On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force, replacing all existing data protection regulations. Payroll bureaus process large amounts of personal data in relation to their customers, their customers’ employees, and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated. BrightPay hosted a free CPD accredited webinar alongside Bright Contracts where we discussed everything that accountants, bookkeepers and payroll bureaus need to know about GDPR. For more information visit https://www.brightpay.co.uk

1. &
GDPR for your Payroll Bureau
Tuesday 14th November 2017

2. Agenda
• What is GDPR and Why is it being implemented
• Why employers need to take it seriously
• How it will impact payroll bureaus
• How to prepare for GDPR
• How Thesaurus is working to help you

3. GDPR, what is it?
General Data Protection Regulation
• Aims to provide better protection for personal data
• Current data legislation dates back to 1998

4. Data is getting out of hand
Data brokers collect more
than 50 trillion unique data
transactions per year
82% of Android apps track
your other
online activities
If you read all of the terms of service for all
of your apps it would take 76 days
PayPal’s Terms of Service is
36,275 words long:
that’s longer than Hamlet

5. GDPR D-Day
145 Working Days to go

6. Reasons to Pay Attention!
€20,000,000
Or
4% of turnover
€10,000,000
Or
2% of turnover
FINES
Serious breaches
- Not having sufficient customer
consent
- Violating Privacy by Design
Serious breaches
Failure to: - document &
communicate Joint Controller
relationships
- ensure contract with Data Processor

7. Key Terms
Data Subject
• An individual who is the subject of the personal
data
Data controller
• Controls the contents and use of personal data
Processing means:
• Operations performed on personal data whether or
not by automated means
Controller is who:
• Determines the purposes and means of the
processing of personal data
Personal data breach:
• Means a breach of security leading to the
accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal
data transmitted, stored or otherwise processed.
Processor is who:
• Processes personal data on behalf of the controller.

8. Supervising Authority
Website www.ico.org.uk
www.gov.uk
E-mail:
Phone: +44 303 123 1113

9. Who does it apply to?
• EU Companies that process personal data, regardless
of whether the processing takes place in the EU
• Non-EU companies who offer goods or services to
individuals in the EU, irrespective of whether payment
is required.
• Non-EU companies who monitor individual’s
behaviour that takes place in the EU.

10. What is Personal Data?
“Any information related on a natural person or ‘Data Subject’, that can
be used to directly or indirectly identify a person.”
 A name
 A photo
 An email address
 Bank details
 Posts on social networking websites
 Medical information
 CCTV images
 Records of websites visited
 A computer IP address

11. -Key areas to consider

12. Six Principles of GDPR
Personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and kept up-to-date
5. Kept for no longer than necessary
6. Processed in a confidential and secure manner
Accountability: demonstration of compliance

13. Lawful Processing
Processing is only lawful if:
• Data subject has given consent
• Necessary for the performance of a contract
• Necessary for the compliance with legal obligation
• In order to protect vital interests of a person
• Necessary for public interest or official authority
• For the legitimate interests of data controller/3rd party

14. Changes to Consent Rules
Consent must be:
- Specific, informed,
unambiguous and freely given
- Must be for a specified purpose
Where consent is obtained
as part of a larger document
covering other things,
consent must be clearly
distinguished from
everything else
Evidence needs to be retained
as to how the consent was
obtained
Forms, brochures signage,
website screenshots etc.
Language must be
accessible and easily
understood

15. Special Categories of Data
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• The processing of genetic data, biometric data for the purpose of
uniquely identifying a person
• Data concerning health, a person's sex life or sexual orientation

16. Children’s Personal Data
Under 16
Parental Guidance

17. Data Protection by Design and by Default
• Privacy by design: seeks to ensure that privacy issues are considered
at the outset of a project, rather than being an add on at a later stage
of a project.
• Privacy by default: by default only such personal data as is necessary
for the identified purposes should be processed.

18. Data Protection Impact Assessments (DPIA)
• A DPIA should contain:
• A description of the processing operations and the purposes
• An assessment of the necessity and proportionality of the processing in
relation to the purpose
• An assessment of the risks to the individuals
• The measures put in place to address risk, including security and to
demonstrate that you comply
• Where substantial risk is identified, you must refer to the Supervisory
Authority

19. Enhanced Rights for Individuals
Right to be
informed
The right to
access
The right to
rectification
The right to
erasure
The right to
restrict
processing
The right to data
portability
The right to
object
Rights in relation
to automated
decision making

20. Breach Reporting
 Breach:
The destruction, loss, alteration, unauthorised disclosure of or access to
personal data, human error
 Reported to Data Protection Commissioner
 Within 72 hours

21. Incident Response Plan
Containment and recovery
Assessment of ongoing risk
Notification of the breach
Post mortem and response

22. 2016 Reported Breaches
Theft of IT Equipment 14
Website Security 103
Unauthorised Disclosure – Postal 570
Unauthorised Disclosure – Electronic 376
Unauthorised Disclosure – Other 1,117
Security related issues 44

