Deirdre Crowley’s Guide to the GDPR for HR ProfessionalsPosted in : Webinar Recordings on 15 March 2018
In this 45-minute webinar recording, Deirdre Crowley, Partner & Head of the Technology and Employment Law Units in Crowley Solicitors, sets out practical tips and answers your questions live in order that you can be better prepared in your HR department for the coming of the GDPR on 25th May. Time is tight but a lot can still be done before the deadline to minimise risks and get your systems in better shape.
Topics covered in this webinar include:
- Data Protection Commissioner
- Retention Periods
- Data Protection Officers
- Audits by the DPC
- Outsourcing Internal Functions: Controller-Processor Agreements
- The Importance of Training
- Incident Breach Management
- Subject Access Requests
NOTE: The following transcript has, where necessary, departed from the recorded interview to better clarify data protection law and best practice. Like the webinar recording itself, it does not constitute legal advice but is a useful guide to the GDPR and data protection matters in Ireland in March 2018.
Scott: Good morning, everybody. This is Scott Alexander. I’m from Legal-Island. Welcome to the first of a series of webinars from the National College of Ireland in association with them. If you have a look at our forthcoming webinars page, you can see registration details for other webinars that will be coming up in the series in conjunction with the National College of Ireland.
We’re just waiting on a few people to join us. Whilst you’re there, you’ll see there’s a series of slides on your screen. The National College of Ireland has an MBA open day next Thursday, from 6:00 to 7:00 in the evening. You can meet the staff and go to some mini-lectures. Listeners to this broadcast will also receive a 25% discount on a brand new GDPR-compliant e-learning module from Legal-Island and you’ll get details after the webinar.
Now, you can send some questions. You’ll see a chat box on your screen. So, you can send some questions today. I don't know how many we’re going to get through. We’ve had hundreds of questions from people. We have hundreds of listeners. The topic is, of course, the general data protection regulation and the updated Data Protection Act that will be coming in to Ireland from May the 25th. But it highlights the kind of interest that we’ve got.
Our speaker today is Deirdre Crowley. She’s Head of Technology and Employment Units at Crowley Solicitors. She’s well-known to anyone who’s been to an annual review of employment law from Legal-Island. But she’s also been giving data protection advice to clients for 15 years.
Now, you’ll see from the slides that Crowley Solicitors also has an offer on outsourced and shared service models or functions for data protection officers or privacy officers. So, we hope to cover all the issues on the slide, including data protection officers, and deal with very practical issues today. But just to start off, Deirdre, we’re going to look at the DPC because there’s some reassurance here for listeners that it’s not quite as scary as might be told depending on where you read. So, tell us a bit about DPC and morning to you, Deirdre.
Deirdre: Thanks, Scott, and good morning listeners. We’ve heard very recently from Helen Dixon, the Irish Data Protection Commissioner, that she is going to be very considered in relation to the fines and penalties that she applies to businesses. She specifically said that she’s going to be fair. She’s going to be proportionate and she’s going to assess the level of preparedness within each organisation for the GDPR.
Equally, on the other hand, she’s been quite clear about the fact that if you fail to prepare, you are preparing to fail. Come the 25th of May 2018, the GDPR is going to have day one effect. Helen Dixon said that she will use the full toolkit of enforcement powers available to her against organisations from that date in the event that they are not prepared. Certainly, the strong message the DPC ‘s office is sending out is that as long as you are prepared, as long as you’ve done the exercise of setting up your compliance program for privacy within your organisation and as long as that program is clear, and demonstrates accountability and demonstrates compliance, her response will be reasonable and proportionate.
Most importantly, the Data Protection Commissioner’s office is very strong on the point that privacy compliance programmes are to be communicated to data subjects. The message is that if an organisation prepares in this way, they will be well placed to deal with a data breach.
The message that we’re quite keen to communicate to our clients and to the listeners today is that breaches happen. They are part of life, they are a reality of operating in the commercial world and it is a question of how an organisation deals with a data breach and how it implements its incident plan to respond to a breach when it happens. This is the area that Helen Dixon has indicated she’s going to be very keenly observing.
