What does your organisation do? What information do you have? Where is your information kept?

Do you have duplicate information? Document what you know. Keep it up to date.

2. MANAGE PERSONAL DATA BREACHES

• A staff member was unable to format a spreadsheet at work. He sent it to his spouse for help, ultimately causing a data breach that could have exposed the personal data of 36,000 Boeing employees in four US states.

• In 2014, a leak of personal data by a former employee of Morrisons resulted in a lawsuit brought by 5,500 current and former Morrisons workers. In 2015 the employee was jailed for 8 years for fraud, securing unauthorised access to computer material and disclosing personal data.

BREACH MANAGEMENT

• GDPR introduces a general obligation to notify data breaches.

• As a rule the employer, as data controller, must notify the regulator within 72 hours. If it does not, the delay has to be justified.

• If the data breach relates to HR-related data, the employer must notify the affected employees without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

• Fines up to €20m or 4% of annual worldwide turnover, whichever is greater!

• Training for staff is key to avoid the significant fines that can be imposed

3. BE AWARE OF INCREASED RIGHTS OF EMPLOYEES

• The GDPR significantly enhances the rights of data subjects.

• Employers will need to provide more detailed information as to how and why HR-related data is processed

• Transparency as to the processing

• Right of access to their data and a right to have inaccurate data rectified

• Right to be forgotten – how will you achieve this?

• Changes to the subject access process include: no fee, and a reduction in the time allowed to process a request

4. ENSURE ACCOUNTABILITY

• Companies must be able to demonstrate compliance

• Shift from paper-based compliance to actual and demonstrated compliance.

• Appointment of a (mandatory) Data Protection Officer

• Carrying out (mandatory) privacy impact assessments

• Keeping records of all their processing activities.

5. MAKE STAFF AWARE

• Update relevant IG Policies

• Build requirements of GDPR into DP training

• Review your breach management protocols

• Involve staff in information asset audits

• Communication through intranet, IG newssheets etc.

RESOURCES AVAILABLE

• Preparing for the GDPR – 12 Steps to take now (updated)

• ICO Guidance: What to expect and When

• ICO - Conducting PIA

• ICO - Privacy Notices

• Information asset audit – National Archives

• Outputs from the Article 29 Working Group

• ICO blog!

ADDITIONAL RESOURCES - GDPR EVENTS LOCALLY

Yearn2Learn

an ILM Recognised Provider

• Date: Tuesday 30 January 2018

• Time: 9.30 – 4.30 pm (Registration 9.30)

• Venue: Belfast

To book, contact [email protected]

or Tel: 07761586390

Legal-Island

• Date: Wednesday 14 March 2018

• Time: 9.20 – 4.30 pm

• Venue: Belfast

Early bird offer still available

To book, visit www.legal-island.com

Email [email protected] or

Tel: 02894463888

CONTACTS

Yearn2Learn

an ILM Recognised Provider

For further information or to arrange a site visit for advice, guidance or support, contact:

Deirdre Allison – [email protected] Tel: 07761586390

Gillian Acheson – [email protected]

Visit our website at www.yearn2learntraining.com

Legal-Island

To claim 25% off data protection eLearning training or to arrange FREE TRIAL access, contact [email protected] or call 028 9446 3888.

The offer ends 5pm on 28th February.

Legal-Island Services

Employment Law Conferences & Workshops

Check out our upcoming events: www.legal-island.com/events

Northern Ireland Employment Law Hub

Over 2,500 in-depth articles and case law reviews: www.legal-island.com/register

eLearning Modules

• Data Protection

• Equality & Diversity

• Child Safeguarding

Cost-effective training for your whole organisation: www.legal-island.com/e-learning