Transcript of GDPR: Coming Soon To A Workplace Near You
GDPR: Coming Soon To A Workplace Near You
Daniel Milnes - Head of Commercial
1 March 2018
Your Attention Is Directed To This Note
These materials are supplied as general illustrations of legal issues and not as legal advice applicable to any particular person or situation. These materials may not be relied upon as legal advice. Forbes shall not be liable for any loss caused to any person through any action or omission made in reliance on these materials or any connected presentation.
© Forbes Solicitors 2017-18
Where are we going?
• GDPR
• E-Privacy Regulation
• Data Protection Bill 2017/Act 2018
Old Risk: Bigger Consequences
• Higher Fines
• Criminalisation
• Class Actions
Old Solutions Stop Working
• DPA 98 standard consent
• ICO Notification
New Compliance Risks
• Right to be Forgotten
• Data Portability
• New Offences
• Mandatory DPOs
• Mandatory Reporting to ICO
Controllers and Processors
• Distinction
• Obligations
• What’s different under GDPR?
• Contracts
• ICO Draft Guidance
Privacy by Design and DPIAs
• “by design”
• “by default”
• Data mapping
• DPIA
• When?
• How?
Principles
1. Personal data shall be…
Lawfulness, fairness & transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
2. The controller…
responsible for & demonstrate … compliance with paragraph 1
Accountability
(a) Consent has been given
(b) Necessary for the performance of a contract
(c) Necessary for compliance with a legal obligation
(d) Necessary to protect vital interests
(e) Necessary for the performance of a task in the public interest
(f) Necessary for the purposes of legitimate interests *
Justified Special Categories Processing
• Explicit consent
• Necessary for… social protection law
• Necessary for… vital interests… where DS physically or legally incapable of giving consent
• Manifestly made public
• Necessary for… defence of legal claims or whenever courts are acting in their judicial capacity
• Necessary for… substantial public interest
• Necessary for… archiving purposes in the public interest
GDPR definition of consent
“Any freely given, specific, informed and unambiguous indication of agreement by a statement or clear affirmative action”
Subject Access
Right to be Forgotten
Data Portability
Object to Profiling
Rectify and Restrict
Complain
Recruitment & Selection
Induction
Monitoring at Work
Appraisal
Grievance/Disciplinary
Resignation/Termination
Recruitment & Selection
What PD are you seeking?
Is it necessary?
Enforced SAR or DBS? Spent convictions?
References
Interview notes
Will you verify information?
Consent & retention periods?
Audits
• Review personal data held
• Why held?
• Shared?
• Data security?
Procedures
• Applicants
• Staff
• Whistleblowers
• Non-Execs
• Suppliers
• Consents
Right to be Forgotten
• Extent
• Method
• Procedure
Review
• Legal basis for various processing
• Existing contracts with processors
• Privacy notices
Record Keeping
• Keep clear records of data processing activity
• Data Privacy Impact Assessments
• Record of consents
• Retention policy
• Disposal policy
Data Breach Response
• Mandatory reporting requirement
• 72 hours to report breach
• Are there procedures in place?
Training
• Consider what training employees will need to comply with GDPR
Watch this space…
• Data Protection Bill
• ICO Guidance
• www.forbessolicitors.co.uk
• @forbessolicitor
• @forbes_HR
Discussion and Questions