Scott: So, there’s a number of things in there, maybe that they’re not going to come up with the big fines, the €20 million, the headline stuff, or the €10 million straightaway for most people, but that’s provided you’ve been doing some of the basic stuff. We’ll be dealing with breaches in a moment, but you’ve put in plan protocols for dealing with passwords, access to websites, encryption, all those kinds of things.
You’ve also got some kind of impact assessment going on if you’re required to do those. It’s those practical things that Helen Dixon is going to be looking for when they come in and inspect because they’ve tripled their staff. The budget’s gone up. Data protection is going to be big and it’s going to be all over the place. They’re going to have a campaign about the GDPR. But it’s not all dirty big stick?
Deirdre: It is not all a dirty big stick right from the start. There are a number of other measures that Helen Dixon and her office can pursue first before they resort to fines and penalties and they include investigations. They include audits and raids. They include trying to amicably deal with complaints in the event that they happen. They include offering advice to organisations who find that they process data which is very high risk. Having engaged in best efforts to apply reasonable data security measures to the processing of (high risk) data, if controllers or processors find that they cannot appropriately secure that data, then they must consult with the DPC and her offices will assist them in dealing with the issue.
Generally speaking, Helen Dixon has indicated that her offices will not go straight to the fines and penalties stage of the enforcement procedure. What she has noted very specifically in her 2017 annual report is a 79% increase in complaints to the Data Protection Commissioner. That is a staggering increase in one year since 2016. She notes very specifically in the preamble to her report that 52% of those complaints relate to the issue of access requests.
So, this is something that is going to exercise the minds of HR professionals to a very large degree and it is something that certainly needs to be taken very seriously. Again, as long as the HR professional is prepared, as long as the HR professional has identified each form of processing activity within its department and, let’s remember, the HR department could be a processor for some functions, it could be a controller for other functions, but the key point is that the HR department has at least identified each specific processing function, and within that, then, has brought its privacy procedures to the levels that they need to be at for GDPR purposes, they can seek to mitigate against and avoid issues that attract liability.
In 2017, the Data Protection Commissioner’s Office has also handled new types of rights that are emerging. For example, in the Google Spain case, the right to be de-indexed, which is commonly referred to as the right to be forgotten, was dealt with in numerous cases. In 2017 alone, the Data Protection Commissioner found against seven organisations in respect of their treatment of a data subject’s right to be forgotten.
Scott: So, you’ve got a massive increase in requests and complaints to the DPC. Once this comes in, we can anticipate a big increase in SARs, subject access requests. So, presumably, there could be fines on those, but what you’re likely to find is that you’re going to get an inspection, perhaps, or certainly questions from the DPC if you don’t have some kind of protocol for dealing with a subject access request. My understanding if you look at the website is that their template on a subject access request is just, ‘Give me everything you’ve got.’
Deirdre: Yes. So, this is where the HR professional community is really experiencing a professional challenge right now. The compliance levels required in order to properly answer the need in the GDPR and to deal appropriately and lawfully with data subject access requests is a significant change to the current regime.
That’s not as easy as it sounds. That’s a very deep project. It involves starting with the classification of each processing activity and moving then through the procedures involving data inventory processes regarding each activity and finally onto the data classification and data mapping processes. That all has to be done before you input the outcomes of your review of your professional HR department.
Those steps come before your accountability report and they come before you can properly develop a data subject access response program. So, again, the key to the data subject access response program is going to be your retention policy and how long a piece of data within the HR department needs to be retained for.
Scott: That’s one of the themes that’s come up. There are a number of questions—how long do you keep it? If you just take the personnel file because most of our listeners are in HR, if you take the personnel file, there will be things on there like the application form, you’ll have details of next of kin. You’ll have sickness reports, you’ll have doctors’ things, you’ll have appraisal forms, all kinds of things.
