GDPR - 5 Things HR Must DoPosted in : Supplementary Articles NI on 23 January 2018
The GDPR will apply in the UK from 25 May 2018 and the Information Commissioner's Office strongly recommend your organisation is ready, are you? With possible fines of €20 million or 4% of global annual turnover do you want to be responsible for a data breach? Do you know what employee sensitive data you hold? Is your application form GDPR complaint?
This webinar recording will help HR professionals remove the fog surrounding GDPR and clearly explain what it is you need to be doing to ensure your department is fully compliant.
Presenters Deirdre Allison and Gillian Acheson:
- Explain the GDPR and the impact it could have on your organisation.
- Share real-life examples of HR departments that got data protection wrong and paid the price.
- Help your HR Department prepare for the introduction of the GDPR
- Give you action points to take away and implement.
- Give you the opportunity to ask questions
Kellie: Good morning and welcome to our webinar here this morning with Legal-Island "GDPR - 5 Things HR Must Do!" I must say, I'm delighted this morning to be joined by over 200 people. It's obviously a very important hot topic for the HR people of today. And this is the second time we've run and it's obviously very high up on everybody's priority list.
And just to let everybody know, we have the ability to answer and to ask questions today. Just feel free to type them into the chat box. I see we already have a couple coming in there, so I know that there's going to be a lot of questions asked today.
And we have two experts with us today from Yearn2Learn, both with over 20 years' experience. So it's a great opportunity to pick their brains. If we don't get through every question today, fear not. They have agreed that they will respond to the questions afterwards and you will receive them in an email afterwards.
And to make sure everybody is awake and with us this morning I want to start by a very quick poll, so you all know how to use the system. The question I'm asking here is, who is responsible for training in your organization? Is it yourself, is a Finance, IT, or the Office Manager? I see we already some people here putting in there answer.
Deirdre and Gillian, that's 67% here are saying that it's HR. So that's good. We've got a good audience this morning they're going to listen to you. That's great. Thank you to everybody for that.
Also just to let you know that we will be mentioning throughout the webinar . . . It's going to take 30 minutes today. We're going to be mentioning lots of helpful resources. We're going to be pointing you in those directions. We'll also be talking to you about two events that are coming up, local events. They'll be very worthwhile for you. And also the opportunity to do some eLearning and to take our free-trial of eLearning after this webinar.
But, first of all, let's get down to business. I know there's lots to cover. As I say, we've got two experts here today. We have Deirdre Allison, owner and training consultant of Yearn2Learn. We have Gillian Acheson who is the associate consultant of Yearn2Learn. Deirdre has over 20 years' experience as Corporate Records Manager. She is a keynote speaker at U.K. conferences as well as winning the IRMS New Professional Award and U.K. Team of the Year Award 2014. Deirdre also recently presented at the ICO Data Protection Practitioners Conference in Manchester.
Gillian has presented at a number of conferences for the Information Commissioner's Office, Information and Records Management Society, and the Archive and Records Association U.K., and is also an associate consultant for Yearn2Learn. Again, she also has over 20 years' experience. I'm sure you'll agree with me that we have lots of knowledge in the room and we'll be delighted to hear what they have to say. On that note, let me pass over.
Gillian: Okay. Thank you very much, Kellie, for that. I suppose it's worth starting off to look at what the general data protection regulation is. And I'm sure you're all very aware. I know there's been a lot of publicity around it, but it does represent a significant shift in European Data Protection Legislation since the directive was enacted in the 1990s.
I suppose it's there to try and harmonise the legislation throughout the EU. It will completely replace the Data Protection Act 1998. So that will go and everything else will fall under the GDPR. This comes into force on the 25th of May. And it's also worth noting that with Brexit and so on, we still have to implement this and even when we come out of the EU we will still have to implement the Data Protection Act, which is the bill is currently going through the process, but that will apply and that will embody a lot of the requirements of GDPR as well and giving a specify further definitions in certain aspects.
And so, Kellie had given us the title really about HR's five steps to GDPR. And it was actually quite difficult to try and break it down to just five things that you have to think about. So we picked these particular things. And I think we said is 196 days ago, but it's actually less than that.
First thing is really understanding on information you hold and we'll say a bit about that. Looking at data breaches. Again, many of you will maybe be familiar with the process around that. Be aware of increased rights of employees. There are other things we have to consider within that. Ensure accountability. And again, this is one of the core areas of GDPR, is you have the data protection principles, but underpinning all about is this idea of accountability. It's no longer enough just to say you'll comply with it and the principles you actually have to demonstrate that. So that is quite a shift from the current legislation.
