5 things hr must do in the role of the data protection … · legal-island’s gdpr elearning...

Post on 18-Jul-2020


Page 1: 5 THINGS HR MUST DO IN THE ROLE OF THE DATA PROTECTION … · Legal-Island’s GDPR eLearning for all employees. For free access & 25% discount contact Debbie@legal-island.com

GILLIAN ACHESON – DATA PROTECTION

DEIRDRE ALLISON – RECORDS MANAGEMENT

YEARN2LEARN TRAINING

5 THINGS HR MUST DO IN THE ROLE OF THE DATA PROTECTION OFFICER

Page 2

GENERAL DATA PROTECTION REGULATION

What is it?

• GDPR represents the most significant shift in European data protection legislation since the Data Protection Directive

• Will harmonise data protection laws throughout the EU

• Will replace the Data Protection Act 1998

• Applies from 25 May 2018

• The current Data Protection Bill, which will become the Data Protection Act 2018, fills the gaps in GDPR, addressing areas in which flexibility and derogations are permitted

• The UK’s decision to leave the EU will not affect the commencement of the legislation.

Page 3

TOP 5 THINGS HR MUST DO

1. Know the legislation – what is the impact on your organisation?

2. Understand the role of a Data Protection Officer

3. Know what information you hold

4. Understand what ‘accountable’ means

5. Develop an action plan to meet the key tasks to be carried out

Page 4

2. UNDERSTAND THE ROLE OF THE DATA PROTECTION OFFICER

WHICH ORGANISATIONS ARE REQUIRED TO APPOINT A DPO? (ARTICLE 37(1))

The GDPR requires the designation of a DPO in three specific cases:

• where the processing is carried out by a public authority or body (irrespective of what data is being processed);

• where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;

• where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

Page 5

Frequently Asked Questions

Can organisations appoint a DPO jointly?

‘easily accessible from each establishment’

Can organisations appoint an external DPO?

‘fulfil the tasks on the basis of a service contract’

What professional qualities should a DPO have? (Article 37(5))

‘Shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’

Who cannot be DPO?

The DPO cannot be someone who determines the purpose and the means of processing of personal data.

Page 6

POSITION OF THE DPO

Involvement in all issues relating to the protection of personal data

Opinion of the DPO must be given due weight

DPO consulted promptly once a data breach occurs

Must be given necessary resources - Article 38(2)

Act in an independent manner

Must report directly to the ‘highest level of management’ within the organisation.

Page 7

DATA PROTECTION OFFICER ROLE TASKS

Page 8

3. KNOW WHAT INFORMATION YOU HOLD

Information Asset Register columns: Asset number or ID; Name of asset; What does it do; Location; Owner; Volume; Personal data; Access; Shared; Format; Retention; Risks / impact; Key asset

What does your organisation do?

What information do you have?

Where is your information kept?

Document what you know.

Do you have duplicate information?

An Information Asset Register (IAR) is a simple way to help you understand and manage your organisation’s information assets and the risks to them.

It is important to know and fully understand what information you hold in order to protect it and be able to exploit its potential.

Use self-assessments.

Keep it up to date.

Page 9

4 ACCOUNTABILITY


Page 10

ACCOUNTABILITY (CONTINUED)

Documentation is a new requirement under the GDPR. Records must be kept on processing purposes, data sharing, and retention.

Will require internal records of your processing activities.

Your obligation is to ensure (and demonstrate) that what you do with people’s personal data is in line with the GDPR. Article 30 sets out the different types of information you need to document, including the purposes of processing, categories of personal data and recipients of personal data.

You can use your existing register entry for the 1998 Act as a basis from which to create your record of processing activities.

Page 11

5. DEVELOPMENT OF AN ACTION PLAN

Documenting your processing activities – it is a legal requirement. As a key element of the accountability principle, documenting your processing activities can also help you to ensure (and demonstrate) your compliance with other aspects of the GDPR.

Drafting your privacy notice – much of the information you have to document is very similar to what you need to tell people in your privacy notice.

Responding to access requests – knowing what personal data is held and where it is will help you to efficiently handle requests from individuals for access to their information.

Taking stock of your processing activities – this will make it much easier to address other matters under the GDPR, such as ensuring that the personal data you hold is relevant, up to date and secure.

Improve data governance – highlighting and addressing data protection matters through documentation will support good practice in data governance. This can give you assurance as to data quality, completeness and provenance.

Increase business efficiency – knowing what personal data is held, why it is held and for how long, will help to develop more effective and streamlined business processes.

Data Breaches – how does your organisation deal with data breaches?

Training – how will your organisation train staff to reduce data governance incidents occurring?

Page 12

ADDITIONAL RESOURCES

Yearn2Learn, an ILM Recognised Provider event

‘I’m the new Data Protection Officer – the First 100 Days’

Date: Tuesday 24 April 2018

Time: 10.00 – 4.30 pm (Registration 9.30)

Venue: Children in NI (CINI)

Cost: £169.00 per person

To book, contact [email protected] or Tel: 07761586390

Legal-Island’s GDPR eLearning for all employees

For free access & 25% discount contact [email protected]

Page 13

CONTACTS

Yearn2Learn are an ILM Recognised Provider and Accredited Member of IRMS (Information & Records Management Society) UK and ROI.

For further information or to arrange a site visit for advice, guidance or support, contact:

Deirdre Allison – [email protected] Tel: 07761586390

Gillian Acheson – [email protected]

Visit our website at www.yearn2learntraining.com
