GDPR - 5 things HR must do [Webinar Recording]

Posted in : Supplementary Articles NI on 14 November 2017
Legal Island
Legal Island
Issues covered:

Data Protection experts Gillian Acheson & Deirdre Allison discuss the 5 key things that HR departments must do to comply with the General Data Protection Regulation (GDPR) in this 30-minute webinar recording with questions and answer.



Barry: Good morning to everybody and welcome to this webinar on the GDPR. My name is Barry Phillips, I'm the Chairman of Legal-Island, and I'm delighted to be joined today by Gillian Acheson and Deirdre Allison of Yearn2Learn Training. As everybody will know, GDPR is the topic of the moment as we prepare for its introduction in May of next year. It's really topical. I'm delighted to have two data-protection experts with us to be doing this webinar this morning.

Before we set off, we'd just like to deal with a number of housekeeping matters. The first is this webinar is expected to last no more than 30 minutes, just in case that's helpful for anyone to know. There is planned a Q&A session, which is going to take place towards the end of the webinar, but you can ask a question at any point. To do that, what you just need to do is to use the chat facility, which is on the right-hand side of your screen. I'm told by our technician here that the questions come in anonymously, and that might be something you'd like to know as well.

But without further ado, what I plan to do now is to pass you over to Gillian.

Gillian: Thank you very much, Barry, and thank you for setting up the very hard challenge of finding only 5 things that we have to do as part of GDPR. I'm sure your listeners know what it is, it's been on the agenda for quite a while now. It is about a significant shift in data-protection legislation. It is there to harmonise data-protection laws throughout the EU and it will replace the Data Protection Act completely. So all of us here are very familiar with the legislation, although I have to look at the GDPR and the data-protection bill that's currently out at the moment.

It applies from the 25th May 2018, and obviously, the U.K.'s decision to leave the EU will not affect the commencement of this legislation. I think that's been very clear. It is about making data protection laws, it's for the digital age. We know with ever-increasing amounts of data being processed and so on.

HR's 5 Steps to GDPR

Have a look at the five steps to consider for HR. This is what we sort of thought would be the top five things, and there's still quite a lot of information within this.

Step 1: Certainly important to know which information you hold. We'll look at that in a bit more detail.

Step 2: Obviously, managing data breaches is a key area. You're familiar with the very high and significant fines that are going to be in place from next year, and there is quite a lot that departments will have to do, HR departments or whatever, to mitigate against those particular breaches.

Step 3: Also be aware of the increased rights of employees.

Step 4: Looking at accountability, and that's a key feature now within the data protection principles.

Step 5: According to Siri (we checked this morning) we've 196 days to go, and counting.

Know what information you hold

So if we look at maybe knowing what data you hold, and this is about looking... HR hold and manage endless amounts of employee information, lots of personal data. You also will process what we would have called sensitive personal data, but it's now in a special category, so things like trade union membership, ethnic origin, or whatever. So you will need to assess what information you hold, what you process, why you process it, if you process it, and importantly, that the legal basis used to qualify the processing.

One of the big things I suppose as well is that if you outsource your HR, recruitment or whatever, the regulations are much more stringent for processors, who will find themselves having to meet regulatory obligations within that. That's something probably that we wouldn't have had to look at under the current legislation. So fines could apply on your processors as well, and you will need to have your contracts in place.

As we look at some of the things to, I suppose, review, that the type of information that we hold, things like privacy notices, we'll take a quick look at that. Looking at how you will review your information, your information assets, the data-protection principles, underpinned by accountability. And then, as I say, your data processors and the enhancements of their responsibilities as well.

So I'm not going to say a terrible amount about privacy notices, but this is really around making sure your organisation tells people what they do with their information. This could be as an organisation or it could be for your staff as well, telling your staff what people do with their information. It could be things like the legal basis upon which personal data will be processed, how long you will hold data, how people will access their information if they wish to receive copies of it.

Now I've just given you a sort of a privacy notice checklist from the ICO website. This is a longer document, but it's a very straightforward way of looking at your privacy notice, of going through that, and seeing whether what you tell people at the moment complies with what the GDPR regulations or the regulations are saying. So that does offer a, I suppose, a challenge for the employer in relation to the employer/employee relationship, and also the types of information that's reflecting as well. So I would recommend to you that at what's available on the ICO website. It is done in a principal way to help you, by providing checklists and so on.

