Page 1: GDPR for your Payroll Bureau

Tuesday 14th November 2017

Page 2

Agenda

• What is GDPR and why is it being implemented?

• Why employers need to take it seriously

• How it will impact payroll bureaus

• How to prepare for GDPR

• How Thesaurus is working to help you

Page 3

GDPR, what is it?

General Data Protection Regulation

• Aims to provide better protection for personal data

• Current data legislation dates back to 1998

Page 4

Data is getting out of hand

• Data brokers collect more than 50 trillion unique data transactions per year

• 82% of Android apps track your other online activities

• If you read all of the terms of service for all of your apps it would take 76 days

• PayPal’s Terms of Service is 36,275 words long: that’s longer than Hamlet

Page 5

GDPR D-Day

145 Working Days to go

Page 6

Reasons to Pay Attention!

FINES

€20,000,000 or 4% of turnover

€10,000,000 or 2% of turnover

Serious breaches

- Not having sufficient customer consent

- Violating Privacy by Design

Serious breaches

- Failure to document & communicate Joint Controller relationships

- Failure to ensure contract with Data Processor

Page 7

Key Terms

• Data Subject: an individual who is the subject of the personal data

• Data Controller: controls the contents and use of personal data

• Processing: operations performed on personal data, whether or not by automated means

• Controller: the party who determines the purposes and means of the processing of personal data

• Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

• Processor: the party who processes personal data on behalf of the controller

Page 8

Supervising Authority

Website www.ico.org.uk

www.gov.uk

E-mail:

Phone: +44 303 123 1113

Page 9

Who does it apply to?

• EU companies that process personal data, regardless of whether the processing takes place in the EU

• Non-EU companies who offer goods or services to individuals in the EU, irrespective of whether payment is required

• Non-EU companies who monitor individuals’ behaviour that takes place in the EU

Page 10

What is Personal Data?

“Any information relating to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify a person.”

Examples:

• A name

• A photo

• An email address

• Bank details

• Posts on social networking websites

• Medical information

• CCTV images

• Records of websites visited

• A computer IP address

Page 11

- Key areas to consider

Page 12

Six Principles of GDPR

Personal data shall be:

1. Processed lawfully, fairly and in a transparent manner

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

3. Adequate, relevant and limited to what is necessary

4. Accurate and kept up-to-date

5. Kept for no longer than necessary

6. Processed in a confidential and secure manner

Accountability: demonstration of compliance

Page 13

Lawful Processing

Processing is only lawful if:

• Data subject has given consent

• Necessary for the performance of a contract

• Necessary for compliance with a legal obligation

• In order to protect vital interests of a person

• Necessary for public interest or official authority

• For the legitimate interests of data controller/3rd party

Page 14

Changes to Consent Rules

Consent must be:

- Specific, informed, unambiguous and freely given

- For a specified purpose

Where consent is obtained as part of a larger document covering other things, consent must be clearly distinguished from everything else.

Evidence needs to be retained as to how the consent was obtained: forms, brochures, signage, website screenshots etc.

Language must be accessible and easily understood.

Page 15

Special Categories of Data

• Racial or ethnic origin

• Political opinions

• Religious or philosophical beliefs

• Trade union membership

• The processing of genetic data, biometric data for the purpose of uniquely identifying a person

• Data concerning health, a person's sex life or sexual orientation

Page 16

Children’s Personal Data

Under 16

Parental Guidance

Page 17

Data Protection by Design and by Default

• Privacy by design: seeks to ensure that privacy issues are considered at the outset of a project, rather than being an add-on at a later stage of the project.

• Privacy by default: by default only such personal data as is necessary for the identified purposes should be processed.

Page 18

Data Protection Impact Assessments (DPIA)

A DPIA should contain:

• A description of the processing operations and their purposes

• An assessment of the necessity and proportionality of the processing in relation to the purpose

• An assessment of the risks to the individuals

• The measures put in place to address those risks, including security measures, and to demonstrate that you comply

Where substantial risk is identified, you must refer to the Supervisory Authority.

Page 19

Enhanced Rights for Individuals

• The right to be informed

• The right to access

• The right to rectification

• The right to erasure

• The right to restrict processing

• The right to data portability

• The right to object

• Rights in relation to automated decision making

Page 20

Breach Reporting

Breach: the destruction, loss, alteration, unauthorised disclosure of or access to personal data, including through human error

Reported to the Data Protection Commissioner within 72 hours

Page 21

Incident Response Plan

1. Containment and recovery

2. Assessment of ongoing risk

3. Notification of the breach

4. Post mortem and response

Page 22

2016 Reported Breaches

Theft of IT Equipment 14

Website Security 103

Unauthorised Disclosure – Postal 570

Unauthorised Disclosure – Electronic 376

Unauthorised Disclosure – Other 1,117

Security related issues 44

Page 23

The Data Protection Officer (DPO)