And then the other thing I think is very important is to make staff aware. So you have to think about what you're going to put in place so that staff know what's coming when it's implemented in May. As Kellie said, the ICO is a very good source of information. You'll pick up a lot of policies, guideline standards, and so on that will help you. And we'll talk a little bit about that throughout the webinar.
Okay. Knowing what information you hold. This is probably a key thing within HR. You obviously hold lots of information. You manage endless amounts of employee data. Some of this will fall into what's classed, what would have been sensitive personal data that's now classed as special categories data. So if you hold things like trade in your membership, if you hold information, medical information maybe through your occupation health, there'll be other things you may have to consider before you process that information.
So it's worth trying to understand the flows of data within HR, how you process it, what you do with it, or who you share that with. Probably the big thing is understanding that the legal basis used to qualify the processing. Obviously, there is some cases where you don't need consent. You have a contract with the individual, you have to pay individual, you have a contract in place and consent isn't necessary. But you may have other areas of information within HR where you may need to have consent of the individual and that's something that you will need to look at. So by looking at some of your information flows I think that helps to try and focus on that particular issue.
The other thing probably that's quite useful in this is that for outsourced HR and recruitment, the regulation will present a new legal burden, a presence suppliers as data processors enjoyed limited liability with contractually arrangements with data controllers. But under the legislation, such processors will be required to comply directly with GDPR, and that's very different. So they will have, I suppose, direct liability if something goes wrong. So that's worth considering as well if you outsource any of your processing of information.
So I'm going to just look at basically just Privacy Notices. I think this is . . . And there was a question came in about . . . Sorry, I'm just reading it here. Do you need to comply a checklist and get staff to sign off as to what information is kept in the personnel file? I would say on the whole you probably process information for statutory purposes, contractual purposes to pay somebody. So you may not need to have consent for all of that but that's where I talked about the data flows and it might be useful to review that.
It may also be really useful to think about privacy notices, and this is really telling staff what to do with your information. So at a very early stage you may advise staff, you collect information for the following purposes and so on. And if you look at the checklist on the screen there, this is one from the ICO. Well, it gives you a good, I suppose, a good checklist to look at your information against and to see, do you tell people about this, do you tell them about what you do with their information. How you do that? How can they get copy of information and things like that? And again if you look at the ICO website, you'll get a lot more information around how you would devise a privacy notice.
It may also include things like, if you're processing information on behalf of patients, clients, customers or whatever, you may need to think about how long you hold information for and, Deirdre, you're probably more of an expert on the retentions schedules that organization should have.
Deirdre: Yes. I have schedules on to some [inaudible 00:09:15] have been around for many, many years. However every organization should actually have one. If you don't have one, you need to ask yourself why you don't have one, and you need to consider establishing one very quickly.
If your organization has got different schedules and different departments, you would need to get those sort of standardized because I have worked in some areas where each department does its own thing, but you need to have one single one for the whole sort of organization. It should be accessible, it should be up to date, it should be tied into the legislation for your specific area of work. So the schedule is a very key area. It has always been around. That is not new. But if you don't have one or if you've never had one, you really need to get one now. And that's something we can talk about later on.
Gillian: Okay. So that's privacy notices and that's about telling people what to do with the information. I see we have a question. Is there anywhere I can find an information asset audit template? My next slide is really giving you an example of a template. Now, this isn't a statutory requirement of the legislation, but it certainly will give you a very good basis to demonstrate how you've looked at flows within your organization.
This particular audit it's taken from the National Archives. And again, if you go on to their website, you'll be able to pick it up. And it's a good basis to look at each of your main information assets and sort of track through who manages it, what the asset is, what you do with it, who you share it with, and so on. And any risks associated with that as well. So you can do it with systems as well with your particular computer systems. Again, you can look through and see who your system manager is. Is it a system that's going to be obsolete in a couple of years' time? What sort of risks are there around that? So it is a good way of demonstrating accountability.
I said earlier on there about the principles and about having to demonstrate accountabilities and evidence that on your information asset is a good way of showing that you've been through the process and understanding maybe where some of your information risks are and help you to understand things like the cycle of technology, you know, knowing when the system is coming to the end of its useful life and so on for upgrades.
So it is a good way of, I suppose, streamlining the information and understanding it. And also understanding maybe if you have records in offsite storage, and again, this is something that, Deirdre, you've probably have come across a lot.