Just sort of taking that on a wee bit further, information assets, that I thought this would be useful just to mention. This isn't a statutory requirement within the GDPR, but it is a very good way to get a clear understanding of what your organisation does. There are lots of templates on the internet. You can go and look at it. This particular one is from the National Archives. But it does give you quite a good idea if you can map through your assets, looking at your assets, looking at your information, what you hold, where you hold it. And Deirdre, you've been involved with organisations that don’t know where they hold a lot of their information?

Deirdre: Yes, certainly. One of the other aspects is that what I have found in the past is that in some organisations, while there are main kind of corporate databases, and I have often come across people who will say and I have created my own wee database for my personal use, just in case the big one fails or something happens to it.

So now you have someone else who has got one that they consider is their own, and no one else in the organisation knows that that's there. So when that person leaves, that database is sitting there, storing all that information is on, and there has been no control over the type of information that has actually been gathered and added to it. So that would be a concern, because that's an unknown asset. There could be many unknown assets.

Gillian: Yeah, and I think we certainly have experienced where somebody's worked at an organisation for 30 years and they leave, and all of a sudden “who was looking after that information?” “That was Joan, she's away.” All of a sudden you have no idea… that whole corporate memory is gone, in terms of what information was there. So at least if you can document your key assets you can see where they are. It begins to identify risks for you as well.

Intrinsically, under the data-protection principles, there is this paragraph that says the controller shall be responsible for and be able to demonstrate compliance with a paragraph 1 which state your principles, and that's all about accountability. So it is very good practice to have this in place. It will help you to identify your risks. It also, if the ICO come to you looking for, if you've reported a data breach, and they ask you, did you know about this flow, you are able to sort of demonstrate you have this document, that you have considered it.

I think probably fairly important to do a live audit. It's not something you do as a one-off exercise because systems change. As Deirdre says, systems appear as people respond to changing information needs as well. So it's something that needs to be kept live within the organisation. Okay?

Manage Personal Data Breaches

A big area, I suppose, of the legislation is about breaches. Deirdre, did you want to pick up from this?

Deirdre: Yes. Well, we could be here all day if we started to look at all of the breaches that have happened. But I am going to highlight two breaches. You can see up on your screen the first breach there by the staff member and the spreadsheet. Unfortunately, this is very common practice and you can easily see where the risks are there. Staff sometimes don't think that it's a bad thing to do, but it can cause very, very serious issues for, you know, for business.

You'll probably be familiar with the Morrisons leak in 2014. That's where a member of staff who was actually dismissed decided to take some information out of the company. That case was actually in court on the 9th of October, 2017, and that it's gone for, and for legal judgement. The person who had carried out this deed, he was jailed for eight years for fraud and for securing unauthorised access to computer material and disclosing personal data. The other side of that is that the Morrisons employees, 5,500, have now taken a case against Morrisons.

So you can see how the breaches can spin off into other areas. There are lots of examples on the ICO website. You should be aware of them because if a breach has happened somewhere, there's nothing to say that it couldn't happen with your business. If it's happened in one part of your business, it could happen somewhere else, and you need to make staff very much aware of it.

Gillian: If we move on to breach management within GDPR, and I suppose one of the big concerns is it does introduce this general obligation to notify data breaches. As a rule, this should be with the ICO within 72 hours, and if not, you have to justify the reason for this delay. I do recommend you look at the Article 29, Data Protection Working Group Party, on personal data breach notification. There's some quite scary information.

Firstly, looking at what a data breach is? It's defined as a breach of security leading to loss of data, etc., etc. So any sort of personal data breach is considered a breach of security. You are required to notify within 72 hours of becoming aware of the breach and if the breach is likely to present a high risk to individuals' rights and freedoms.

Again, just within the guidance, it's interesting to look at some of the examples that they have highlighted. One I thought was particularly interesting was to do with if medical records on a computer system aren't accessible for a period of time and that leads to the cancellation of operations or clinics or something, the fact that you've had downtime may be reportable if it has prevented people from attending a clinic or getting an operation. That was, it's recommended that that's reported as a breach. So unavailability is a breach.

