#firmday manchester autumn 2017 - the general data protection regulation (gdpr) & in-house...
TRANSCRIPT
The General Data Protection Regulation (GDPR) & In House Recruitment:
What could possibly go wrong?
Lucy Kendall, ComplyGDPR
A few quick reminders of the key points of the GDPR
1. European Regulation that comes into force on
2. Affects all companies with offices in the EU (EEA).
3. Affects any company processing the data of European (EEA) residents, irrespective of where they are located in the world.
4. PECR (Privacy & Electronic Communication Regulation), which affects direct marketing, is under review, due 2018.
5. Elevated level of sanctions, including fines of up to 10M Euros/20M Euros (2% or 4% of global turnover).
6. Adopted as the UK is part of the EU at the enforcement date, and continued as part of the Withdrawal Bill.
What has the UK Information Commissioner said?
“The new (GDPR) legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks.
It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation”
Elizabeth Denham, UK ICO Commissioner, January 2017
“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.
“We have always preferred the carrot to the stick.”
August 2017
Those 2 WORDS………
Why have we reached this point?
At the centre of the GDPR is the individual and their rights (the data subject): an individual's right to exercise control over their own data.
1. Transparency: what is held, why and how it will be used.
2. Request to see what is being held (no fee).
3. Require that data is deleted.
4. Require that data be corrected.
5. Require data to be transferred.
6. Object to data being processed.
What recruiters need to do – GDPR responsibilities
1. Assess the risks and mitigate the risks that you create for others.
2. Take technical measures to protect data.
3. Take organisational measures to protect data.
4. Don't use data for purposes other than it was collected for.
5. Keep data up to date and no longer than is necessary.
6. Monitor and report breaches within 72 hours.
7. Have a legal basis for processing data.
Documentary evidence is key for a breach investigation.
30 day rule (if a person is unaware you have their data).
Legal bases for processing: Consent, Contract, Legitimate Interest.
Scenario 1: Accidental Email
Scenario 2: Working on the train
Scenario 3: Aggrieved Candidate & SAR
Scenario 4: Unsubscribe me!
What could you have done: mitigating the risks
Can YOU pass the GDPR test?
Do the necessary WORK and be able to show your WORKINGS.
There are some holes in my data privacy bucket!
Are there any holes in your data privacy bucket?
Policies & Process Audit, Information Audit and IT Security Audit.
FREE ComplyGDPR On-Line Readiness Audit.
What we do: The GDPR Handbook = Compliance Support Helpline, (On Line) Training, Implementation SuperUser Training, The GDPR Action Plan.
The ticking time bomb: a data breach
A total of 28,331,861 data records were compromised in the UK in H1 2017 (up 130 per cent from H2 2016). Half of data incidents in the UK involved a malicious outsider (50 per cent), with 38 per cent attributed to accidental loss. Two-thirds of the breaches in the UK are classified as identity theft (65 per cent).
Source: Breach Level Index, ONLY publicly disclosed breaches
The Ultimate Cost
REPUTATION
GDPR is not asking you to be perfect; it is asking you to do enough to demonstrate that you RESPECT, VALUE and PROTECT the personal data people have entrusted to you.
Thank You
ComplyGDPR have provided this overview for general information purposes only. It is not a complete view of the requirements of the Regulation. It does not constitute legal advice and is not to be relied on as a substitute for legal advice.
Come talk to me or email me for the link to our free GDPR readiness audit: www.complygdpr.com