5 Things HR Professionals Must Do in the Role of Data Protection OfficerPosted in : Supplementary Articles NI on 20 March 2018
The GDPR will apply in the UK from 25 May 2018. Does your organisation need a Data Protection Officer, and is that you?
This webinar recording for the HR professionals helps remove the fog surrounding the role of Data Protection Officer and clearly explain what it is you need to do to ensure your organisation is fully compliant.
In this webinar recording, our presenters:
- Explain what is a Data Protection Officer
- Advise what the Data Protection Officer is responsible for
- Help you prepare for the role of Data Protection Officer (DPO)
- Give you action points to take away and implement.
NOTE:Don't forget, Legal-Island has worked with a team of data protection experts and lawyers to develop a GDPR Compliance in the Workplace eLearning module, specifically for Northern Ireland organisations. Find out more and get instant access here:
Kellie: Good morning. Welcome to our webinar, "5 Things HR Must Do in the Role of the Data Protection Officer." My name is Kellie Shields. I'm eLearning Operations Executive here in Legal-Island. I'm delighted to be joined this morning by two consultants from Yearn2Learn, Deirdre Allison and Gillian Acheson.
Our webinar today will be approximately 30 minutes. Please take the opportunity to use the chat facility to ask your questions. We will try to answer as many as we can, but I'm sure you understand that there will be quite a few questions and it's very content-rich here today, for the next 30 minutes. So if we don't get to address them all, we will contact you with the answers.
During the webinar, also listen up carefully for some additional resources available to help you in your role. We will send some additional resources in the post-webinar email.
Okay, [inaudible 00:00:53], let me introduce our speakers. First of all, we have Deirdre Allison. Deirdre is the owner and training consultant for Yearn2Learn, a corporate records manager with over 20 years' experience in records management archiving. Deirdre's responsibilities also include policy development, creation and delivery of training programmes, processes, and procedures. She's recently achieved [inaudible 00:01:14] accreditation, and has been a keynote speaker in key conferences, including the ICO Data Protection Practitioners' Conference in Manchester in March, 2016.
We're also joined by Gillian Acheson, who's the Assistant Consultant for Yearn2Learn. Over the last number of years, Gillian has presented at a number of conferences for the ICO, for the Information and Records Management Society, and the Archives and Records Association UK. She's also an assistant consultant for Yearn2Learn. Gillian also has over 20 years' experience in IT, information management, and research in the health and social care sector.
Kellie: I hope everybody now understands the wealth of experience that's sitting in the room with me, and I'm not at all concerned with that. Well, I hope they're not going to ask me any questions. So now what I'm going to do now is pass them over. So don't forget, ask your questions, and we will try to get those answered for you.
Gillian: Okay. Thanks very much, Kellie, for that. Today we're looking at the role of the data protection officer within HR. Just to say, and I'm sure you know all of this already, about the new GDPR coming in on the 25th of May. But it does represent a significant shift in European data protection legislation. We were just counting there, how many days have we got left, so finding it's 66 days and 13 hours. So it's really coming quickly now.
It will replace the Data Protection Act 1998 and the current Data Protection Bill will become the Data Protection Act 2018. And this will fill in the gaps with the GDPR, so it'll address these areas within GDPR, whether it's flexibility and where derogations are permitted. Just to emphasise again, UK's decision to leave the EU will not affect the commencement of the legislation.
Key points of the legislation, I think you're probably hopefully all aware, it strengthens the principles of data protection by putting more focus on accountability and security. I will be mentioning accountability a couple of times throughout this morning's webinar.
If you process personal data, you are obliged not only to comply with the new law, but to demonstrate that you comply. If you are the DPO for your organisation, if this has been bestowed upon you, as we seem to hear a lot about when we're out training, you need to be thinking about how you will actually demonstrate actually are complying with the legislation. We'll be talking about this later on in the webinar.
In terms of things that HR must do, I suppose you've highlighted five things. There's lot of things, and [inaudible 00:04:05] developing the other things you should do as well, so it's not really five.
The first thing is know the legislation. It impacts on organisations in different ways, so it's understanding what it'll actually do for your organisation or what you have to do in the role of the DPO.
I think understanding what the legislation says about the data protection officer role is very important as well. Just what you are responsible for is important to understand.