Barry: That's interesting.

Gillian: Yeah, and that's, I suppose, I haven't thought of. So if you're an HR department and you can't pay your staff, I think you're going to have to report that something is wrong with your system and there's a delay maybe in staff getting their salary. That could be at high risk to individuals' rights and freedoms, potentially.

Barry: That's interesting.

Deirdre: So the impact on staff or users? That's what that's viewed as.

Gillian: That's basically what they're looking at. So availability, that's one area certainly that's, I suppose, I wouldn't have thought of before. So various full guidance within that particular piece of legislation. It also stresses when a breach is detected, that it needs to be reported to the highest level of management to be addressed.

Again, I know just from our own experiences within training, when we ask organisations what happens if there is a data breach, firstly, they don't know what a data breach is. Some organisations will not have that defined. Who do you actually report it to? Is there a level of accountability within your organisation who will actually take it on and deal with it? Given the 72 hours now for reporting breaches, that's going to be really tight in organisations. You're going to have your levels of accountability well defined so that there are no time delays when you come to actually reporting a breach.

Deirdre: So that does actually focus on the need have someone actually there, to have someone in place, and that there is one nominated person.

Gillian: Yes, it's not everyone running around like a headless chicken when something goes wrong. I think it will have to be very tight. We've said about the fines, currently sitting at €500,000 up to €20 million. So that's something you certainly don't want to be hit with.

I think another interesting thing is about when you notify individuals that a data breach has occurred. Again, within the Article 29 guidance, there is this word, they do talk about notifications fatigue, and that not all breaches need to be communicated to individuals. We do give examples within that, so it is worth looking at that because that, I think, will pose a dilemma for organisations, deciding when they do have to notify individuals.

If we go on to look at the increased rights of employees, the GDPR significantly enhances the rights of employees, which in turn presents greater compliance obligations for employers. I think that this again falls into giving employees information about how their information is going to be processed. So it may be you think about privacy notice for your staff, so you're very clear about what you will be doing with their information.

Secondly, employees have a right of access to their data, and of course, this is nothing new, really. They have a right to have an accurate data corrected as well, or rectified. But some of the things, I suppose, within this that are quite interesting are the changes to the subject-access process. If you're an organisation that does a lot of . . . responds to a lot of subject-access requests, you're going to find that firstly, there's no fee, which will hit some organisations quite hard. Secondly, that the time to actually process requests is reduced to 30 days unless it's complex. Again, we're still waiting to see what that will actually mean in real terms.

The other big thing for, and probably more for some organisations, is the right to be forgotten. This will present particularly significant challenges for employers, particularly if an employee has information backed up on other systems and we have to find ways of actually deleting that information. I think that's going to be quite a consideration for organisations, how will you achieve that.

Did you have any examples you wanted to share?

Deirdre: I had an example last year where there had been a staff member who had had a complaint against him and there was a full investigation and the complaint was not upheld in any fashion at all. The following year, this gentleman was going for a job in the same organisation, and a colleague had said to him, oh, and you would need to check that that complaint doesn't come against you, even though it had, you know, it had fallen.

So he actually contacted his HR department to ask about that because he was concerned that that could be on his file. But the HR department had acted very, very efficiently and they had said because the complaint was unfounded, there was no documentation on his file at all, so it would not have come against him. The reason for that is if that information had been held on his file, that could be deemed to be actually something detrimental to him in the future.

I just wonder, does every organisation know that? Are they aware like that? Do they know that there's information that they can only hold in a staff member's file for a certain period of time? That's where their schedules will come into being. If you don't have a good sort of retention schedule in place, people will draw their own conclusions, people will make their own kind of timelines. It is really essential, it always has been, but even more so for the future, to ensure that you have a very, very good retention schedule in place. If you don't have one, you really need to get onto that very quickly.

Gillian: There also is an issue, though, if you do keep, and for an organisation is to keep records 100 years, HR records for 100 years, you have to ask what's the relevance of holding all of that information. There are issues there about keeping relevant information within the file. But we'll maybe move on to our next slide, about accountability.

