GDPR - Practical Changes, Practice and Documentation for HR

Posted in: Seamus Says - Employment Law Discussion on 17 April 2018
Seamus McGranaghan
O'Reilly Stewart Solicitors
Q. Could you please provide more information on the GDPR around the practical changes and practice and documentation for HR professionals whether employed within companies or as external professional advisors handling sensitive information?

Seamus: Well, good afternoon, Scott. And yes, GDPR is the very topical matter at the moment. In relation to this, obviously, GDPR will come into play on the 25th of May, 2018. So everybody is trying to gear up in relation to their obligations. I think the first thing that I want to say about it is that and the big view will be that post its introduction. We are looking at a new playing field in relation to data protection, and there will be certainly a lot of considerations to be given for things like tougher sanctions and the expectations are greater and they're more increased.

So it's a really good time now to be starting to review your processes, and we'll just go through some of those in relation to what I think you can do, but first of all, just to highlight, and I might talk about the Uber case that just came out today a wee bit at the end, but obviously the big one is the tougher sanctions that are coming along and we have fines up to €20 million or 4% of the annual worldwide turnover. So, big difference in relation to what the current fines and sanctions are that could be issued by the regulators.

And the first thing I would say really about is looking to put together a record of your data processing activities, and what information, what data it is that you're holding in relation to your end or that your staff, your suppliers, your clients across the board, what data it is that you have . . .

Scott: Any personal data, if you don't make a list, you're going to miss something.

Seamus: Yes.

Scott: And that's the trouble.

Seamus: You won't know until you sort through and look at it, and if you look at some of the guidance that's out there in relation, there's lots of guidance in terms of people accessing that, but they talk about creating this data map or a data flow analysis of what information that you're capturing, how you're capturing and why. And I think it's a good time to look at to say all this information that we have, do we need it all? Is it something that we really do require? And if not, get rid of it, I think, is the best thing, because it reduces your risk and your liability then.

And the second thing is really starting to review your IT systems and your procedures, and you want to make sure that there are appropriate privacy settings in relation to your IT and really give a general review of your documentation on how data is accessed within your office or your business. We had it in here, we did specific training for staff back in the summer, and we looked at things like a privacy impact assessment whereby we asked our attendees just to consider briefly at the start what type of information that they're holding and what's the risk of that information being lost.

So it's just simple things for us, like we have a few shred cupboards, where we take our information that we have that we print off from e-mails and we'll make sure that we're disposing it, that we're putting that into the shreds, the company come and take it away. That it's been appropriately disposed of and that we're not putting it into general waste that goes outside the front of the building to be collected. Things like if we're sending personal information, medical notes and records, HR advisors will be well used to very personal information, sick lines, bank details, and you know…

Scott: Or your salary details, all that good stuff. It's all very highly sensitive information.

Seamus: Highly sensitive information. Anybody that would breach that, there would be a big concern there. And making sure that your passwords are updated whether that's done quarterly or if the system is to do it every six months.

Scott: You do it quarterly at O'Reilly Stewart.

Seamus: We do a quarterly update.

Scott: Do you get a prompt every quarter to update?

Seamus: We do indeed and the prompt comes out, and then it's about the notifying the appropriate protection officer in terms of your passwords so that they're retained and that they're also retained very safely as well, and only certain people can access that. I think it's about looking at development of your policies, training your staff, and really bringing into the mind and the focus of your staff the type of data that they are dealing with and where are the potential breaches of that could be. Are they carrying around information in a briefcase or a suitcase that they could leave on the seat of the train or on the bus, documentation in relation to client information or employee information sitting in the boot of your car in your briefcase and your car gets stolen. It's really about acting smartly.

Another query as well is just in relation to people bringing work home from the office, taking information out of the office, taking it out of the security of your office and bringing it home and what happens in terms of that information, how do they bring it back or if they're travelling on trips.

Scott: Well, a lot of people, of course, on the internet, they automatically have a setting that's stored to the cloud.

Seamus: Yes.

Scott: And how safe is that? So they lose it when . . . as soon as they leave the office, so they're not on a VPN.

Seamus: Exactly. So it's about reviewing your systems, and sometimes people will say you have a company laptop and you have an access key and a code for it and that's all that you're getting. And reviewing that and making sure that people are abiding by your policies and procedures. The other thing is just consent in relation to data processing and making sure that you're getting the appropriate consent. It's not satisfactory any longer when GDPR hits us that you can just rely on if you don't come back to us within five days, then we're going to take it that you're consenting.

You should be getting an express consent in terms of having documents signed, and again that's not just a scenario what you can say it's broad consent for everything. It might be that you need specific consents for specific types of documents.

