GDPR for your Payroll Bureau - BrightPay · 2018-04-12
TRANSCRIPT
GDPR for your Payroll Bureau
Thursday 8th March 2018
Agenda
1. GDPR Overview
2. Key Changes to Data Protection Law
3. How to Prepare your Payroll Bureau
4. How BrightPay is preparing
GDPR, what is it?
General Data Protection Regulation
• Aims to provide better protection for personal data
• Current data legislation dates back to 1988
GDPR D-Day
54 Working Days to go
Reasons to Pay Attention!
FINES
CIVIL LIABILITY CLAIMS
BRAND DAMAGE
LOSS OF BUSINESS
COST OF INVESTIGATION
Supervising Authority
Website www.dataprotection.ie
www.gdprandyou.ie
E-mail: [email protected]
Phone: +353 (0)761 104 800
Who does it apply to?
• EU Companies that process personal data, regardless of whether the processing takes place in the EU
• Non-EU companies who offer goods or services to individuals in the EU, irrespective of whether payment is required.
• Non-EU companies who monitor individuals’ behaviour that takes place in the EU.
Key Terms
Data Subject: an individual who is the subject of the personal data
Data Controller: controls the contents and use of personal data
Processing: operations performed on personal data, whether or not by automated means
Processor: processes personal data on behalf of the controller
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Key Changes to Data Protection Law
1. Definition of Personal Data
2. Special categories of data
3. Data Protection Principles
4. Lawful Processing of Data
5. Consent
6. Data Processors
7. Security
8. DPOs
9. Data Subject Rights
10. Data Protection by Design & Default
1. What is Personal Data?
“Any information relating to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify that person.”
Examples:
• A name
• A photo
• An email address
• Bank details
• Posts on social networking websites
• Medical information
• CCTV images
• Records of websites visited
• A computer IP address
Personal Data in a Payroll Bureau
• Personal data about clients
• Personal data held for marketing purposes
• Personal data held on employees
2. Special Categories of Data
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• The processing of genetic data, biometric data for the purpose of uniquely identifying a person
• Data concerning health, a person's sex life or sexual orientation
3. Data Protection Principles
• Lawfulness
• Purpose Limitation
• Data Minimisation
• Accuracy
• Storage Limitation
• Integrity & Confidentiality
4. Lawful Processing
Processing is only lawful if at least one of the following applies:
❖ The data subject has given consent
❖ Necessary for the performance of a contract
❖ Necessary for compliance with a legal obligation
❖ Necessary to protect the vital interests of a person
❖ Necessary for the public interest or the exercise of official authority
❖ Necessary for the legitimate interests of the data controller or a 3rd party
5. Changes to Consent Rules
Consent must be:
- Specific, informed, unambiguous and freely given
- Given for a specified purpose
- Where consent is obtained as part of a larger document covering other things, clearly distinguished from everything else
- Evidenced: records of how the consent was obtained must be retained (forms, brochures, signage, website screenshots etc.)
- Requested in language that is accessible and easily understood
6. Data Processors
Controller Instructions
Restrictions on sub-processing
Contract
Records of Data Processing
7. Security
1. Reactive: Breach reporting
➢ Breaches to be reported within 72 hours of becoming aware of them
2. Preventative: Technical & organisational measures
Who must be notified of a breach:
• The DPC: where the breach is likely to result in a risk to the rights and freedoms of individuals
• The individuals: where the breach is likely to result in a high risk to the rights and freedoms of individuals
8. The Data Protection Officer (DPO)
Mandatory for:
✓ Public bodies
✓ Organisations engaged in “large scale” regular/systematic monitoring
✓ Organisations whose core activities consist of processing “special categories” of data or data relating to criminal convictions
✓ May be mandatory in other contexts as defined by Member State law
The DPO:
✓ Must not have an internal conflict of interests
✓ Must be sufficiently senior to implement the obligations
✓ Does not have to be an employee
9. Enhanced Rights for Individuals
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making
10. Other New Concepts
• Privacy by design: seeks to ensure that privacy issues are considered at the outset of a project, rather than being an add on at a later stage of a project.
• Privacy by default: by default only such personal data as is necessary for the identified purposes should be processed.
