
GDPR: Coming Soon To A Workplace Near You

Daniel Milnes - Head of Commercial

1 March 2018


Your Attention Is Directed To This Note

These materials are supplied as general illustrations of legal issues and not as legal advice applicable to any particular person or situation. These materials may not be relied upon as legal advice. Forbes shall not be liable for any loss caused to any person through any action or omission made in reliance on these materials or any connected presentation.

© Forbes Solicitors 2017-18

Where are we going?

• GDPR

• E-Privacy Regulation

• Data Protection Bill 2017/Act 2018

Old Risk: Bigger Consequences

• Higher Fines

• Criminalisation

• Class Actions

Old Solutions Stop Working

• DPA 98 standard consent

• ICO Notification

New Compliance Risks

• Right to be Forgotten

• Data Portability

• New Offences

• Mandatory DPOs (for public authorities and certain large-scale processing)

• Mandatory Reporting to ICO

Controllers and Processors

• Distinction

• Obligations

• What’s different under GDPR?

• Contracts

• ICO Draft Guidance

Privacy by Design and DPIAs

• “by design”

• “by default”

• Data mapping

• DPIA

• when?

• How?

Principles

1. Personal data shall be…

Lawfulness, fairness & transparency

Purpose limitation

Data minimization

Accuracy

Storage limitation

Integrity and confidentiality

2. The controller…

responsible for & demonstrate … compliance with paragraph 1

Accountability

(a) Consent has been given

(b) Necessary for the performance of a contract

(c) Necessary for compliance with a legal obligation

(d) Necessary to protect vital interests

(e) Necessary for the performance of a task in the public interest

(f) Necessary for the purposes of legitimate interests *

Justified Special Categories Processing

• Explicit consent

• Necessary for…social protection law

• Necessary for…vital interests…where DS physically or legally incapable of giving consent

• Manifestly made public

• Necessary for…defence of legal claims or whenever courts are acting in their judicial capacity

• Necessary for…substantial public interest

• Necessary for…archiving purposes in the public interest

GDPR definition of consent

“Any freely given, specific, informed and unambiguous indication of agreement by a statement or clear affirmative action”

Subject Access

Right to be Forgotten

Data Portability

Object to Profiling

Rectify and Restrict

Complain

Recruitment & Selection

Induction

Monitoring at Work

Appraisal

Grievance/Disciplinary

Resignation/Termination

Recruitment & Selection

What PD are you seeking?

Is it necessary?

Enforced SAR or DBS? Spent convictions?

References

Interview notes

Will you verify information?

Consent & retention periods?

Audits

• Review personal data held

• Why held?

• Shared?

• Data security?

Procedures

• Applicants

• Staff

• Whistleblowers

• Non-Execs

• Suppliers

• Consents

Right to be Forgotten

• Extent

• Method

• Procedure

Review

• Legal basis for various processing

• Existing contracts with processors

• Privacy notices

Record Keeping

• Keep clear records of data processing activity

• Data Protection Impact Assessments (DPIAs)

• Record of consents

• Retention policy

• Disposal policy

Data Breach Response

• Mandatory reporting requirement for breaches likely to result in a risk to individuals

• 72 hours from becoming aware of the breach to report it to the ICO

• Are there procedures in place?

Training

• Consider what training employees will need to comply with GDPR

Watch this space…

• Data Protection Bill

• ICO Guidance

• www.forbessolicitors.co.uk

• @forbessolicitor

• @forbes_HR

• daniel.milnes@forbessolicitors.co.uk

Discussion and Questions