The Data Protection Acts and the GDPR say that you’ve got to retain things for no longer than necessary. So, my understanding is that each bit of data could be its own and it has its own retention period and basically employers have to go through all those things and determine how long they have to keep them.
Deirdre: Exactly. That’s why the data inventory process within the HR review for GDPR purposes is so important because:
- it’s a question of identifying what data is held and
- what kind of data is on our personnel files,
- where is it stored
- what type of server is it on
- what type of software system is it on
- its location - is it in Ireland or abroad, or outside the EEA and
- who has access to it?
Of course, linked to that then is the idea that inevitably, organisations will identify and execute a data purging process.
So, once they have identified the data that they hold, they can then identify the purpose for which the data is held. Significantly also of course is the test to establish the legal basis upon which data is processed. A common practical situation we come across is that significant data is held and a significant data purging exercise must now be undertaken. By way of consolation to your listeners, this is not at all unusual and there is a natural tendency for controllers and processors to hold on to data for no particular reason. The GDPR changes all of this. It is no longer possible to hold onto data ‘‘just in case.’’
Scott: “Just in case.”
Deirdre: Just in case, because HR professionals are very keenly aware that matters can result in subsequent litigation and they are fearful of the eventuality that, ‘What happens if we’re sued and we don’t have the data because we deleted it in line with our retention policy and our destruction policy?’ The answer to that is first of all, there’s no obligation under the GDPR vis-à-vis data minimisation not to hold onto data that an organisation has a lawful purpose or a legal basis for holding.
So, yes, the GDPR is about minimisation, but in such a way as allows a business to run and to properly manage its risk. So, if an HR professional forms the view that a particular data subject or employee poses risks to the organisation of potentially a WRC claim or perhaps a personal injury claim or indeed separately now a risk of compensation for a breach of privacy claim, which, again, is a new right under the GDPR, it is reasonable and proportionate for the HR professional to justify on an objective basis why they wish to retain that data for a certain period and then to retain the data accordingly.
So, just to give some feedback I reviewed the extensive questions in advance of today’s webinar. One of the repetitive themes that I see coming up time and time again is queries in relation to retention periods - how long are we obliged to hold onto data for? Certainly, pay-related data, organisation of working time act related to data, so reference in relation to breaks, annual leave, etc., there’s an obligation to hold on to that for three years and then we look at the other data in respect of occupational health and health and safety.
They are particularly interesting because the health and safety legislation talks about data in respect of an occurrence or an accident or matter of concern needing to be retained for ten years. That’s a very significant length of time. It exceeds the statute of limitations, for example.
Scott: But that’s where incidents occur. If you’re in a fairly sedentary occupation and nobody’s put in a claim and you haven’t seen any injuries, you don’t really have the justification to hang on to that information. It’s not as if, ‘Oh, there might be a claim within the next ten years,’ so just in case, we’re going to hang on to everything for ten years or there may be a WRC claim, so we have to hang on to it for longer than six months. Pensions and stuff you might have to keep for years and years. It really is each on its own merits, isn’t it?
Deirdre: It is. Each piece of data must be considered from the point of view of retention and the other tests required by the GDPR on its own merits. It is also worthy of note that the only type of data relevant to the GDPR is personal data. Commercial data is not relevant. The definition of a data subject is interesting also.
Scott: Data subjects are living people?
Deirdre: Yes, a data subject must be a natural living person. A data subject cannot be a deceased person and also, it is data that is personal to that data subject and that falls within the definition of personal data or, indeed, special categories of personal data. That is an important side-step because one of the first tests that must be carried out by anybody dealing with a data subject access request is whether the request is in fact for personal data and further that the request has been made by a data subject as defined in the GDPR.
However, just to go back to answer your question about retaining data, the GDPR does not permit the notion of retaining data ‘just in case’ something might arise in the future. My view is that this would not be held to be reasonable by the Data Protection Commissioner.