Mandatory for:

• Public bodies

• Organisations engaged in “large scale” regular/systematic monitoring

• Organisations whose core activities consist of processing “special categories” of data or data relating to criminal convictions

• May be mandatory in other contexts as defined by Member State law

The DPO must:

• Have “expert knowledge” of data protection law

• Be involved in a “timely manner” in discussions of personal data processing

• Have their details provided to the DPC

Page 24

Civil Liability

Individuals can claim compensation for material loss and non-material damage, including:

• Distress

• Hurt feelings

• Reputational damage

• No proven financial loss required

Page 25

- Start Preparing Now

Page 26

1. Your Data Inventory

• Create an inventory of all personal data held

• Why are you holding the data? What is the legal basis?

• How is the data obtained?

• Why was it originally gathered?

• How long is the data held for?

• How is the data saved? Securely?

• Is the data shared? With whom?

Page 27

2. Data Privacy Notices

• The business identity

• Contact details for the business and the DPO, if applicable

• The reasons for collecting the data

• The use(s) to which the data will be put

• To whom the data will be disclosed

• Whether the data will be transferred outside of the EU

• The legal basis for processing the data

• Where the processing is based on the legitimate interests of the business, the legitimate interest concerned

• Where the processing is necessitated by a statutory or contractual requirement, the consequences for the individual of not providing the data

• The period for which the data will be stored, or the criteria to be used to determine retention periods

• Whether the data subject will be subject to automated decision making

• The rights of the individual under the GDPR

Page 28

3. Further Preparation

• Speak to Data Controllers or Data Processors

• Processing children’s data?

• Will access requests change?

• How will you manage breaches?

• Data by Design / Data Protection Impact Assessment

• Do you require a Data Protection Officer?

Page 29

GDPR from an HR Perspective

Lawful processing

• What is your reason for retaining and processing personal data?

• Consent is no longer an option for HR data

• Imbalance of power between employee & employer

Remaining bases:

1. Legitimate interests of the business

2. Performance of a contract or legal obligation

Increased employee rights

• Clear policies

Delete, delete, delete

Page 30

- How Thesaurus Software is Preparing

Page 31

It’s your data

Keep your password safe!

Page 32

What we have done

New in-program features

Updated our Privacy Policies

Internal IT audits

Increased security – in house

Introduced extra consent fields

Staff training

Bright Contracts updated policies

Page 33

Thank You!

G.D.P.R. General Data Protection Regulation

25th May 2018

BrightPay www.brightpay.co.uk

[email protected] PH +44 (0) 845 3004304

Bright Contracts www.brightcontracts.co.uk

[email protected] PH +44 (0) 845 3004305

Page 34

- Appendix: GDPR List of Offences

Page 35

2% Offences

• Breaches of provisions relating to consent of children

• Asking for personal data, citing GDPR as basis, where you are not processing identifiable data

• Failure to implement Privacy by Design/by Default

• Failure to document & communicate Joint Controller relationships

• Failure to appoint a representative if based outside EU

• Failure to ensure contract with Data Processor

• Engagement of a sub-processor by processor without authorisation

• Failure to include prescribed content in Processor Contracts

• Processing data by a Data Processor other than on instruction of Data Controller

• Failure to ensure DPO does not have conflict of interest in execution of duties

• Failure to execute tasks of the DPO under Article 39

• Failure to apply required controls or safeguards under a DP certification scheme

• Failure to keep records of processing activities (Article 30)

• Failure to cooperate with the Supervisory Authority

• Failure to ensure appropriate level of security over personal data

• Failure to ensure ability to restore availability and access to data

• Failure to conduct regular testing of effectiveness of technical and organisational controls for information security

• Failure to notify data breach to Supervisory Authority

• Failure to communicate data breach to Data Subjects (where required)

• Failure to conduct Data Protection Impact Assessments (when required)

• Failure to consult with Supervisory Authority where PIA suggests high risk to rights of individuals

• Failure to engage DPO in a timely manner

• Failure to support DPO in performance of tasks, including provision of resources, access to data and processing operations, and opportunity to maintain expert knowledge

• Failure by a certification body to meet the conditions for accreditation or where actions of the accrediting body infringe the Regulation

Page 36

4% Offences

• Breaching any of the core principles of GDPR

• Failure to implement measures to comply with the accountability principle

• Failure to comply with standards required for consent, where consent only basis for processing

• Unlawful processing of “special categories” of personal information

• Infringement of rights under Article 12 – 22

• Transfers to 3rd countries in contravention of provisions of Articles 44 to 49

• Failure to comply with any obligation under Member State Law under “Delegated Acts” under Regulation

• Non-compliance with a prohibition under Article 58(2) on processing or data transfers, whether temporary or definitive

• Failure to provide access to Data Protection Supervisory Authority to conduct investigations as per Article 58(1)