Thirdly, understanding what information you hold, and this is something that's mentioned in a lot of the ICO guidance, so being very aware of what you process, what you store, and so on.
What does accountability mean? What's being accountable mean as well? Again, this is a key word and a big change in the legislation.
Then finally we just [inaudible 00:05:02] about developing an action plan to meet some of the key tasks to be carried out.
[Inaudible 00:05:09] just about legislation and what's available.
Deirdre: Okay, Gillian, thank you very much. Well, the good news is that there is lots and lots of information out there, and the ICO website is the best place to go to for it. You should start off with the 12-step guide, which I hope many of you will already have bought and are working your way through it. And if not, that's where you should go after this session is over.
On the ICO website you will find information that is really helpful, and templates. You'll get information about privacy statements, about other areas, such as impact assessments. You will also be able to access the Article 29 DP Working Party guidance, which is specifically on the DPO role, and that is probably an area that you are particularly interested in.
There are lots of ICO freebies on there. You will be able to get information about data sharing checklists. You'll be able to get information on the new principles, which we will all have to get our heads around, because we have been used to talking about Principle 1 and Principle 3 and Principle 5. That is actually going to change.
Another interesting area is the myths section of the website. These are all the scary stories that you will have heard. If you go onto the myths, they're updated every week and some of them are quite amusing. But basically, they are very, very useful, and they will actually provide a huge amount of clarity for you.
The Commissioner also does a monthly blog, which will bring you bang up to date and explain to you where things are.
In November, the ICO launched a special helpline for small businesses because they do recognise that small businesses really want to be ready when the time comes, but they often struggle to know exactly where to start. They also acknowledge that small businesses will have less time and less money to invest in actually getting to the point where they are fully compliant. So the ICO website is a really excellent place for you to start this journey.
Over to you, Gillian.
Gillian: Okay, thank you. I suppose firstly, understanding the role of the data protection officer, does your organisation need a DPO? You can see more about this in Article 37, but it does if . . . the GDPR requires designation of a DPO in three specific cases.
Firstly, where the processing is carried out by a public authority or a body, and it will be mandatory for controllers and processors, for all public authorities and bodies. You can see further guidance about this in, as Deirdre said, the Article 29 data protection Working Group guidance on this, in terms of the terminology used within this. Even private organisations carrying out public tasks or exercising a public authority task should designate a DPO.
Secondly, where the core activities of the controller or processor consist of processing operations which require regular systematic monitoring of data subjects on a large scale, it's a bit wordy. But the guidance and data protection officer document defines things like core activities. What does that actually mean? That's deemed to be key operations necessary to achieve the controller or processor's goals.
I think it recognises that all organisations do carry out certain activities. For example, they pay staff and they might have an IT support function. These are necessary support functions for an organisation, but these may be the only processing that's done around personal information, and these are ancillary functions to the core tasks of the organisation. So you might want to check the guidance to see, do you need a data protection officer in the first case.
The third point there is really talking about the special categories of data. So if you're processing information, racial, ethnic origin, political opinions, religion, sexual orientation, health, and so on, that's how special categories are defined, and you may need a data protection officer in that case.
Certainly when we're out training, some of the frequently asked questions, can an organisation appoint a DPO jointly? The legislation says yes, as long as he's accessible, the individual be accessible from each establishment.
Can you appoint an external DPO? Yes, again. They should fulfil the tasks and duties set out in Section 4 of the GDPR. It's important with somebody coming in from the outside that there aren't any conflicts of interest. This is really linked to the requirement for the DPO to act in an independent manner. So you'll have to think about that.
What professional qualities should a DPO have? When you read the legislation, it talks about being designated on the basis of professional qualities and particular expert knowledge of data protection law and practices, so you're hoping to appoint somebody into that position.
"He can't be a DPO." This often comes up as well, and really, if there are conflicts of interest, they can't be a DPO. And it can't be somebody who determines the purpose and the means of processing personal data. So again, if you're looking around your organisation, deciding who the DPO is going to be, you'll need to bear that in mind as well.
In terms of the position of the DPO, what will they actually be doing or what do they need? The GDPR is quite specific about this as well. They should be involved in all issues relating to the protection of personal data.