Ensure Accountability

This is a key feature underpinning the data protection principles. A controller shall be responsible for and be able to demonstrate compliance with the data-protection principles. This is a quote from Article 5 of the legislation, and it does say accountability. So in this case, companies must be able to demonstrate compliance. It's not enough now, it's a move from a paper-based compliance to actual and demonstrated compliance.

As a result, the obligations to notify processing activities to the data protection to ICO has been abolished, but there will be an expectation that organisations will implement a number of measures to ensure that there is evidence to show accountability. So you will see things like the appointment of a mandatory Data Protection Officer, and if data-protection breaches are being notified, it will ask for the main contact details of the Data Protection Officer.

Other things, carrying out privacy impact assessments, and again, we haven't time to go into the details in that. There's lots of information on the ICO website. Organisations, they'll also have to keep records of all their processing activities. So this could be things like documenting all your data-protection breaches, and that's very clearly laid out in the Article 29 Working Group paper that I talked about earlier on.

So there are quite a lot of areas there for consideration. Again, if you're looking to see about whether you need a Data Protection Officer, that's a lot of, open question we get asked all the time. It is somebody, a Data Protection Officer is designated on the basis of their professional qualities and expert knowledge. So if you're thinking of appointing somebody as a Data Protection Officer, you're going to have to train them. You're going to have to make sure they have the right skills to deal with the tasks as detailed out in GDPR.

Deirdre: This also brings us to self-assessment.

It’s really important that you do carry out a self-assessment of what is actually happening now. Self-assessment, that's certainly something we do a huge amount of work on. Self-assessment should give you assurance of your processing in terms of all of your DP work and should assess your compliance with the eight principles, how you manage them and how you make sure that you meet them. It should also help you to get ready for GDPR, and it should be designed to help you get your house in order.

It should include an assessment of your information security to ensure that you have the proper systems in place for cyber-security, policy and risk, for mobile and home-working, for any sort of portable media that happens within your business, access controls, and malware protection. A big part of it also is about records management.

It's looking at your policies, if you have them, which we hope you do, and if not you have to create them. It will look at how you actually hold and secure PII, personally identifiable information. It should include the whole process of creating records, using records, storing records, and disposing of them, or else keeping them at off-site storage. That is where your schedule will actually come into play. So self-assessment is a good way to start to look and see where do we stand at the moment and where we want to get to.

Make Staff Aware

Gillian: Okay. The final thing I would say is make your staff aware. Deirdre's talked about updating your relevant IT policies, so do you have a policy for social media, do you have a policy for data protection, ICT security, I suppose all the standard policies that we would now expect. Do you actually do data-protection training? Certainly from experience, we would know one of the first questions if a data breach is being reported, the ICO will ask you was that member of staff trained in data protection. If you have said no, you will immediately sort of highlighted the risk. So you don't want that. You want to make sure your staff are well aware. It may still happen, but if you can demonstrate you have the policies, you trained the staff, it still happened, you've taken all the appropriate steps. Certainly I think managing, reviewing your breach management protocols, are key. You need to identify your accountability lines throughout your organisation.

Involve your staff in information asset audits because as Deirdre said, you find these little sets of information or sets of records somewhere that maybe you weren't aware of that somebody has created. Communicate to your staff, okay, you may have updated them, but we have found out that is not enough - you have continually tell staff this is what you should do, this is good practice. Communicate that through your intranet and to your IG newssheets or whatever.

She just highlighted there is a helpline that's just been launched by the ICO for small businesses?

Deirdre: It was just launched on 1st November, and it’s aimed at small businesses. The ICO do actually recognise that these people may well struggle in something because of the size of the organisation. If you only have a few people, do you need to have a Data Protection Officer? There have been some thoughts that that's going to be based on the amount of information that you process, and the yardstick may be around that. But I think that that helpline will probably be a very busy resource for people.

I'd just like to mention in terms of the training Gillian mentioned there, and if it's mandatory training, that's a big tick for you in terms of the ICO. If it's not mandatory, data-protection training does not float a lot of people's boats and you can see their eyes glazing over when you mention it. If it's mandatory, it will have a higher level of attraction, let's say. People know that they have to do it, and you need to, you get interesting interactive as well, but certainly the ICO would view that in your favour if it is needed as mandatory training.