However, if an HR professional forms a reasonable view based on evidence that there is a risk of litigation of whatever nature so, let’s take the bullying and harassment-type example, where there’s a grievance and regardless of whether the grievance has been held to be well-founded or not, the bottom line is there was a grievance, someone was unhappy and someone may continue to be unhappy.
If a HR professional forms a view that the employee or data subject poses a reasonable risk from a litigation point of view, then as long as the appropriate analysis is carried out in the risk assessment, I think it would be difficult for a Data Protection Commissioner to find against an organisation for holding on to that information for a specific period of time. But it is important to qualify that answer by saying that in the event that it is retained, HR professionals and their colleagues must be satisfied that the data is appropriately secured and, if necessary steps are taken to pseudo-anonymise or fully anonymise it and to restrict access to the data.
So, previous standards that may have applied continue to exist and are enhanced and strengthened by the GDPR.
Something we discussed before the Webinar is this notion that HR professionals must all of a sudden now be cybersecurity experts as well as everything else that they’re expected to be. It is not the sole remit or responsibility of HR or any one department internally. It is very much a pan-organisational brief.
It’s important that whoever the privacy officer/DPO for an organisation is, that they are appropriately resourced in order to perform their functions. That’s not just good advice. That’s now a legal obligation. So, that’s in the GDPR. Something that we hear quite frequently although it’s less of an issue these days because D-day is looming, people find it difficult to convince the board or to convince senior management to appoint the appropriate resources to the GDPR project.
Scott: Okay. We’ll come back to the DPO because the data protection officer is another common theme that has come in. Just for one or two of the listeners online that have been sending in questions, yes, we will be putting the slides up on the resource section of our website along with a stream of this.
So, if you want to check back on anything, you can, or indeed, as Deirdre’s just suggested, send it on to somebody else in your organisation to listen to to say this is part of the law now, you must adequately resource the GDPR, you can do that. We’ll also create a transcript. That’s probably a couple of weeks away. The stream will be on a little bit later today, but the transcript usually takes a couple of weeks for us to tidy up and get rid of the ‘mms’ and the ‘ahs’ and such like and just double check that we haven’t inadvertently mistyped a word and given you some bad advice.
You’re listening to Deirdre Crowley from Crowley Solicitors. I’m Scott Alexander from Legal-Island and we’re discussing the GDPR. The next subject you just mentioned there was data protection officers. Now, they’re a specific legislative beast, if you like. They need to be independent. They are protected in law. And there are a number of issues around that particular data protection officer. Whether it should be a data protection officer or some other name because they do have a specific definition.
So, if we take the first one there, they have to be independent of the controller. They have to be independent within the organisation. So, tell us more about that.
Deirdre: The question is to
(1) the independence of data protection officers
(2) the qualifications they need to have prior to appointment and
(3) what the fallout is in the event that the data protection officer offers advice to the business and the business decides to refuse to accept that advice. These are all topical issues
So, just to take each piece in turn, the data protection officer is somebody who is required by the GDPR to have certain professional qualities and in particular, to have an expert knowledge of data protection law and the practices and the ability to fulfil the tasks referred to in the GDPR. What are those tasks? There are many tasks relevant to the privacy brief. The tasks are very significant and they talk about the obligation on the DPO to inform and advise the controller or the processor as to their privacy obligations. Also, by way of reminder, the obligation to appoint a DPO arises for both controllers and processors and is not unique to controllers.
Scott: The controller in most organisations is its chief executive, effectively. They would be ultimately responsible or it would be the board. It’s the employer themselves who would, in ordinary circumstance, be the controller.
Scott: So, you’re advising and informing the controller as a senior position as well as being independent.
Deirdre: Yes. It’s a very senior position. The DPO must have direct access to the board. So, the DPO is quite a unique role within an organisation. The data protection officer cannot, for example, be victimised or penalised for having raised a concern with the controller or the processor.
