Dovetail Software (hr.dovetailsoftware.com) sponsored this webinar, hosting experts Grant D. Petersen (ogletree.com/) and Estella Cohen (trustarc.com/), who shared guidance with HR practitioners and organizations that need to be GDPR compliant by May 25, 2018.
Here's the link to view the recording: http://hr.dovetailsoftware.com/dsadmin/2018/01/31/hr-gdpr-preparing-2018-compliance/
2. Today’s Webinar
• Ask questions using the GTW control panel
• Share to Twitter & other social channels
• Twitter: @Dovetail, @TrustArc, @OgletreeDeakins
• Hashtag: #GDPRcompliance
• Q & A at 10 minutes before the hour
• Big thanks to our presenters: Estella Cohen and Grant D. Petersen
3. GDPR
General Data Protection Regulation
A legal mandate that requires organizations to store and manage EU based individuals’ personal data: basic information, racial & ethnic origin, genetic & biometric information, and even political opinions.
Inventory & Store -> security
5. Estella Cohen
CIPM, CIPP/C, FIP
Senior Privacy Consultant
Toronto, Canada
Ms. Cohen holds dual designations from the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional (CIPP/C) and a Certified Information Privacy Manager (CIPM), and just recently was accepted as an IAPP Fellow of Information Privacy (FIP).
She currently provides consulting and research services to private sector companies who do business in Europe and will need to demonstrate compliance with both the Privacy Shield Framework and the General Data Protection Regulation. Fluent in Spanish with an excellent working knowledge of French, she has shared her knowledge of access and privacy issues internationally.
6. Introduction of TrustArc
Solutions backed by unmatched people, process, and technology
Deep Privacy Expertise
• Large, global, 175+ person team
• Dozens of CIPPs, former CPOs, world renowned policy experts
• Many with decades of experience at top brands across all industries
Proven Methodology
• Informed by 20 years & thousands of engagements
• Based on key global standards: GDPR, FIPPs, OECD, etc.
• Developed by privacy experts, powered by industry leading technology
Powerful Technology
• Purpose built for privacy
• Flexible SaaS architecture
• Used by 1,000+ clients
• Operating at high scale for 6 years
• Ongoing enhancements
• Large engineering & support team
www.trustarc.com
7. Grant D. Petersen
Shareholder
Tampa, FL
Represents and Counsels Employers on:
• U.S. and International Labor and Employment Laws
• U.S. and Global Data Privacy and Data Protection Laws
• Foreign Corrupt Practices Act and other international anti-corruption laws
• Founder of Ogletree Deakins’ Data Privacy Practice Group
• Co-Founder of Ogletree Deakins’ International Practice Group
Additionally, Mr. Petersen advises clients regarding the impact of global data privacy laws in the workplace, the complexities of international transfers of human resources data, and practical steps for compliance with the upcoming General Data Protection Regulation. He speaks and writes on data privacy and employment issues regularly.
8. Introduction of Ogletree Deakins
With offices across North America and Europe, Ogletree Deakins’ practice and industry groups include: Data Privacy, Employment Law, International Law, and Traditional Labor Relations. Ogletree Deakins has a team comprised of experts who specifically cover GDPR Data Privacy.
www.ogletree.com
9. What You Need to Know about GDPR
• Most important thing to know
• Knowing where to start
• How will GDPR impact HR?
• Who does it impact?
• Why does it matter?
• Accountability and Security
• How to get more help or information
10. GDPR
General Data Protection Regulation
GOAL: One single privacy law for the EU
▫ Replaces previous 1995 Directive and national laws that had variations
▫ Applicability is now extra-territorial
– Based on “residency of individuals in EU”
– Applies to any business offering goods or services
▫ Where the organization is processing personal data
– Data that relates to an individual who can be identified from it (or other data associated with it)
– Regardless of format (digital, paper, audio, video, etc.)
– Doesn’t have to be names (ID by picture, IP addresses, device IDs, cookies, etc.)
▫ Evidence of demonstrable compliance is the standard
▫ Takes effect May 25, 2018
12. Effective Date: 25 MAY 2018
The GDPR took 4 years to negotiate and is the most comprehensive data protection regulation ever enacted.
