GDPR introduction

2. The jargon
• Data processing
• Data Controllers
• Data Processors
• Personal data
• Sensitive personal data
• Data Protection Officer
3. GDPR principles
Article 5 of GDPR says that personal data shall be:
• Processed lawfully, fairly & transparently
• Relevant, adequate, but limited to what’s needed
• Accurate
• Kept for no longer than necessary
• Protected against accidental loss, destruction or damage
4. Individual rights
• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision making
5. Directors’ responsibilities
• Technical & organisational measures
• Documentation
• Consider appointing a DPO
• Data protection by design
• Consider a Data Protection Impact Assessment
6. Data security
• Portable devices
• Desk-top devices
• Physical records
• Electronic records
• Data duplication
• Communications
• Clear desk/screen
7. Marketing
• Marketing lists
  – Data brokers
  – Trade directories
  – Lists compiled internally
8. GDPR & Human Resources
• Personal data in HR
  – Personal data
  – Sensitive personal data
• Data Processors
  – HR Champions/Acorn H&S
  – Lower-risk DPs
• Keeping records/retention periods
9. Discussion

10. “We free you to get on with your business”
Our capabilities range from CE marking, practical application of quality, environmental & safety management, to fully certified “ISO” systems.
Contact Richard Shearwood-Porter
01934 316224 / 07909 528942
info@theHSQEdepartment.com
www.theHSQEdepartment.com
Editor's Notes

1. First, some GDPR facts. Businesses in the EU have to deal with 28 different data protection laws, which creates costs for SMEs that want to trade across Europe. EU GDPR is a single harmonised regulation on data protection that applies to any company that wants to do business in the EU. The UK has been instrumental in drawing GDPR up and is implementing it as the Data Protection Bill. Government has confirmed that the Data Protection Bill will not be repealed when the UK leaves the EU.

In the UK we already have the Data Protection Act and the Privacy and Electronic Communications Regulations (PECR), which both have an impact on how companies manage personal data and carry out marketing activities. The Data Protection Bill will repeal the old Act and strengthen data protection rules.

GDPR applies to any data that could be used to identify an individual, such as name, address, phone number, e-mail or IP address. The regulator is the Information Commissioner’s Office (ICO). The penalty for a serious data breach under GDPR is up to 20m euros or 4% of turnover, but the ICO has declared that it will aim to work with companies to strengthen data protection rather than go for a big fine in the first instance.
2. There are a number of terms that we need to get our heads around if we’re to get to grips with GDPR.

Data processing: any activity that changes the state of personal data. This can be as simple as saving contact details to a phone or adding details to a database.

Data Controller: a body or person that decides the purposes for which personal data is used and the way in which this is done. Companies that make use of personal data will be Data Controllers, whether or not they actually process data themselves. Data Controllers have specific legal obligations, such as keeping records of what data is being kept and how it’s being processed, and are liable for any data breach.

Data Processor: a body or person that is responsible for handling data on behalf of a Data Controller, such as for the purpose of running payroll, providing marketing lists, carrying out health surveillance and so on. Any Data Processor needs to be appointed under a contract. The Data Controller is legally liable for any loss of its data by the Data Processor, so it needs to carry out reasonable due diligence on the Data Processor’s protection measures.

Personal data: as mentioned earlier, GDPR applies to any data that could be used to identify an individual, such as name, address, phone number, e-mail or IP address, and this can be in any form.

Sensitive personal data: information that could be used to stigmatise or discriminate against someone. Sensitive personal data must be protected with extra care.

Data Protection Officer: a DPO is a named person, with no vested interest in data processing, who has an appropriate level of knowledge of data protection and who acts as an unbiased advisor to the Data Controller’s senior team. The DPO also acts as the point of contact for the ICO and for enquiries about data protection. There are rules on when companies need to appoint a DPO, and the majority of SMEs are excluded. A DPO must be appointed by public authorities, or by other organisations whose main purpose is large-scale, systematic and regular monitoring of individuals (such as Facebook), or where they carry out processing of special categories of data on a large scale, such as BUPA. Exempt organisations still need to have a named person responsible for data protection and can opt to appoint a DPO if they see it as helpful.
3. Processed lawfully, fairly & transparently: data subjects must actively opt in. They can no longer be tricked with a pre-ticked box. There are 6 lawful reasons for processing information, and the Data Controller needs to record which of these apply and why:
• Consent (opt-in)
• Contract (the data is needed in order to carry out the contract with the subject of the data)
• Legal obligation (employers and landlords are required to check a person’s right to be in this country)
• Vital interest (where data is needed to protect someone’s life, but they are unable to give consent, e.g. treatment after a serious accident)
• Public task (any body that has official authority or that carries out work in the public interest)
• Legitimate interest – the most flexible basis on which to hold data. It can be used when you hold and use data in a way that people could reasonably expect, for reasons directly related to the purpose of the organisation (for example lists of people who have purchased from you or who have made enquiries)
The most likely lawful reasons for most organisations will be Consent, Contract and Legitimate interest.

