Professional April 2018

TECHNOLOGY INSIGHT

GDPR roundtable – developing best practice

The CIPP’s General Data Protection Regulation (GDPR) roundtable, which took place on 13 February 2018, was opened and chaired by Vickie Graham, associate director of marketing and business development at the CIPP. As well as the roundtable discussions, the event had guest speaker sessions provided by Claire Wright from CLF Consulting and Andy Collins from Omni Cyber Security.

With recent research from Deloitte suggesting that only fifteen per cent of organisations will be GDPR-ready by the implementation date of 25 May 2018, the roundtable set out to confirm some key points and dispel myths to help the payroll industry prepare.

Moving from Data Protection Act to GDPR

The biggest difference between the Data Protection Act (DPA) and the GDPR is that two of the ‘principles’ under the Act are promoted to Article status under GDPR. To help you prepare for GDPR you need to:
● understand where you are currently with the DPA and GDPR
● understand what you need to do to comply (e.g. analyse gaps)
● define what you need to do by business risk.
If you are already complying with the DPA, then the implementation of GDPR should not be as cumbersome.

Data mapping

During the event, the importance of data mapping was covered; specifically:
● departmental interviews looking at data mapping across the entire business
● spend a day in each department looking at all areas where data is captured, processed and stored
● review impact and risks identified through these activities
● mapping relationships where data is shared.

Data subject rights

The event talked about the rights of the data subject, namely:
● The right to be informed – Everyone has the right to be informed of how their personal information will be used and shared. Changing the original purpose will, in some circumstances, also require informing them of the change.
● The right to access – Everyone has the right to request access to all the information that you hold on them. Because of this, meeting the ‘data minimisation’ principle will help: only keep the information you require to carry out the processing the individual knows of, for which there is a lawful basis, and only for the period of time you require it for that purpose.
● The right to rectification – If you hold incorrect data on an individual, they have the right to have this rectified. For payroll and human resources, it would be beneficial to have a self-service portal for employees to manage domestic-related data themselves.
● The right to be forgotten – This is not an absolute right, and later in the event we discussed consent and other lawful bases by which you are entitled to process data on an individual. However, if you process data on an individual and it is no longer required, they have the right to ask you to remove them from your records. If there is no lawful basis for you to hold their data, you will need to remove them.
● Restriction – This is linked to the right to be forgotten. If someone asks to be removed, but there is a lawful basis by which you need to retain their data, you should restrict access within your organisation.
● Portability – With the data subject’s consent, it should be simple to transfer data from one provider to another, following verification that the data subject is who they say they are. This applies to specific industries.
● The right to object – Under the Data Protection Act, the right to object was

| Professional in Payroll, Pensions and Reward | April 2018 | Issue 39 26