23. The Data Protection Officer (DPO)
Mandatory for:
 Public Bodies
 Organisations engaged in “Large Scale” regular/systematic monitoring
 Organisations whose core activities consist of processing “special categories” of
data or data relating to criminal convictions
 May be mandatory in other contexts as defined by Member State Law
The DPO must:
 Have “expert knowledge” of Data Protection Law
 Must be involved in a “timely manner” in discussions of personal data processing
 Details must be provided to the DPC

24. Civil Liability
Individuals can claim for compensation for material loss and non-
material damage, including:
Distress
Hurt Feelings
Reputational Damage
No proven financial loss

25. -Start Preparing Now

26. 1. Your Data Inventory
• Create in inventory of all personal data held
• Why are you holding the data? The legal basis?
• How is data obtained?
• Why was it originally gathered.
• How long data is held for?
• How is data saved? Securely?
• Is data shared? With whom?

27. 2. Data Privacy Notices
 The business identity
 Contact details for the business and the DPO, if applicable
 The reasons for collecting the data
 The use(s) to which the data will be put to
 To whom the data will be disclosed
 Whether the data will be transferred outside of the EU
 The legal basis for processing the the data
 Where the processing is based on the legitimate interests of the business, the legitimate interest
concerned
 Where the processing is necessitated by a statutory or contractual requirement, the consequences for the
individual of not providing the data.
 The period of which the data will be stored, or the criteria to be used to determine retention periods
 Whether the data subject will be subject to automated decision making
 The rights of the individual under the GDPR

28. 3. Further Preparation
• Speak to Data Controllers or Data Processors
• Processing children’s data?
• Will access requests change?
• How will you manage breaches?
• Data by Design / Data Protection Impact Assessment
• Do you require a Data Protection Officer?

29. GDPR from a HR Perspective
Lawful processing
• What is your reason for retaining and processing personal data?
• Consent no longer an option for HR data
• Imbalance of power between employee & employer
1. Legitimate interests of the business
2. Performance of a contract or legal obligation
Increased employee rights
• Clear policies
Delete, delete, delete

30. -How Thesaurus Software is Preparing

31. It’s your data
Keep your
password safe!

32. What we have done
 New in-program features
 Updated our Privacy Policies
 Internal IT audits
 Increased security – in house
 Introduced extra consent fields
 Staff training
 Bright Contracts updated policies

33. Thank You!
G.D.P.R.
General Data Protection Regulation
25th May 2018
BrightPay
www.brightpay.co.uk
support@brightpay.co.uk
PH +44 (0) 845 3004304
Bright Contacts
www.brightcontracts.co.uk
support@brightcontracts.co.uk
PH +44 (0) 845 3004305

34. -Appendix: GDPR List of Offences

35. 2% Offences
• Breaches of provisions relating to consent of Children
• Asking for personal data, citing GDPR as basis, where you are not
processing identifiable data
• Failure to implement Privacy by Design/by Default
• Failure to document & communicate Joint Controller relationships
• Failure to appoint a representative if based outside EU
• Failure to ensure contract with Data Processor
• Engagement of a sub-processor by processor without authorisation
• Failure to include prescribe content in Processor Contracts
• Processing data by a Data Processor other than on instruction of
Data Controller
• Failure to ensure DPO does not have conflict of interest in execution
of duties
• Failure to execute tasks of the DPO under Article 39
• Failure to apply required controls or safeguards under a DP
certification scheme
• Failure to keep records of processing activities (Article 30)
• Failure to cooperate with the Supervisory Authority
• Failure to ensure appropriate level of security over personal data
• Failure to ensure ability to restore availability and access to data
• Failure to conduct regular testing of effectiveness of technical and
organisational controls for information security
• Failure to notify data breach to Supervisory Authority
• Failure to communicate data breach to Data Subjects (where
required)
• Failure to conduct Data Protection Impact Assessments (when
required)
• Failure to consult with Supervisory Authority where PIA suggests
high risk to rights of individuals
• Failure to engage DPO in a timely manner
• Failure to support DPO in performance of tasks, including provision
of resources, access to data and processing operations, and
opportunity to maintain expert knowledge
• Failure by a certification body to meet the conditions for
accreditation or where actions of the accrediting body infringe the
Regulation

36. 4% Offences
• Breaching any of the core principles of
GDPR
• Failure to implement measures to comply
with the accountability principle
• Failure to comply with standards required
for consent, where consent only basis for
processing
• Unlawful processing of “special
categories” of personal information
• Infringement of rights under Article 12 –
22
• Transfers to 3rd countries in
contravention of provisions of Articles 44
to 49
• Failure to comply with any obligation
under Member State Law under
“Delegated Acts” under Regulation
• Non-compliance with a prohibition under
Article 58(2) on processing or data
transfers, whether temporary or
definitive
• Failure to provide access to Data
Protection Supervisory Authority to
conduct investigations as per Article 58(1)