Deirdre: Yes. It's a very, very common problem that may in the past, you know, some services or some areas of work have actually send records off to offsite storage and perhaps have not kept any sort of archiving list. Newer people . . . You know, those people they move on, new people come in and aren't even aware that those records are actually at offsite. So those records which pose a huge risks to you.
You need to have a complete overall view of your records, your live records, and your closed records, what stage they're at, whether they have moved on to the final destination that they have been shredded and not let them build up at some offsite storage place.
Few organizations pay monthly storage fees which are also at risk of a data breach, and that means a fine as well. So it's very important to know not to forget about your closed records. Sometimes we focus very much on the live records that we have now and sometimes forget that we do have records that are [setting patiently 00:13:24] ready to be destroyed, and someone forgets about them.
Gillian: That's also where the HR records are hold generally for a very long . . .
Deirdre: For a very long time, yes.
Gillian: Time. And we'll [inaudible 00:13:35] a bit about that later. Somebody's asked about privacy notice is for applicants. Again, it may be good policy to tell people what you do with your information. And I know in some organizations we have had such access request where people have wanted to go back and get information on their application for whatever reasons. So it's good to say to people, "You know, this is . . . We hold your information for three years and after that it's destroyed or whatever." So it is good to say that when it's within the privacy notice or an online application. You can tell people if they complete an application where the information goes and so on.
Okay. If I just move on to managing personal data breaches. And again, I mean, I'm not going to go through these two particular incidences, but there is lots of examples of incidents where information is lost, where information is left behind on these buildings, [inaudible 00:14:36] emails sent to the wrong person. You only have to look at the ICO website to get a feel of the types of data breaches that occur. We're giving just two examples there. Again, there's people sending information in spreadsheets that have hidden columns that can be [deformed 00:14:55] hidden and so on. So, obviously, the ICO put up all their fines that they have done for the last couple of years. And they're still learning from that. I supposed that's a good message from that.
In terms of the breach management . . . Oops. Sorry. There we are at Breach Management. The GDPR introduces a general obligation to notify data breaches. And that's probably its imaginary requirement now which it wasn't under the Data Protection Act. And as a rule, it has been notified to the regulator within 72 hours. And that's pretty tight. If something happens, you may need a better time to investigate something, but the regulator expects you to have that reported within 72 hours. And in fact, they possibly can fine you if you don't do that.
What is a personal data breach? Again, organizations may not be aware of what constitutes a breach. In terms of GDPR, it's a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data. And when you read through some of the guidance from the Article 29 Data Protection Working Party, it's actually quite interesting to see how far they extend a data breach or security breach. It can be something like not being able to access the system for a period of time which is something that's, I suppose, we wouldn't have thought about in the past. If your system goes down and it has an impact on individuals, maybe it affects from being paid, it affects . . . It's a high risk of the individual's rights and freedoms. You may have to report that.
That will also apply to processors if they are . . . And, you know, sometimes there's a system there, they are treated in the same way. Now as I said earlier, they have the same liabilities. I'm just trying to think of some of the other key things around that. So, that's something you need to think about. And in your organization, how do you manage a breach at the moment? Who do you report it to? And I know when we've been doing training sessions in the past, maybe just ask a very general question. There's sometimes a blind click or [probably reported 00:17:18] my line manager.
But do you have a structure within your organization that will actually manage your data breach if it occurs? Who will you tell? Who then authorizes it to be reported to the ICO? Who prepares the information for that? So that's something to think about as well. What process would you have in place? Even in 72 hours, what can you find out in that time?
The fines to pay. Do you have some sort of data breach? At the moment there at half a million, but the ICO they gone up to 20 million or 4% of gross turnover, whatever is greater. So, I suppose one of the key things within this is training for staff. If you've ever had to report a data breach, one of the things that you're asked is, "Was that staff member or those staff members trained?" And if you're filling out the breach and you have to answer no that, it immediately puts you in the back of it. If you haven't trained your staff and you've had an incident, the likelihood of a fine could be greater. So training is a key thing to avoid fines for staff.
Okay. I think the other thing, maybe we're often are asked is, "Do individuals have to be notified when a breach occurs?" And again, it's interesting looking at the Article 29 Data Protection Working Party guidance. They do talk about not all breaches having to be communicated to individuals? Otherwise people would suffer from notification fatigue where they're getting all these letters, people send or have done something with their data. So you have to assess it how much risk it puts that person out and is there, what can be done about that if you do or inform them about the data breach?