• Data Protection Impact Assessments (DPIAs, referred to as PIAs in the rest of this deck) – to be conducted for high-risk data processing activities.
- How to Prepare your Payroll Bureau
7 Step Preparation Guide
1. Data Inventory
2. Policies & Contracts
3. Capturing Consent
4. Governance
5. Security
6. PIAs & Data by Design
7. Advise your Clients
1. Your Data Inventory
• Create an inventory of all personal data held
• Why are you holding the data? What is the legal basis?
• How is the data obtained?
• Why was it originally gathered?
• How long is the data held for?
• How is the data stored? Securely?
• Is the data shared? With whom?
2. Contracts & Policies
Contracts
• Review contracts with your clients
• Advertise GDPR readiness
• Review contracts with other 3rd parties
Privacy Notices
• Customer privacy notice
• Employee privacy notice
• No legalese!
3. Capturing Consent
• Review terms & conditions that capture consent
4. Governance
• Review how you will deal with data subject access requests
• Appoint a DPO if necessary
• Update staff on data protection
5. Security
• Review your breach reporting process
• Review encryption
• Review organisational measures
6. Data by Design / PIA’s
• Develop privacy impact assessment and privacy by design implementation and review process
7. Advise your Clients
99% of the UK’s 5.5 million businesses employ fewer than 249 people
Guidance documents: “The GDPR and You”; “12 steps to prepare for GDPR”
- How Thesaurus Software is Preparing
It’s your data
What we have done:
✓ New in-program features
✓ Updated our Privacy Policies
✓ Internal IT audits
✓ Increased security – in house
✓ Introduced extra consent fields
✓ Staff training
✓ Thesaurus Connect
✓ Bright Contracts updated policies
Privacy Policy within Bright Contracts
Thank You!
G.D.P.R. General Data Protection Regulation
25th May 2018
Thesaurus Software www.thesaurus.ie
PH 01 8352074
Bright Contracts www.brightcontracts.ie
PH 01 8499699
- Appendix: GDPR List of Offences
2% Offences (fines of up to 2% of worldwide annual turnover or €10 million, whichever is higher)
• Breaches of provisions relating to consent of children
• Asking for personal data, citing GDPR as basis, where you are not processing identifiable data
• Failure to implement Privacy by Design/by Default
• Failure to document & communicate Joint Controller relationships
• Failure to appoint a representative if based outside EU
• Failure to ensure contract with Data Processor
• Engagement of a sub-processor by processor without authorisation
• Failure to include prescribed content in Processor contracts
• Processing data by a Data Processor other than on instruction of Data Controller
• Failure to ensure DPO does not have conflict of interest in execution of duties
• Failure to execute tasks of the DPO under Article 39
• Failure to apply required controls or safeguards under a DP certification scheme
• Failure to keep records of processing activities (Article 30)
• Failure to cooperate with the Supervisory Authority
• Failure to ensure appropriate level of security over personal data
• Failure to ensure ability to restore availability and access to data
• Failure to conduct regular testing of effectiveness of technical and organisational controls for information security
• Failure to notify data breach to Supervisory Authority
• Failure to communicate data breach to Data Subjects (where required)
• Failure to conduct Data Protection Impact Assessments (when required)
• Failure to consult with Supervisory Authority where PIA suggests high risk to rights of individuals
• Failure to engage DPO in a timely manner
• Failure to support DPO in performance of tasks, including provision of resources, access to data and processing operations, and opportunity to maintain expert knowledge
• Failure by a certification body to meet the conditions for accreditation or where actions of the accrediting body infringe the Regulation
4% Offences (fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher)
• Breaching any of the core principles of GDPR
• Failure to implement measures to comply with the accountability principle
• Failure to comply with standards required for consent, where consent only basis for processing
• Unlawful processing of “special categories” of personal information
• Infringement of rights under Article 12 – 22
• Transfers to 3rd countries in contravention of provisions of Articles 44 to 49
• Failure to comply with any obligation under Member State Law under “Delegated Acts” under Regulation
• Non-compliance with a prohibition under Article 58(2) on processing or data transfers, whether temporary or definitive
• Failure to provide access to Data Protection Supervisory Authority to conduct investigations as per Article 58(1)