You should also have different levels of training for different groups of staff. If you have, for example, drivers in your organisation, they will not need the same level of training as your staff in corporate departments. So it's valuable to think about that was well.

Barry: All right, thank you very much, Gillian and Deirdre. We've now reached the part of the webinar in which we go to our Q&A session. So if I could just ask everybody in the webinar, if you have a question now and would like to send it in, it's a good moment to do it.

Just as we wait for the questions to come in, I just wanted to mention a couple of things to everyone in the webinar. The first of these is that we at Legal-Island of course have an e-learning module on the data-protection area and the GDPR. So if anyone would like some information about that, you just need to email At the moment we have a special discount of 25% for anyone who is actually in the webinar and would like to sign up for that before the 31st December 2017. As always, terms and conditions apply to that.

The other thing that I just wanted to point out to you, that there is a GDPR event which is taking place and being delivered by Deirdre and Gillian in Belfast on the 21st November, and that it's being held at NICVA in Belfast.

So Q&As, we've got quite a few questions. I don't think it's going to be possible in the time to cover all of them, but what we will do here is to get through a number of them. Any that we don't deal with, we will answer in an email to everybody afterwards.

So the first question that has come in is as follows.

"When are you aware of a data breach?"

Gillian: Yeah, that's a very good question. I guess that I would recommend you look at the Article 29 guidance on this. There is a whole sort of section on awareness, when you're aware. Obviously, if something happens you may get scant bits of information. There is a period of time, we do actually do a short investigation to establish some facts, but once you have determined there was some sort of data breach, you have to report it. Your 72 hours start ticking. They also say that you can report what you know and then follow it up, so there is this sort of phased reporting as well. The guidance documents give you quite a lot of examples that might help you make that decision. But yes, aware is as soon as you can suddenly determine. If you don't report it, unless you have a good reason, that could also get you into trouble as well.

Barry: Okay, thank you very much for that, Gillian. Another one in that reads as follows.

"Data breach reporting is all about punishing organisations. Do you agree?"

Gillian: Well, I can understand why people would actually think that. Maybe you have experience of a breach last year where that was very, very much came to mind. But actually, it isn't really about that. The ICO would like to get the message out that it is not to punish but it is to make businesses better and better equipped to actually deal with their security risks. So it's not about punishing them. The ICO can help you with any issues that come through. So we wouldn't want people to be afraid of the ICO. That's not what their role should be, and they are there to help you as well.

Are HR team members responsible for driving GDPR, or should we rely on the DPO to control progress?

I'd say your DPO should be the person you go to, but I would see you working very closely with the DPO for advice. Obviously, they're the expert. They're there to give you advice, but HR are experts in their own area. They know where their information's coming from, they know issues about consent, who they ask for consent, and so on. So I think it's really a joint role. In some ways HR should push it forward, but you have the DPO for the expert advice, and certainly that would be my recommendation.

"If you don't report in time, a fine will always be issued and the fines will be huge. Is that right?"

Deirdre: That is not actually correct. Organisations should be aware that the ICO can issue fines, which you all know, for failing actually come forward with it. However, fines can be avoided if the organisations are open and if they are honest and if they do actually report quickly. A good phrase to bear in mind is simply just to tell it all, and tell it fast, and tell the truth. Don't try to hide anything. It'll come back to haunt you, I can guarantee that.

Gillian: That's a quote from the ICO.

"Should we encrypt all data sent externally, referral forms, to occupational heath?"

Gillian: I would have said under normal data protection, the current data-protection act, that's yes, if you're sending information like it over the internet, we've always sort of been advised by IT departments that sending an email is like sending a postcard. It can be intercepted and so on. So certainly at this point in time I would recommend that you encrypt any such information. Obviously if it's occupational health data, it's going to be classed as sensitive personal information, and that if that goes to the wrong person, you've breached somebody's confidentiality.

Deirdre: Can I also add there, because I have come up against this before, when you are creating a password with the person that you're sending the information to, that you actually phone the password through. You do not email it because then you're actually emailing something which is just open-ended. So you phone it through. If you've sent the first document to the wrong person, then you're sending the password to the wrong person as well. So you phone the password through. You can agree a password for six months or a year, and then change it. But that is the safest way to actually do that.