Okay. Some of the other, I suppose, the third big thing for HR is the increased rights of employees with the new legislation. And it does significantly enhanced the rights of data subjects which in turn presents critical compliance obligations for employers. And I suppose some of these things go back to the privacy notice, telling people about what you will do with their information, how it's processed, what mainly concerns it and so on. And it's to try to give transparency to the processing of their information.
The big thing for, I think, some organizations is the whole right of access to their information. And at the moment if you're an organization that deals with a lot of subject access requests, you're able to charge a fee. You have 40 days to respond to that particular request. Under the new legislation there's no fee, so anybody can write and say, "I would like my personal information." They obviously still have to provide appropriate ID and so on. And you have less time to process it. You have a month to process the information. Now that might be difficult for some organisations if they're particularly large or complex, but that certainly will have an impact at the end. If you're dealing with a complex request, you can extend the time frame by further two months.
A lot is being made about the right to be forgotten, and, you know, people write in and say, "I want my information removed from systems." And again, it depends in the business of your organization. If you have a statutory requirements to hold information, that will have to remain. You need to keep that information for a period of time. But if you're asked to remove information and you have a purpose for keeping it, then that information can be removed. So again, as Deirdre said earlier, your retention period is very important within that in terms of having a schedule in place maybe, yes.
Deirdre: Yes, it does. And a good example of that is at the staff member and does have a complaint made against them, and that's investigated and it's unfounded. And nothing should be held in that staff member's file because that is deemed to be detrimental to your staff member. And I'm not sure if everybody will be aware of that, but that is actually very, very important to know that that's followed the through.
Gillian: Things like the right to rectification exist again if somebody disagrees with what's held about them, they can ask for information to be changed if it's facutally incorrect or in some cases you may have to annotate a record and put the employee's view of a particular circumstance. And again, it's having the right procedures in place to do that. Much like rectification rights, a data subject's right to have their personal data deleted on request should prompt all employers to consider how would this be practically achieved.
Man: Okay. I found this on the web development . . .
Kellie: The joys of live webinars.
Gillian: I know. I'm trying to check the time here. If you go on to the next slide, Ensure Accountability, again, this is, I suppose, the key part of the GDPR and ensuring that new evidence achieving up the principles and not just saying, "Yes, we do that." And there is a sort of shift from sort of paper-based compliance to actual and demonstrated compliance.
And one of the things that GDPR mandates in certain circumstances is the appointment of a Data Protection Officer. And again, it depends on the processing of information that you currently do whether or not you will need a data protection officer. And again that's set out in the legislation. You can see what they expect within that.
There are sort of other things that are mentioned. GDPR expects companies to implement a number of measures such as the DPO, carry out privacy impact assessments as well. And if it's something that's going to be of high risk, actually liaising with the ICO about the data processing activities would be expected as well. And keeping records of all your processing activities, so keeping records of your data breaches, records of your training, who you've trained, data training and so on. Very often if you do have a breach, the ICO will ask you for that information.
There's also the whole sort of a notification side of things. If you register with the ICO, you would have provided a summary of your processing. From May, that's not required, but there is an expectation that you will hold that yourself within your organization. So it's not completely abolished. I think that's . . . Yeah. And here's your DPO. It's interesting and there's a lot of queries around to the Data Protection Officer should be. And the guidance really says it should be designated on the basis of professional qualities and expert knowledge. So if you're the Data Protection Officer for your organization, I do recommend you get yourselves up to speed with the legislation, you know, the Legal-Island seminar and so on. They're generally excellent at getting a thorough understanding of legislation and so on.
Kellie: Okay. Gillian, there's a quick question there. Does the DPO need to be external or kind of be someone within the company?
Gillian: It can be somebody within the company. Again, it depends on the information that you're processing. If you're doing a lot of processing of personal data, you may want to have somebody in-house who understands the processes. It's quite hard to get somebody external that'll be good at maybe coming up with a policies, coming up with what you should be doing. But maybe understanding the business will be more difficult. So if you have somebody internal who has a good knowledge of the business you can train up, that's certainly a possibility.
Gillian: Okay. Making staff aware. Again, I suppose this is one of the key things within GDPR, is making sure your staff know what to do in terms of breaches, how they should be looking after information. Have they updated your relevant IG policy for GDPR? Do you build data protection into induction training when staff start? And that's something that the ICO are very keen on that people don't come in to an organization and start processing information without having some sort of understanding of the value of the information and the importance of keeping it secure.