Scott: Okay. We've got a question just come in there from a listener.

Q. We've got a member organisation and they're wondering would our existing members have to give you written consent.

Seamus: In terms of the documentation that you're holding, I think that you need to do a review of the documents that you're holding and make a decision as to whether or not a general consent is applicable to everything. Under GDPR, it's likely that you're going to have to get new consents for the different types of documentation that you're processing. So it's about doing a review, and I wouldn't just rely on the fact that you have a consent now. I think you'll be looking at to review all those and those different types of processing and be safe, maybe go ahead and get the consent signed.

Scott: Okay. We're talking about the GDPR. I'm Scott Alexander from Legal-Island, and Seamus McGranaghan is answering the questions. I see quite a lot of people have arrived just a little bit late. Don't worry too much. We are recording this, and we will put it up on the internet and we'll also send a transcript there, so you can look at all the answers that we've been dealing with later on. So we'll have that done within the week or so if you've arrived a little bit late and missed that question.

There's another question just come in on the GDPR.

Q. Who would be the best person in an organisation to be the data protection officer?

Seamus: Well, I suppose the big point is that, under GDPR, you probably have to have a data protection officer, so there has to be somebody appointed as your DPO. Again, look within your organisation to decide who is the most suitable person for that. You don't necessarily have to appoint someone internally. It can be a third-party consultant. And sometimes that might be the safer way of doing it, because what this person is going to have to be, they're going to have to be independent. They have to be accessible, they have to have expert knowledge, and they have to be able to report to senior management, and they have to be able to give it to senior management as to what it is they can't pussyfoot around where there may be breaches or there are problems.

So you need a strong character that I think is going to be your DPO, and it's looking at your organisation and deciding who within this organisation is a person that would be reflective of those qualities. If there isn't someone then, fine. I think then you go to outsourcing it. And there will be plenty of consultants out there that will be happy to take the work on, and sometimes just taking it out of the organisation can facilitate that aspect of maybe an employee feeling that they can't raise the issues or that they're worried about drawing certain things to management's attention. If it's done outside, it might be the cleaner way of doing it.

Scott: Well, the downside is they're not always there to remind people of their responsibility. So it's a question of balance again, I suppose.

Seamus: That's it. And the other thing just to point out in relation to that is that you need to be careful about conflicts whenever you're appointing your DPO. It really shouldn't be anybody on the IT team or security personnel in case they have a conflict. The guidance tells us that you can't be poacher and gamekeeper when it comes to this. So you are looking for someone that is independent.

Scott: Okay, another question just came in here. Does your organisation have to be a certain size for registration regarding the GDPR? It covers every organisation.

Seamus: Yeah.

Scott: But it's all of the public sector, and certain organisations that have a lot of data processing that will have to have a statutory data protection officer.

Seamus: Yes.

Scott: But everyone is covered.

Seamus: Everyone is covered, and the reality is the larger your organisation, the bigger the expectations will be, I think, in terms of it. So I'm not saying that smaller organisations get off the hook in any way. If there's a breach, there's a breach, but certainly, I think the penalties will be potentially heavier for the larger organisations out there.

Just maybe one point to flag up, just because it has been a topic of matter on news this morning in relation to this concealment of the data breach that the Uber case has come up today, really important to identify that where there has been breaches that they are reported to the appropriate regulators at the time and that it's not a matter that you're hiding behind it.

I think that the reality is and my experience has been, prior to GDPR as well, that if you engage with the likes of the Information Commissioner's Office and if you report to them, if you tell them that you're having difficulties, there is something happening, they will come in and they will assist you. They don't necessarily just come in to beat you with a penalty or a fine. They may do that, and there are risks and that's the double-edged sword, but just be clear about your reporting obligations in terms of this. We can see here that Uber had left it for over 12 months, and it seems to be an absolutely massive breach of data protection that happened to them and it hasn't been reported and it will reflect badly on them and it will be interesting to see what develops in terms of . . .

Scott: If there's any listeners are out there and you haven't seen the news, have a look at BBC, and you'll see about Uber have concealed a breach. Now, presumably again, if that were to happen post-May 2018, you'd be looking at sizeable fines. There's hundreds of thousands of people involved.

Seamus: Absolutely. I think it's talking about affecting 57 million customers, and I think that's on an international basis, so they could be facing a number of different types of fines or claims from different countries. But definitely I think that there is probably a bit of a benefit in them notifying of the breach now before GDPR comes in, because I think the fines will be certainly larger.

This article is correct at 01/12/2017

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.

The main content of this article was provided by Seamus McGranaghan. Contact telephone number is 028 9032 1000 or email