TRANSCRIPT
GILLIAN ACHESON – DATA PROTECTION
DEIRDRE ALLISON – RECORDS MANAGEMENT
YEARN2LEARN TRAINING
5 THINGS HR MUST DO IN THE ROLE OF THE DATA PROTECTION OFFICER
GENERAL DATA PROTECTION REGULATION
What is it?
• GDPR represents the most significant shift in European data protection legislation since the Data Protection Directive
• Will harmonise data protection laws throughout the EU
• Will replace the Data Protection Act 1998
• Applies from 25 May 2018
• The current Data Protection Bill, which will become the Data Protection Act 2018, fills the gaps in GDPR, addressing areas in which flexibility and derogations are permitted
• The UK’s decision to leave the EU will not affect the commencement of the legislation.
TOP 5 THINGS HR MUST DO
1 Know the legislation – what is the impact on your organisation
2 Understand the Role of a Data Protection Officer
3 Know what information you hold
4 Understand what ‘accountable’ means
5 Develop an action plan to meet the key tasks to be carried out
2. UNDERSTAND THE ROLE OF DATA PROTECTION OFFICER
WHICH ORGANISATIONS ARE REQUIRED TO APPOINT A DPO? (ARTICLE 37(1))
The GDPR requires the designation of a DPO in three specific cases:
where the processing is carried out by a public authority or body
(irrespective of what data is being processed);
where the core activities of the controller or the processor consist of
processing operations, which require regular and systematic monitoring
of data subjects on a large scale;
where the core activities of the controller or the processor consist of
processing on a large scale of special categories of data or personal
data relating to criminal convictions and offences.
Frequently Asked Questions
Can organisations appoint a DPO jointly?
‘easily accessible from each establishment’
Appoint an external DPO?
‘fulfil the tasks on the basis of a service contract’
Professional qualities a DPO should have (Article 37(5)):
‘Shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’
Who cannot be DPO?
The DPO cannot be someone who determines the purposes and the means of processing of personal data.
POSITION OF THE DPO
Involvement in all issues relating to the protection of personal data
Opinion of the DPO must be given due weight
DPO consulted promptly once a data breach occurs
Must be given necessary resources - Article 38(2)
Act in an independent manner
Must report directly to the ‘highest level of management’ within the organisation.
DATA PROTECTION OFFICER ROLE TASKS
3. KNOW WHAT INFORMATION YOU HOLD
Information Asset Register columns: Asset number or ID | Name of asset | What does it do | Location | Owner | Volume | Personal data | Access | Shared | Format | Retention | Risks / impact | Key asset
What does your organisation do?
What information do you have?
Where is your information kept?
Document what you know.
Do you have duplicate information?
An Information Asset Register (IAR) is a simple way to help you understand and manage your organisation’s information assets and the risks to them.
It is important to know and fully understand what
information you hold in order to protect it and be able to
exploit its potential.
Use of self assessments
Keep it up to date.
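As an added illustration (not part of the original slides), the register described above can be kept as structured data and checked automatically against the slide’s own questions: who owns each asset, whether personal data has a retention period, whether access is wider than it should be, and whether the same information is held in more than one place. The column names, the three sample rows and the gap rules are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class InformationAsset:
    # One row of the IAR, using the column headings from the slide.
    asset_id: str
    name: str
    what_it_does: str
    location: str
    owner: str
    volume: int               # number of records held
    personal_data: bool
    access: str               # who can read the asset
    shared_with: list = field(default_factory=list)
    fmt: str = "electronic"
    retention: str = ""       # e.g. "6 years after leaving"
    risk_impact: str = "low"
    key_asset: bool = False

def register_gaps(register):
    """Map asset_id -> list of gaps that would stop the row being accountable."""
    gaps = {}
    for a in register:
        issues = []
        if not a.owner.strip():
            issues.append("no owner")
        if a.personal_data and not a.retention.strip():
            issues.append("personal data with no retention period")
        if a.personal_data and a.access.lower() == "all staff":
            issues.append("personal data readable by all staff")
        if issues:
            gaps[a.asset_id] = issues
    return gaps

def duplicate_assets(register):
    """Asset names held in more than one location (the slide's duplication question)."""
    locations = {}
    for a in register:
        locations.setdefault(a.name.lower(), set()).add(a.location)
    return {n: sorted(l) for n, l in locations.items() if len(l) > 1}

# Constructed sample register (not real data) for illustration only.
SAMPLE_REGISTER = [
    InformationAsset("HR-001", "Personnel files", "Employment records", "HR server", "HR Manager", 240,
                     True, "HR team", ["Payroll provider"], "paper", "6 years after leaving", "high", True),
    InformationAsset("HR-002", "Personnel files", "Scanned copies", "Shared drive", "", 180,
                     True, "All staff", [], "electronic"),
    InformationAsset("FM-003", "Room booking log", "Meeting room bookings", "Reception PC", "Facilities", 900,
                     False, "All staff", [], "electronic", "1 year"),
]
```

Running `register_gaps(SAMPLE_REGISTER)` flags only the scanned duplicate of the personnel files, and `duplicate_assets(SAMPLE_REGISTER)` shows that asset is held in two locations.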
4 ACCOUNTABILITY
ACCOUNTABILITY CONTINUED
Documentation is a new requirement under the GDPR. Records must be
kept on processing purposes, data sharing, and retention.
Will require internal records of your processing activities.
Your obligation to ensure (and demonstrate) that what you do with people’s
personal data is in line with the GDPR. Article 30 sets out the different
types of information you need to document including the purposes of
processing, categories of personal data and recipients of personal data.
You can use your existing register entry for the 1998 Act as a basis from which to create your record of processing activities.
5 DEVELOPMENT OF AN ACTION PLAN
Documenting your processing activities – it is a legal requirement. As a key element of the accountability principle, documenting your processing activities can also help you to ensure (and demonstrate) your compliance with other aspects of the GDPR.
Drafting your privacy notice – much of the information you have to document is very similar to what you need to tell people in your privacy notice.
Responding to access requests – knowing what personal data is held and where it is will help you to handle requests from individuals for access to their information efficiently.
Taking stock of your processing activities – this will make it much easier to address other matters under the GDPR, such as ensuring that the personal data you hold is relevant, up to date and secure.
Improve data governance – highlighting and addressing data protection matters through documentation will support good practice in data governance. This can give you assurance as to data quality, completeness and provenance.
Increase business efficiency – knowing what personal data is held, why it is held and for how long will help to develop more effective and streamlined business processes.
Data breaches – how does your organisation deal with data breaches?
Training – how will your organisation train staff to reduce the occurrence of data governance incidents?
ADDITIONAL RESOURCES
Yearn2Learn, an ILM Recognised Provider event
‘I’m the new Data Protection Officer – the First 100 Days’
Date: Tuesday 24 April 2018
Time: 10.00 – 4.30 pm (Registration 9.30)
Venue: Children in NI (CINI)
Cost £169.00 per person
To book, contact [email protected] or Tel: 07761586390
Legal-Island’s GDPR eLearning
for all employees
For free access & 25% discount contact
CONTACTS
Yearn2Learn are an ILM Recognised Provider and Accredited
Member of IRMS (Information & Records Management Society) UK
and ROI
For further information or to arrange a site visit for advice, guidance
or support, contact:
Deirdre Allison – [email protected] Tel: 07761586390
Gillian Acheson – [email protected]
Visit our website at www.yearn2learntraining.com