Relevant, adequate, limited: speaks for itself.

Accurate: inaccurate data can cause individuals all sorts of problems and create huge amounts of unwarranted stress. For example:
• Threatening letters from debt collectors, chasing a previous occupier.
• Being wrongly identified as an executor to a will and being chased for money.
• Bills from two electricity companies after switching, covering the same period of time.
After May 25th these would be offences.

Kept for no longer than necessary: some common sense needs to be applied here as to what a reasonable length of time might be, but you need to be able to justify the time period if asked. Two examples at extreme ends of the spectrum:
• CVs from a recruitment drive: the person you initially choose may pull out at the last minute, may leave shortly after arriving or may be asked to leave within their probation period. So it would be reasonable to retain the CVs of others on the shortlist until a probation period is up. CVs that don’t make a shortlist should probably be destroyed once they have been screened out.
• Health surveillance records: ex-employees may make a claim for disability many years after leaving employment. It would therefore be sensible and legitimate to keep health surveillance records more or less forever.

Protected against accidental loss, destruction or damage: this clause refers to a data breach, which can include:
• Access by an unauthorised third party
• Deliberate or accidental action/inaction by a Data Controller or Processor
• Sending personal data to an incorrect recipient
• Loss or theft of documents or electronic devices
• Alteration of data without permission
• Loss of availability of personal data (for example through deletion, shredding or hard drive failure)
4. Right to be informed
At the time someone opts-in they must be told what information will be kept, how it will be used, how long it will be retained and who it will be shared with. This is called “Privacy Information”. If you get personal data from a source other than the individual, they must be informed within a month. This would apply to marketing lists, but you would probably be informing them by means of direct marketing.

Right of access
Individuals must be able to access the information that you hold on them and be able to verify that any processing is lawful. Companies must therefore be able to respond to information requests.

Right to rectification
Individuals can ask, verbally or in writing, for inaccurate data to be corrected and the Data Controller has one calendar month to respond. If the Data Controller decides the data is accurate, they can refuse to change it. If the request is vexatious or excessive, the Data Controller can also refuse to comply.

Right to erasure
Also known as “the right to be forgotten”. Individuals can ask, verbally or in writing, for data to be deleted and the Data Controller has one calendar month to respond. This right applies if:-
• Data isn’t needed any more
• The Data Controller is relying on Consent and consent is withdrawn
• The Data Controller is relying on legitimate interest and this is overridden by the individual’s interest
• The individual objects to direct marketing
• The data has been processed unlawfully e.g. passed on by a data broker without consent
• Erasure complies with a legal obligation e.g. to enforce a court order on erasure
• The data relates to a child

Right to restrict processing
This isn’t an absolute right and only applies in certain circumstances. Individuals can ask, verbally or in writing, for data to be restricted and the Data Controller has one calendar month to respond. This right applies if:-
• The individual has asked for data to be corrected and this is under investigation
• The individual objects to their data being processed but the Data Controller is investigating whether it has a legitimate interest to keep it
• Data has been unlawfully processed and the individual wants it to be retained, but not used (Facebook?)
• The data isn’t needed any more by the Data Controller, but the individual needs it to be kept, for instance to defend a legal claim

Right to data portability
This allows individuals to obtain and reuse their personal data for their own purposes across different services, for example when changing bank or utility company.

Right to object
Individuals have a right to object to:-
• Processing based on Legitimate Interests or Performance of a Task in the Public Interest/Exercise of Official Authority
• Direct marketing
• Processing for scientific/historical research or statistics

Rights related to automated decision making including profiling
This relates to when data is analysed and acted on without the intervention of humans. Examples would be:-
• On-line applications for a loan or insurance
• On-line aptitude test as part of a job application
• Predicting someone’s preferences from their on-line profiles or searches.
Because this is seen as high-risk, Data Controllers and Processors must ensure that:-
• They have carried out a Data Protection Impact Assessment
• Data subjects can appeal and receive an explanation for a decision
• Data subjects can express an opinion
• Humans can intervene
5. Technical & organisational measures
• Data protection policies – Privacy; Access Control; Data Security; Information Requests; Data Breach.
• HR policies – Sensitive information; Appropriate Use (including social media)
• Staff training – GDPR & data security
• Internal audit

Documentation
• Data mapping
• Purpose of processing
• Legal basis for processing – mainly Contractual & Legitimate Interest
• Privacy notices
• Records of Consent (where used)
• Records of due diligence on Data Processors
• Contracts with Data Processors

DPO
Discussed earlier

Data protection by design & default
This refers to making sure that organisational measures and technical measures work together to protect data from loss.