To Do
• Determine your exposure (more on that in a moment…)
• Determine your action plan for compliance, if needed
• Determine your response to customers who ask for your compliance status
• … because they will ask!
13. Core Rules remain the same
• GDPR retains the same core rules as the current Data Protection Directive, with some notable changes
• "Sensitive" personal data has been expanded to include genetic and biometric data
• "New" rights have been codified, such as data portability and the "right to be forgotten"
• New obligations have been added around management, documentation, data breach notification, and more
To Do
• Review existing compliance (you are compliant, right?)
• Review new requirements
14. Cross-Border Transfers
• Transfer of personal data outside of EU is prohibited unless certain conditions are met (same as today)
• "Adequacy" can be met through
▫ Binding Corporate Rules
▫ Standard Contractual Clauses
▫ Code of Conduct and Certification Programs (tbd)
▫ EU-US Privacy Shield
▫ Allows for "explicit consent" but regulators have expressed skepticism
To Do
• Review your current transfers
• Determine and implement appropriate transfer mechanism
15. Special Categories of Personal Data
• “Special categories of personal data”
• “Particularly sensitive in relation to fundamental rights and freedoms” and, therefore, “merit specific protection.”
• Includes data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”
To Do
• Review data sets for any sensitive data elements
• Review whether sensitive data is necessary for services
• Determine adequacy of consent mechanisms
16. Data Subject Rights
• Enhanced rights to notice, access, correction
• "Right to be forgotten" – erase data "without undue delay"
▫ If no longer necessary, objection, or unlawful processing
• Data Portability
▫ "Automated" processes: Controller must provide data in "machine-readable" format, transmittable to any other controller, even directly to a competitor
• Profiling and the Right to Object
▫ "Automated" processes that assess or predict things like: performance, economic situation (e.g., credit), health, personal preferences, interests and behavior, location and movements
To Do
• Review the applicability of these rights to your processes and the impact of any exercise of those rights
• Develop processes to receive and process requests
17. Accountability
• You must not only comply, you must be able to demonstrate your compliance
• You must have a privacy impact assessment program for any "high risk to rights and freedoms" from processing and may be required to consult with your regulator
To Do
• Create and maintain a record of your data processing activities and privacy risk management activities
• Develop Privacy by Design, privacy-related training, etc., to ensure integration of privacy considerations into product development and engineering processes
• Develop a Privacy Impact Assessment program for any processing where data risk may arise
18. Security
• Controllers and Processors must “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
• Few specific requirements, but things like encryption, pseudonymization, data recovery, regular testing/assessments, are all referred to
• Breach notification standards: 72 hours after awareness (unless "reasoned justification", which will need to be communicated to the DPA)
To Do
• Develop a Breach Response plan with pre-defined notification templates
• Regularly test response plan, update with latest contacts and defined responsibilities
• Review adequacy of security audits, including review and audits of key service providers
19. Foundation for Article 30
Who, What, Why Behind Article 30
Article 30 GDPR = Records of Processing Activities
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
The records shall be in writing, including in electronic form.
The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
The obligations shall not apply to an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
20. Data Mapping
• The GDPR doesn’t actually require data maps, rather a “record of processing activities”
• However, it is hard to capture the multi-linear connections between different data flows and assets without some form of visualization
• Data visualizations or “maps” help companies to understand the data they hold and build in controls to manage any inherent risk
• Many different approaches exist – common tools include Visio and LucidChart
21. Knowing Where to Start
• Scope out the project
• Don’t reinvent the wheel
• Start small, then expand
22. HR Data is Unique Under GDPR
• The GDPR permits each EU country to enact their own, stricter requirements for HR data
• EU regulators treat HR data differently (employee consent is not a valid basis to process HR data)
• HR data processing involves more sensitive data (racial or ethnic origin, health data, criminal record, etc.)
• Companies engage in more invasive monitoring regarding employee data (computer & internet usage, GPS, etc.)