Barry: Okay. I understand on the internet there are these things that can actually sniff passwords. And what they do, they look for the word "password" in the email. So again, it's always better not to write out "password" . . .

Deirdre: Absolutely

Barry: We've got a large number of questions here, but unfortunately we've run out of time to respond to any more. So what I'm going to suggest now is that the majority of them I'm looking at, I think we can respond to these by email, which we'll do, to everybody that's joined the webinar and everybody that signed up for the webinar. There are one or two that are very, very detailed and they're very specific, and we think for those it makes sense if we get back in touch with the person that sent that in directly, just in case we've misunderstood something and there might be legal ramifications around that.

So in wrapping up, it just leaves me to say one other thing, I'll just pass to you…

Deirdre: Okay. One other thing I would like to say, our event on 21st of November is a very, very practical event. You've heard a lot of the theory today, you've heard a lot of information. What we find that people actually want to know is, okay, I know all that, but how do I actually do it on a day-to-day basis. So on the 21st November at our event in NICVA, we will be focussing on building your DPO, and what that DPO needs to have, what that role is going to look like. We're going to be looking at the training and awareness of staff, at the 12 steps to take now. We will be looking at case studies and how you will handle things in the future.

So it will be a busy day… it's a full-day event… but it will be a very, very practical day. If you're interested in finding out more about that, please contact, our data bits are there. And ILM registration is also available, which is a very nice spot of reassurance for your DPO. So we look forward maybe to seeing you at that event.

Barry: Okay, Deirdre, and just leaves me then to wrap up and say thank you very much to everybody for joining the webinar this morning. Thank you to Deirdre and to Gillian for covering some really useful points there. I hope everybody has enjoyed the webinar and found it useful. We will be in touch with a copy of the slides and the webinar, and I look forward to you joining us again at a webinar in the future. Thank you very much.

Supplementary Questions

Q1. With regard to the Data Breach and paying salaries - if the system crashes/ or someone is behind with processing resulting in a delay in wages by a few hours, do we report this or is it just notified if they aren’t paid on the day they were expecting payment?

Look at the advice given in the Article 29 DP working Party. Guidelines on Personnel Data Breach Notification under Regulation 2016/679. You will need to consider if it presents a risk to individuals’ rights and freedoms.  Also Article 33(5) recital 87 of GDPR.

Q2. Do the employee rights extend to job applicants, whether successful or otherwise?

If you are processing personal data on all job applicants this will fall under GDPR.

Q3. How do we balance the right to be forgotten with the statutory right to retain information i.e. finance information retained for 7 years by an employer?

Generally personal data should only be retained for as long as necessary. The retention periods can differ based on the type of data processed, the purpose of processing or other factors. Issues to consider include:

  • Whether any legal requirements apply for the retention of any particular data. For example:
    • Trade law;
    • Tax law;
    • Employment law;
    • Administrative law;
    • Regulations regarding certain professions, e.g. medical, social care
  • In the absence of any legal requirements, personal data may only be retained as long as necessary for the purpose of processing. This means data is to be deleted e.g. when:
    • the data subject has withdrawn consent to processing;
    • a contract has been performed or cannot be performed anymore; or
    • the data is no longer up to date.
  • Has the data subject requested the erasure of data or the restriction of processing?
  • Is the retention still necessary for the original purpose of processing?
  • Exceptions may apply to the processing for historical, statistical or scientific purposes.

Q4. Will we have to continue annual DP registration per individual sites with the ICO? If yes, will this be the responsibility of the Data Protection Officer to hold a central register of Company sites?

See ICO blog Article 39 of GDPR outlines the Tasks of the data Protection Officer you may require the DPO to hold the register of company sites.

Q5. What are the different retention periods?

If your Organisation has a retention Schedule, you should refer to it.  If you do not have a Retention Schedule, you should consider creating one. Retention periods differ greatly between records containing ‘personal identifiable information’ and corporate records, like Finance, Estates etc.  Please see information contained at Q17.

Q6. Does GDPR extend to customers / clients etc., or just employees?

GDPR will apply to all personal identifiable information that you process.

Q7. If an employee exercises their right to be forgotten but we still have a legal obligation to retain that information dos the legal obligation override the request?

See response above

Q8. Is there a self-assessment tool available? If so, where to access?