Data protection impact assessment
A data protection impact assessment is a systematic analysis of how data is processed and where it is vulnerable to loss or damage, but is compulsory only where processing carries a high risk to individuals. Examples would be:-
• There is systematic and extensive profiling with significant effects, for instance health insurance
• Personal data is sensitive or about criminal offences
• CCTV records of public places
6. We’ve checked what is in place and have recommended some further security measures, so what does this mean for you?

Portable devices
• Laptops & phones protected by PIN, password or biometrics
• Don’t load personal information onto removable media
• Set device to lock after a period of inactivity
• Enable remote wiping
• Apps from trusted sources only
• Essential personal data only
• Report if lost or stolen

Desk-top devices
• Secure account log-in
• Don’t share passwords
• Set to lock after a period of inactivity
• Screens positioned to prevent “shoulder surfing” or fitted with a clip-on privacy screen
• Only visit trusted websites

Physical records
• Lock personal data away when not in use
• Securely destroy personal data when no longer needed
• Carry only essential personal data when off-site

Electronic records
• Restrict access to those that need it
• Securely “shred” personal data, for example with CCleaner
• Ensure that back-ups are effective

Data duplication
• Central archive with secure back-up

Communications
• Only share personal data with people that have a legitimate use for it
• Make sure communications are addressed to the right person (reply-all and auto addressing)
• Only open communications from trusted sources and never open links in e-mails. If in doubt – call the apparent sender
• Follow organisational policy on use of social media

Clear desk/screen
• When working with personal data, lock screen and clear papers away when away from the desk
7. Direct marketing has been controlled under the Privacy in Electronic Communications Regulations (PECR), which came out in 2003 and has been strengthened a number of times by amendments. The rules are reinforced under GDPR.

Data brokers
You can use data brokers if:-
• Your data broker can prove to you that the contact has opted-in to having their details passed to a company such as BituChem for the purpose of direct marketing. This could be done by picking some data subjects at random and asking to see evidence of their consent.
• The data broker will have a process to unsubscribe anyone that objects.
• The same rules about direct marketing will apply to you as now (Privacy & Electronic Communications Regs).
• You'll need a publicly available privacy policy - this can be on a web site - and communications with prospective clients will point them to the policy. The policy will need to cover a range of points, but one of these will be the right to be removed from your list.
• You tell the prospect where you got their contact details from.

Trade Directories
Companies and their named contacts that sign up to a specialised trade directory, such as “ESI External Works”, can reasonably expect that they will be contacted directly by other companies working in the sector. This allows you to claim “Legitimate Interest” to hold their contact details and to contact them, but you must say where you got their contact details. The named contact has the right to opt-out of further contacts.

Internal lists
Web sites must now carry a privacy notice and a positive opt-in to receiving marketing information. Potential customers that have visited a web site and have opted-in can be contacted directly, but evidence needs to be kept of the opt-in. Potential customers that have visited a web site but have not opted-in, or who have opted-out at a later date, cannot be contacted and you cannot retain their data. Existing customers can reasonably be expected to have an interest in learning about your new products and can be contacted under “Legitimate Interest”. This is known as a “soft opt-in”.
8. HR is where you are most likely to hold “sensitive personal data” and be involved with “Data Processors”, so is an area that is particularly sensitive.

Simple personal data
• Contact details
• Next of kin
• Employment history
• CVs

Sensitive personal data – tighter control needed
• Racial, ethnic, religious & sexual details/preferences
• Prosecutions & criminal history
• Health records including occupational health results (Acorn H&S surveillance reports; report into risks of chemical dermatitis for an individual employee)

Outsourced HR & H&S
Data Processors posing a higher risk to you because they hold sensitive personal data. Send a Duty of Care questionnaire. You are legally responsible for any leakage of employee data from these companies.

Providers of pensions, payroll, insurance, tacho-card analysis etc.
Data Processors, but lower risk because they hold no sensitive data on employees.

Keeping records & retention periods
Back to basics:
• Keep only what’s necessary
• It must be accurate
• It must be secure
• Keep only as long as necessary
Examples at the extreme ends of the spectrum were discussed earlier:-
• CVs
• Health records
Consider:-
• Do you need paper records and, if so, how will you keep them secure?
• Do you need duplicate copies of things like health surveillance reports to be kept in user accounts, or would one central copy be safer?
• How long will you hold personal data before it becomes obsolete – for example company contact details?
• How will you clean and confidentially delete data that isn’t needed anymore?
9. We’ve looked at:-
• Some basic facts about GDPR
• The principles of GDPR
• The rights of data subjects
• Your responsibilities
• What GDPR means for marketing
• The effect on HR
Any questions?