So if you're doing something different with information, if you're collecting information in a different way, your DPO should be involved in that at an early stage. I think we've seen lots of examples where something's going to be launched and at the last minute somebody thinks, "Oh, maybe you should check out the privacy issues around this." Suddenly there's lots of things haven't been resolved.
The opinion of the DPO must be given due weight, and if an organisation chooses not to do what their data protection officer decides, the DPO will have documented what their advice has been.
In terms of data breaches, a DPO will have to be involved in that, and very promptly if your organisation has a data breach. Within the regulation now, there's only 72 hours to report a breach to the ICO. This is incredibly tight, so you need to make sure you've got some sort of accountability or some sort of structures in place to allow that to happen.
As DPO, as well, you have to have the necessary resources to do your job effectively. So that could be things like having the active support of your senior management, having sufficient time to do your job. If you're doing it as part of another job, you need to make sure you've enough time to dedicate to your DPO role...adequate financial, legal, or IT resources as well, adequate training. So it's expected that the DPO does have resources to do their role.
One of the big things is acting in an independent manner. You're really there to advise the organisation, but you're also there to advise data subjects as well. So it is a role that requires a degree of independence.
The other thing that's, I think, caused quite as lot of confusion is it talks about that the individual must report directly to the highest level of management within the organisation. This is something that I think quite a lot of people have had confusion about. Does this mean they should be at board level? Should your DPO [inaudible 00:13:58] senior of member of staff?
We did ask the ICO about this and I think they clarified to say that it should be somebody who has access to senior management, who fulfils the roles in GDPR. And they may be able to demonstrate this by producing an annual report every year.
Oh, I think we're got a question through here. Let me just read it. Can you see that?
Kellie: Yeah, [inaudible 00:14:25]. Are the data protection officers personally responsible [inaudible 00:14:30] comply with GDPR?
Gillian: Yep. That's a very good question, and it does say in the legislation that DPOs are not personally responsible if there's a case of noncompliance with GDPR. And they've been very clear that it's the controller or the processor who's required to ensure and demonstrate processing is performed with the necessary provisions. So data protection compliance is the responsibility of the controller or the processor, not the DPO. So I hope that's a bit of reassurance for any of you out there, if you have that role.
In terms of data protection officer role tasks, this is defined in Article 37. You can see the various things that are listed there. So it's things like monitoring compliance, and I'll be saying a wee bit more about that in a minute. Informing and advising staff on processing information or performing privacy impact assessments. Cooperating with the supervisor, and the supervisor in this case is the ICO. So it is working alongside the ICO, making records available on request. And then acting as a single point of contact for data subjects, providing information on data subjects' privacy-related rights, and so on.
So that's sort of very high level what the DPO tasks would actually be. [Inaudible 00:16:01] a wee bit about knowing what information you hold.
Deirdre: Okay. This is one of the first key steps in the 12-step programme, and it's basically about finding out exactly what you have. Many, many organisations may hold facts, of data, of records, and they don't even know that they actually have it.
So the first thing that you should do is to ask yourself what do we do? Why do we collect all this data? Understanding the big picture will be extremely, extremely helpful to you.
What sort of information do you have? This is normally collected or known as information survey or else information — well, they say audit, but we don't particularly like that word, audit, because people get very scared about things like that.
But some sort of an asset register would be extremely helpful, where you would want to list what your asset number is, as well as the number of the asset. What does it do and where is it held? Who actually owns it? And the volume. Is it personal data? Who has access to it? Is it shared, and if so, is it shared internally, is it shared externally? And the format that it is in, how long it should be held for. What sort of risk does that actually present to you? Is it a minor asset, is it a major asset? If you lost the asset, what would that mean to you? You need to be thinking about things like that.
You also need to know, where is your information kept, and the answers to that could be extremely broad. You need to know what sort of systems do you have in place, what sort of life cycle is there. Is it some sort of an IT system? Is it going to be coming to the end of its life cycle? You need to know, does it talk to other systems or is it like a stand-alone system? And perhaps some of your IT people can actually help with that.
Another good way to know exactly what's going on and how information is actually being processed is to carry out a very simple self-assessment. The ICO do, and do have templates for this. But if you're going to do that, you need to know exactly what you're going to measure that against.