See link

Our event on 21 November in Belfast will include information on how to carry out self-assessment – there is a methodology involved and you need to know what you are looking for and what it is being measured against.  This is part of the work we do and we are very experienced at it.

Check out our website on or contact to find out more about self-assessment .

Q9. Will employment contracts need to be amended to reflect a more detailed wording regarding a data protection clause in a contract?

ICO may look for evidence of DP responsibility within a contract and having this detailed in an individual’s contract would be good practice.

Q10. Hi as a part of a group with multiple companies within the group, would a data protection officer need to be appointed for each company or would one for the group be suitable?

Look at Article 37 and Recital 97 of GDPR for further guidance.

Q11. Is there any guidance around what constitutes a "high risk" to an employee's rights/freedoms that would require disclosure of breach?

Recital 75 & 76 of GDPR suggests that when assessing risk that consideration should be given to both the likelihood and severity of the risk to the rights and freedoms of data subjects.  It may require that the risk is evaluated via an objective assessment. See page 20 of Article 29 DP working Party. Guidelines on Personnel Data Breach Notification under Regulation 2016/679.

Q12. Is one privacy statement sufficient or does each document have to be signed e.g. contract, health info etc?

Being transparent and providing accessible information to individuals about how their personal data will be used is a key element of the GDPR, the most common means is via a privacy notice.  It may not be effective to use a single document to inform users about now personal data will be used.  The ICO talks about a “blended approach”. See for more detailed information.

Q13. If we outsource staff pay - the consultant works from home on a web based system password protected - is this a breach?

Have you considered the technical and organisation measures in place to protection personal data (principle 7 of DPA). Is data encrypted when transmitted, will data be secured by consultant, have you a contract in place?

Q14. Re: DPO role. We are a small health service body and have an existing IGO (Part-time) who has knowledge and skills in this area. We would propose she is also the DPO is this an acceptable arrangement?

See the response to Q10.

Q15. I feel that there will be not only a financial implication with requests from solicitors but also impacts on administration time. Is there any cost to client at all?

At this stage there appears to be no charge to anyone requesting copies of personal data. Under GDPR the fee is removed and the processing time reduced.

Q16. Tell me more about what consent is needed, and how is this applied?

Employers should consider instead relying on a different valid ground for processing employees' personal data such as where the processing is necessary for the performance of the contract or for the purposes of the employer's legitimate interests. This is because an employee will be able to withdraw consent at any time to the processing if the employer relies on consent as a valid ground for processing data, which would create significant difficulties for the employer.

Where consent is still required, such as when obtaining occupational health reports, then employers should obtain separate consents outside of the contract of employment to deal with the processing of data (and particularly sensitive personal data - to be known as special categories of data under the GDPR) for specific purposes. Clear records documenting the consent and also how it was obtained (to be able to demonstrate the processing is in accordance with the GDPR) will become all the more important.

Q17: What about retention periods for payroll / hmrc records?

If your Organisation has a retention schedule, you should refer to it. Payroll records can usually be found in the HR Section.  If there is no Retention Schedule available, you should consider creating one.  Retention periods are usually included as part of a regulation or legal guidance.  If you are a public body you can refer to DHSSPSNI Good Records, Good Management (GMGR Revised 2011) Ref L35.  However, if you are not a public body, this document could help you create a retention schedule*.

*Creating a Retention Schedule will be included in our event on 21 November 2017 in Belfast.  ‘Keep Calm and Prepare for GDPR’ will cover all the practical aspects of how to manage the changes on a daily basis.  There will also be case studies with real practical solutions and it will be a very ‘hands-on’ day. You may wish to consider enquiring about it.  Go to our webpage at or contact


Legal Island’s Data Protection eLearning Training

Legal Island are delighted to offer all webinar participants 25% discount off the Data Protection eLearning training package, if confirmed before 31st December 2017. Please contact Debbie Wilson from our eLearning department on for access to trial the module on behalf of your organisation. She’ll be happy to discuss your training needs further.


This article is correct at 14/11/2017

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.

Legal Island
Legal Island

The main content of this article was provided by Legal Island. Contact telephone number is 028 9446 3888 / 01 401 3874 or email

View all articles by Legal Island