• BOTTOM LINE: Companies need a robust GDPR compliance program specific to HR data
24. GDPR HR Data
Country-Specific Requirements Permitted
§ Appears to defeat the purpose of the GDPR to establish a single set of data protection rules
§ Applies to all EU residents including expat employees
Comply with Local Labor Laws
§ Austria: Employers cannot collect sensitive data unless required by employment law (i.e., collect trade union membership data only for deduction of union dues)
§ Belgium: Former employers cannot provide reason for termination to new employers
§ Germany: passed HR data requirements in June 2017
§ Portugal: Employers prohibited from collecting unnecessary data during recruitment such as name and profession of spouse, number of children, and bank account information
25. GDPR HR Data
Collective Agreements/Works Councils
§ National or trade collective agreements often contain stricter data privacy requirements
§ Employers must consult works councils regarding data privacy matters including employee monitoring policies
Data Minimization/Legal Basis
§ Review HR data collection practices to collect only necessary data
§ Use anonymization and pseudonyms
§ Employers cannot rely on employee consent
§ Base collection on performance of employment contract, legal obligation, or legitimate interest of employer v. employee rights
26. GDPR HR Data
Recruitment
§ Only collect data necessary for job
§ Criminal history can be processed only if authorized under EU or national law
§ Employer must notify applicant if it reviews applicant’s social media
§ Delete recruitment data as soon as it is clear that applicant will not be hired
Employee Monitoring
§ Must provide advance notice of monitoring and reasons for monitoring
§ Continuous monitoring of computer and internet usage is improper
§ Implement preventative measures rather than monitor:
§ Block/notify regarding suspicious activities
§ Acceptable use policy
§ Provide “personal space”
27. GDPR HR Data
BYOD
§ Avoid accessing private areas of employee’s device (i.e., photos, etc.)
§ Use technologies that provide privacy safeguards (i.e., sandboxing)
§ If cannot prevent monitoring of private areas of employee devices, prohibit BYOD
GPS Tracking/Surveillance
§ Notice of location/behavior tracking must be placed within eyesight of driver
§ Permit employees to turn off vehicle or device GPS during non-working hours
§ Install preventative measures: cell phone use block, automatic braking, lane departure alerts
§ Use video surveillance for security reasons, not performance evaluation
28. GDPR HR Data
Employee Hotlines
§ Valid if applies to violations of EU or Member State laws (not U.S. laws) or furthers employer interest that outweighs employee privacy rights (accused’s privacy rights must be protected)
§ Limit reports to bribery, financial and auditing issues, and serious violations of EU or local law
§ Cannot encourage but can accept anonymous reports
Employee Access Requests
§ Employers must provide employees with access to their data
§ Employees entitled to see evaluations, including subjective assessments
§ Employees have right to correct inaccurate data, object to improper processing of data, request rationale for any automated decisions, and request portability of data
29. GDPR HR Data
Cross-Border Data Transfers
§ Access to HR data of EU employees stored on HRIS by personnel outside of the EU is a cross-border transfer
§ Employers must have legal purpose to transfer HR data
§ Employer cannot transfer HR data outside of EU unless it transfers data to a country with adequate protections or it uses standard contract clauses, BCRs, or Privacy Shield
Employee Access Requests
§ DPIA is required for a processing function involving HR data if any of the following criteria is involved:
§ Evaluation of work performance
§ Systematic monitoring
§ Sensitive data
§ Cross-border transfers
§ Automated decisions
31. GDPR – what we’ve covered…
General Data Protection Regulation
HOW HR is impacted
WHY it matters
Are there fines associated with non-compliance?
Let’s talk about DPIAs.
32. Benefits of Knowing & Preparing
“HR’s role will encompass not just communication, but also training and change management across all business units, such as IT and legal. As well as pushing back on resistance to change, HR will need to figure out incentives to ensure employee engagement.”
– Jeremy Baker, Affiliate Professor at ESCP Europe Business School*
• Focus on data allows HR to be more strategic
• More data points around engagement and diversity
• Boost to productivity and performance
• Increase in trust from employees, as well as customers/clients, that comes from being a privacy centered organization
*from Workday Rising 2017 conference in Barcelona last November.
https://blogs.workday.com/european-data-protection-and-the-path-to-gdpr-compliance/