Professional September 2018

Technology insight

…carried out by a data processor on their behalf. It is therefore the responsibility of the controller to ensure that clear written terms of processing are in place and that due diligence checks are carried out on the processor.

● ‘Data processor’ is “an organisation or individual who processes personal data on behalf of the data controller”. Simple; this could be, for example, a payroll bureau to which you outsource your payroll administration, or a confidential waste collection firm. Although the data processor does not have ultimate responsibility for the processing, they do have to process in accordance with the principles and conditions of the GDPR too. They are also subject to the written terms of processing from the controller.

Steps to GDPR compliance

● Accountability – Do you know what personal data you process and what purpose it is processed for? Can you demonstrate how you meet the obligations of GDPR? Have you looked at this across the organisation, not just in obvious departments? Currently, organisations that process personal data are required to register that they process personal data with the UK supervisory authority – the Information Commissioner’s Office (ICO) – and pay a nominal fee. With GDPR you will need to physically demonstrate compliance. To understand what personal data you process, a data mapping exercise is needed. This activity will help create a personal data asset register which can be used to demonstrate and manage your GDPR compliance.

● Appointment of a data protection officer (DPO) – Public authorities, and organisations that process personal data as a core activity or carry out large scale processing of special categories of personal data, must appoint a competent DPO. What is classed as ‘large scale’ has not been defined, but industry guidelines indicate 250+ employees and/or records as a guide. The role of the DPO is to offer impartial advice and support in regard to all processing and legal activities. Having such a person within an organisation will deliver the confidence and governance required. Even if you are not prescribed by the GDPR to appoint a DPO, there could be significant benefits in doing so. The role of the DPO can be full- or part-time. Where it is carried out as a part-time activity within a full-time role, there must be no conflict of interest in their being able to fulfil their role as DPO.

● Training and awareness programme – It is easy to be distracted by the technical controls we put in place to manage the security of our data, but statistics show that 64% of data breaches occur due to human error, compared with 16% due to cyber security. It is critical that our employees understand their roles and responsibilities and that we equip them through appropriate and regular training and awareness programmes.

● Privacy by design – When new processes are implemented or current processes changed, it is important to ensure that they are reviewed against the provisions of the GDPR. This will ensure that privacy risks have been considered and planned for early in a project or implementation lifecycle. Remember to update your data asset register.

● Breach management – 72-hour compulsory breach notifications have been introduced under the GDPR. These are made to the regulator and may also include notification of the breach to the individuals concerned.

● Individuals’ rights – The most common right is that of access to all personal data that an organisation processes about you. This is an absolute right and can be requested at any time. Under the current legal framework, you have forty calendar days to respond to a request and can charge a nominal fee. Under GDPR, the information is to be provided without delay and within one month of the date of receipt of the request. For some organisations, this will have a resourcing impact. There are other rights. You need to familiarise yourselves with these and with which are relevant to your processing activities. Remember, though, that where there is a legal basis for processing (except consent), the right to object and/or erasure would not be applicable.

● Data minimisation and retention – Keep it short and sweet: only process the information needed to perform the task. When you start to process unnecessary data, you put yourselves at potential risk of a breach and assume the role of data controller.

Outsourcing processing

Many organisations choose to outsource their payroll processing services. This can be attributed to numerous factors, of which resource and capability are the main drivers. Outsourcing the processing does not outsource the responsibility. You should select a processor that can demonstrate they meet the obligations of the GDPR and are subject to written terms of processing and regular supplier due diligence audits/measures.

What should we do first?

● Ensure that senior management are clear on and committed to the requirements of GDPR and are key sponsors of the project.
● Conduct a data mapping exercise.
● Appoint a DPO, if necessary.
● Check that adequate privacy policies and procedures are in place.
● Review that privacy notices are accurate and easy to understand.
● Understand what legal basis you are processing under, and where you rely on consent ensure that the conditions of GDPR are met.
● Review retention periods and check that records are being managed in accordance with these.
● Have processes in place for dealing with individuals’ rights.
● Check that there are written terms and contracts in place with data processors.
● Ensure that adequate physical and technical security is in place.

In summary

The GDPR may appear cumbersome and unyielding; however, the core principles should already be in place and, in most cases, will be. Start eating that elephant: understand what personal data you process, conduct a processing audit and map this against the new GDPR conditions. This will be the foundation of your compliance programme. Let’s not waste any more time debating whether we need to comply; we do. ‘How?’ should now be the question.

27 | Professional in Payroll, Pensions and Reward | Issue 33 | September 2017