So when you carry out self-assessment, one of the big pluses is that that can actually give you reassurance that there are many things that you are doing well. But it will also identify any gaps or perhaps risks in your area of work, and it does give you the chance to actually put them right at that point.
So the ICO are big, big fans of self-assessment. If they are involved with you and they see that you have actually carried that out, that's a big tick from the ICO.
Gillian, back to you.
Gillian: Okay. Just maybe on in terms of accountability, I mentioned earlier on, just a wee quote here from the Information Commissioner, and just how they see the new legislation as creating an onus on companies to understand the risks that they create for others and mitigate those risks. It's moving away from seeing the law as a box-ticking exercise. She talks, really, about developing a culture of privacy within an organisation.
And reading through some of the ICO information talks about GDPR being the cornerstone of organisations, accountability sits alongside the six data protection principles and really underpins all of those. As I was saying earlier, that's the bit you really have to try and demonstrate, that you are accountable in your organisation.
I suppose one of the big things within this is that you will require documentation under GDPR. You must keep information on processing purposes, data sharing, retention, and so on. If you're registered with the ICO at the moment, you would have provided a summary of your process and activities. Come the 25th of May, that's not going to be required anymore, but you will have to hold that locally. So if you have that at the moment, at least that's a starting point. You can use your existing register entry as the basis from which to create your record of processing activities.
So you will need to look at what sorts of things you can demonstrate under this new accountability. Do you have data-sharing agreements? Deirdre talked a bit about there, about information assets. If you identify [you're 00:21:09] sharing information with organisations, do you have a data-sharing agreement? Do you process subject access requests? Can you demonstrate that? Can you demonstrate compliance within the time frames? Do you have a retention schedule? Can you demonstrate that you follow that? How do you manage data breaches, and so on? There's a lot there that you can capture as part of your documentation.
The big thing, I suppose, is trying to develop an action plan. Deirdre mentioned the 12 steps that the ICO have out, and this is probably a really good basis to start if you haven't already got an action plan. There's 66 days left, so you've a bit of time to do this.
But looking at your information, one of the other key things is looking at the legal basis for holding information. So you need to look at, as Deirdre said, the assets, but why are you holding that information? Do you have a legal basis for doing that? I know quite a lot of HR departments are looking to see what data they process. Do they need consent of the individual, or can they rely on other processing conditions to process that information?
So in terms of an action plan, document your processing activities. Look at your privacy notices. So what do you tell people about the information you hold? Do you have privacy notices already devised? The ICO will give you good guidance on that, and there are changes to what they expect you to tell people. So look at their guidance and their checklists and that.
How do you respond to subject access requests? You have less time to do it and you can't charge people, either. So will you have the resources to do that? If you're an organisation that process a lot of subject access requests, how are you going to manage that activity?
Taking stock of your processing activities, I think also hopefully will help you to streamline what information you do hold. This will link, I suppose, to the rights of the individual under the GDPR. There's quite a number of rights of the individual have been strengthened, the right to be informed, the right to be forgotten — which is a big one for some organisations — the right to rectification, data portability, and so on. So there are things there you'll have to think about as well.
Hopefully, through all of this, you'll start to look at how you will improve your data governance, how you can ensure that you collect the necessary assurance as to what you're doing with information, and also increase your business efficiency.
I mentioned already about data breaches. And again, if something does happen in your organisation, what do you do? Who do you tell? Who needs to know? How do you investigate it? Who will report it to the ICO? So getting lines of accountability are important with that.
Another big area is training. How do you train your staff to reduce any data governance incidents? If you've ever had to report an incident to the ICO, you'll be familiar with the templates. And one of the questions it does ask was whatever happened, you have to give an explanation on this. And then [it will 00:24:34] say, "Was that individual trained?" If you say no at that stage, you've already sort of, I suppose, fallen into the pit hole. So you want to avoid that. Make sure your staff are well aware of data breaches and what to do and so on.
Okay. We're just looking at the questions here. Is there a conflict of interest with HR being a data processor as well as a DPO? There may well be. You need to look at the legislation. Check the guidance and see. A data processor will be accountable in the same way as a controller, and that's a change within GDPR. So you might now have to look at the guidance and see if there are conflicts of interest within that.
