180 likes | 198 Views
GDPR 9 MONTHS IN. DPC Focus:. The ongoing state of health of the organisation’s GDPR compliance programme; A genuine commitment and best efforts to meeting their GDPR obligations; 3. The scale and impact of any infringement that may arise;. DPC Focus:.
E N D
DPC Focus: The ongoing state of health of the organisation’s GDPR compliance programme; A genuine commitment and best efforts to meeting their GDPR obligations; 3. The scale and impact of any infringement that may arise;
DPC Focus: 4. Whether the organisation was negligent or wilfully in breach; and 5. Readiness to engage openly and transparently with both the Data Protection Commission and the individuals whose data they process.
Data Subjects: • More aware of their data rights • Can ‘weaponise’ data law against suppliers/employers • DPC obliged to investigate complaints • Duel controlling issues arising – DPC no tolerance for lack of Data Protection Agreements or Data Sharing Agreements • Seeking to be deleted – but this can only be done in accordance with statute • Data Protection Policy/Privacy Notice/Cross Border/Technical and Organisational Measures
GDPR 8 MONTHS IN – What must you now have in place Ensuring compliance
What should you have in place by now: • Data Mapping and Data Processing Logging document with the lawful basis of processing recorded beside each process • Identification of data locations and where data is transferred to • Identification of the lawful basis of processing • Identification of retention periods • Identification of IT technical measures, security and data safety • Privacy Policy AND Privacy Statement/Notice • Amendments to your T&Cs, employee contracts and handbook
What should you have in place by now: • Data Protection Impact Assessments • Legitimate interest balancing assessment • Data Processing Agreements/Data Sharing Agreements • Data Protection Officer/Oversight/Audit • Breach notification process • Data Subject Response Policy • Test Run for compliance with data subject rights • Adherence audit and checking mechanisms
Identification of the Lawful Basis of Processing • What lawful basis is your organisation relying on in the processing of data? • Is it an appropriate basis? • If you are relying on consent – have you analysed whether and how do you prove the consent is freely given? • If relying on other bases, explain them, be transparent about them and document your rationale • Most common in recruitment: contract, legal obligation, legitimate interest and consent
LAWFUL BASIS CAN AFFECT THE RIGHTS AVAILABLE TO INDIVIDUALS: THIS IS A GRAPH GENERATED BY THE BRITISH SUPERVISORY AUTHORITY (ICO) OF WHICH RIGHTS ARE INOPERABLE UNDER GDPR DEPENDING ON THE LAWFUL BASIS ENGAGED:
WEC GUIDELINES ON CONTROLLERS AND PROCESSORS • AGENCY WORK • DIRECT RECRUITMENT • RECRUITMENT PROCESS OUTSOURCING • MANAGED SERVICE PROVIDER • VENDOR • OUTPLACEMENT/CAREER-MANAGEMENT
WEC GUIDELINES ON CONTROLLERS AND PROCESSORS • AGENCY WORK • Each of the employment agency and the user-company (hirer) each determine the purposes and means of processing data of the agency-worker, they shall each be an Independent Controller. • The exchange of data is a controller to controller relationship - therefore it needs a data sharing agreement
WEC GUIDELINES ON CONTROLLERS AND PROCESSORS • DIRECT RECRUITMENT – on the surface this is a Controller/Processor relationship but …. • Where the recruitment firm supplies the jobseeker from its own database, the processing of the data is based on its own legal grounds and purposes, this is an Independent Controller to Independent Controller relationship. • And needs a data sharing agreement
WEC GUIDELINES ON CONTROLLERS AND PROCESSORS • RECRUITMENT PROCESS OUTSOURCING • This is where the agency provides an external HR service provision to the Client. • The HR service provider organises and coordinates the client’s recruitment process. • This is a controller to processor relationship – you must have a data processing agreement in place.
WEC GUIDELINES ON CONTROLLERS AND PROCESSORS • MANAGED SERVICE PROVIDER • This is specifically where the agency is providing a service which supports the client in the management, compliance, standardisation, alignment and/or coordination of different suppliers and contractors providing workforce solutions to the client. • This is where the client is the source of data to the agency • This is a likely Controller/Processor relationship and requires a Data Processing Agreement
WEC GUIDELINES ON CONTROLLERS AND PROCESSORS • VENDOR • Similar to managed service provider - this is specifically where the agency is providing a service which supports the client in the management, compliance, standardisation, alignment and/or coordination of different suppliers and contractors providing workforce solutions to the client. • This is where the AGENCY is the source of data to the CLIENT • This is a likely Controller/Processor relationship and requires a Data Processing Agreement
WEC GUIDELINES ON CONTROLLERS AND PROCESSORS • OUTPLACEMENT/CAREER-MANAGEMENT • Utilised where a company is reducing their staff • Seek the services of the agency to relocate their staff and help them find work elsewhere • Once the employee engages with the Agency – they are providing them with data for a different purpose to that of their employer (the agency client) • The Client and Agency have a Controller to Controller relationship • A data sharing agreement is required
Issues that have arisen - References Section 4(4) of the Data Protection Acts allowed for a disclosure exemption where the data was an opinion given in confidence. This has been repeated in Section 60 (3) (b) of the Data Protection Act 2018 which excludes from disclosure: the personal data relating to the data subject consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information,
HR Brief Limited contact us: • 26 Upper Pembroke Street • Dublin 2. • 01 234 3725 • info@hrbrief.ie Mary Seery Kearney: 0873291306 mary@hrbrief.ie David Kearney 0873291300 david@hrbrief.ie