Is GDPR training mandatory in your organisation? They review on your breach management protocols. Do you have a good way of ensuring that people know what to do if there's a breach and who they should go to? Involving staff in information asset audits, very much . . . Very often staff they grow into the ones that know the information the best. And then how do you communicate information? Do you put up information on your website, in your intranet site? Do you IG newssheets and so on?
If you look at the resources . . . Oh, what does IG stand before somebody ask? Information Governance. Sorry about that. When you're working in this way, you assume everybody knows all these abbreviations. And in terms of looking for further information, I would recommend going on to the ICO website. There is a very good document, "12 Steps to Take Now," that summarizes the key things for organisations to do, and it's a very straight forward guide. It's very helpful in identifying these 12 steps. There's also . . . Deirdre, do you want to mention the helpline that's . . .
Deirdre: Yes, on the 1st of December the ICO set up a telephone helpline for small businesses. They are very much aware that this is very daunting. And what's happening is very, very daunting for maybe a very small business for charities, and it's a great line. I'm sure it will be swamped with many, many enquiries. And I think people should actually make as much use of that as they can and . . .
Gillian: Just to say it's for organizations with 250 staff.
Deirdre: Or less.
Gillian: Or less, yeah. Okay. Just in terms of other resources available quickly. Sorry. Somebody has just asked a question. Is there specific guidance regarding how long to keep certain documents that are not governed by legislation, e.g., doctors and medical certificates?
Gillian: Disciplinary records?
Deirdre: Yes, absolutely. And that's contained within your schedule. It's usually tied into some area of the law, however, there are some areas which are very standard. And there are many schedules available online and that's something we can help you with further if you want to contact us and directly about that we can give you some more and data on that.
Gillian: Okay. And in terms of events? Kellie, do you want to mention?
Kellie: Yep. We wanted to make everybody aware. I'm sure there's a huge amount of information, Gillian, that you've went through there and with help of Deirdre. I'm sure there's a lot of people out there and . . .
Kellie: Slightly overwhelmed. Slightly overwhelmed. As I said previously you guys have a lot of experience and this has come second nature, but to a lot of us this is new and can be quite scary. So there are two events that I wanted to mention. One, is your own that you two are running?
Deirdre: Yes. We're running [inaudible 00:29:39] on GDPR where we're running a full-day event. This is our second event. The third event will be there 30th January. And it's from to 4:30 to 4:30 p.m. It's going to be held in [children 00:29:51], our Northern Ireland unit on [inaudible 00:29:53] road in Belfast. And it is pretty fund by the INN, so you're getting on the front of holiday. It is a very practical session, and there's lots of theory out there, but we found that the majority of people who come to us and say, "Let's walk through what I have to do. Tell me what I have to do." And this event will actually give you that. So if you want to enquire about dates, it will be in the slides. Don't be . . . I'm sure you are anxious and terrified. We can understand that. We'll give you lots and lots of help here for you.
Kellie: Okay. And the other event is . . . It will be best of me to avoid the Legal-Island event.
Kellie: I will get my knuckles wrapped. The Legal-Island event is on 14th of March. And the full program for that is on our website. The early bird offer still available. And we also have an eBook quite often there about training and, you know, needing the records to prove history and all of that in pre and training everybody in induction loss history right.
We do have conveniently enough some eLearning that's Legal-Island to purchase on GDPR. So if anybody wants that, then they're certainly available to get a free-trial of that and they just need to contact firstname.lastname@example.org or give us a call here into the office.
We will be providing all of these slides. There will be an email that will go out and our webinar email it will have the helpful resources from the ICO, it will have a recording of the webinar, it will have slides, it'll have information here about your event, our event, and also that opportunity to be able to get a discount and a free-trial for the eLearning too. And that's eLearning for all employees, not just HR here on with us this morning.
And finally, we also have our hub and there are some data protection and GDPR and information articles on that as well. So there's a lot. There's a platter of information out there to help people, and of course they can also contact yourselves if they have any specific questions.
I know that there are a lot of questions that have come in here today. We didn't get to attack all of them. I'm sure that you guys will be very happy to drop them an email again post-webinar. We'll send them out to everybody. I appreciate it. It's my 11:01 and I'm sure everybody is dying for their cup of tea. And then . . .
Gillian: And the problem will go after all that.
Kellie: They will indeed. Or rush off to another meeting as the rest of us will. All I have to know is just thank you, Deirdre, thank you, Gillian. Thank you for sharing your experience with us this morning. As I said, it's been extremely popular with over 200 people attending. And I'm sure we will and hear more from you to the future. So thank you very much.
Gillian: Thank you.
More on Data Protection & Freedom of Information
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.