There's also information here, somebody's asked about how long you keep information on former employees. Certainly within your organisation, you — well, Deirdre, maybe you want to pick that up, in terms of retention?
Deirdre: Yes, certainly. Some organisations will actually hold onto staff's files until they are age 100, and the reason for that is actually to do with all of the changes to do with our pensions. Other organisations will maybe set that at six years and then maybe review the files again at year seven. There are a number of schedules that we could direct people to which will give them some guidance on that.
But you do need to have that tied down and not have it loose. And you need to know where the information is going to be stored and who is actually going to review that when the time comes. So it's really important to have your schedule at hand and not to play the guessing game, as we call it. Have it written down. Make sure that everyone actually knows where that is and can actually look at it and apply.
Gillian: And I think that that's one of the big things when we're training and people ask about retention schedules.
Gillian: If you don't have a retention schedule, you're going to end up holding all your data forever, and that's going to impact on your subject access requests, potentially your FOI requests if you're a public organisation as well. So getting a good retention schedule in place is a key way of ensuring you're not holding information unnecessarily.
Deirdre: And it's really important, when you do have that in place, that it's actually reviewed every four years. It's not something that you bring in today and in 20 years, it's still sitting there. As time passes, we all create more records, and those records need to be added in. So it's always very good to have that built into it.
Gillian: Okay. Maybe this, too, [inaudible 00:27:36].
Deirdre: I'd just like to say, as a follow-up to today's webinar, and we've been asked about this by many different sorts of organisations. We are actually having a training day on Tuesday, the 24th of April, and it is, the whole focus is on, it's on the DPO role. And it's called "The First 100 Days in Office." So that's like being the prime minister or something like that, and it's all the things that you would want to do.
It will be a very, very practical day. Anyone who is going to have the honour of being the DPO and have it bestowed upon them — because I don't think many people will be sticking their hands up for this role — that would be an excellent day for them to come to. So if you want to know more about that, you can get in touch with us.
Kellie: Great. And these slides are [inaudible 00:28:28] an email today, so all those teachings will be there and your email address . . .
Kellie: . . . [inaudible 00:28:34]. We'll also make sure your contact details are on [inaudible 00:28:37] webinar. The other information resource there is the [Inaudible 00:28:41] join [inaudible 00:28:44] experts [inaudible 00:28:45] and we just recently launched our [inaudible 00:28:49] compliance [inaudible 00:28:50]. And in order to get some [inaudible 00:28:53] for that and also get some [inaudible 00:28:55] organisation, you can contact Debbie@legal-island.com. Again, these [slides 00:29:02] will be in your email. I want to make sure everybody has contact details for that.
I know that [inaudible 00:29:09] Legal-Island [inaudible 00:29:11]. We had a very successful conference [inaudible 00:29:13] last week?
Deirdre: At some time, at some conference, yes.
Kellie: And there'll be a repeat of that happening in the next few months as well, [inaudible 00:29:21] announced. And just keep an eye on our website, legal-island.com, for more details on that.
I think we have a slide there with all of your details there, Deirdre and Gillian, for anybody who has some questions. Anybody who has submitted questions today that we haven't been able to answer, then we will get back to individually. And if there's anything else that they [inaudible 00:29:47] give you a contact as well.
Kellie: We will ensure that the documents that [inaudible 00:29:53] referred to as well [inaudible 00:29:54] so they can get the working document you're talking about there as a PDF, and also links to the ICO website.
It was definitely a 30 minutes full of content. Thank you both very, very much for that. For those of you who do receive this recording of the webinar, feel free to forward it on to those in your organisation as well, and [inaudible 00:30:18] questions about [inaudible 00:30:19] information, share the contact, so feel free to do that.
And the other thing I have to say a huge thank you to you both.
Deirdre: Thank you, too.
Kellie: And hopefully we'll see you again soon.
Deirdre: Thanks. That's kind.
More on Data Protection & Freedom of Information
- Can we ask staff to let us know if they have been vaccinated, and can we keep a record of this?
- Does the chief executive have the right to view sensitive personal data without an employee’s consent?
- Data Protection Implications of Selling From the UK into the EU after Brexit
- Covert Recording in the 'Workplace' - When Might it be Lawful?
- New ICO Guidance on Subject Access Requests and Education Data
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.