In relation to the protection of the employment status of the DPO, it is envisaged that the DPO will have special protected status under Irish employment law, similar to that, for example, of a whistleblower. We know that in the case of a whistleblower, if they make a protected disclosure and are penalised or victimised as a result by their employer and they are unfairly dismissed, they can win up to five years’ salary by way of compensation.
So, bearing in mind that the DPO is someone who is required to have expert knowledge of the area and is someone who is reporting to the board, they are certainly going to be an expensive resource for the organisation and it would indeed be an expensive day out in the event that that person were to successfully challenge their dismissal.
Scott: They have other responsibilities you were chatting about there.
Deirdre: Yes. The DPO must have an expert knowledge of data protection law. They must assign responsibilities internally. They have overall responsibility for the privacy breach. They must raise awareness through training of staff involved in the processing activities. They must conduct audits as they see fit. They must provide advice.
They must also cooperate with the supervisory authority in respect of any matter as needed and act as the contact point in relation to issues regarding data processing and potential breaches. The DPO must also consult with the DPC in relation to high-risk processing activities.
So, the data protection officer is a key person within an organisation. I have met very few, and I can count on one hand the amount of people I can say I have met through working in this area very recently, specifically in relation to the DPO piece, who actually fulfil all of the requirements that are in the GDPR. So, instead, what organisations are obliged to do is either appoint an existing employee into the role of DPO or appoint an outsourced service to the role and properly resource that entity or that person to fulfil their brief.
Typically, we find that that means that whoever is performing the function would need strong support from a resourcing and a project management point of view. They typically need cybersecurity advice and legal advice.
Scott: So, that can be resourced. But the DPO is specific to certain organisations. So, it’s the public sector and people who use particular data or a lot of that or that special category of stuff. So, it’s not everybody needs a DPO. What would your advice be if you’re one of most organisations, presumably, outside the public sector who do not require a DPO? You still need somebody with responsibility for your plan and your GDPR plan.
Deirdre: Yes. So, certainly, the organisations that we have found outside of the public service who require to appoint a DPO are few and far between because normally, it is very clear as to who needs to appoint a DPO. You handle special categories of data, you handle big data or you are a public authority and you fall squarely within the provisions of the GDPR from the point of view of the requirement for a DPO.
If an organisation does not have a legal obligation to appoint a DPO, our advice has consistently been that a DPO, in other words, a person of that name, data protection officer, who aspires to comply with the obligations of a data protection officer under the GDPR should not be appointed because that is an organisation that holds itself voluntarily to the higher level of compliance and they will be held to account to that higher level.
That is not to say that an organisation needs to then rest easy, that they do not need to appoint someone to the position. The bottom line is that if you do not need to appoint a DPO, you must still comply with the GDPR. Therefore, you must appoint a privacy officer or, as some organisations are calling it, a data champion within your organisation. I think it is important to pause on that for a moment. What we are also seeing working quite well within organisations is that a privacy officer who is the person ultimately responsible for coordinating the privacy plan is appointed, but that person does not shoulder the burden of privacy compliance all on their own.
They have an appointed person and indeed a deputy person on each team in each department within an organisation who feeds back to that privacy officer in relation to each team’s processing functions. So, it’s very much a collaborative effort.
Scott: Just a final question really on this privacy expert, if you like, whoever that happens to be. They would be the ones that would be arguing, ‘Look, you’re going to have to mainstream GDPR here.’ If you bring in a new process, you just have to ask the question will it have an impact on data subjects and if it does, what are we going to do to ameliorate the impact or the risk of a breach? It’s fairly simple stuff, if you like, at that level. It becomes complex when you drill down, but the bottom line is you’ve got to start thinking privacy.
Deirdre: Yes. So, the GDPR obliges businesses now to make the data protection discussion part of normal business vernacular. Data processing and privacy need to become operational issues. They must appear on agendas for discussion for example. There is no point bringing your privacy officer or your data champion into a discussion after you have purchased a new software product. It is not the way to go anymore from the 25th of May. That person needs to be in the room at the point of purchase.
Scott: And just to clarify, one of the questions that has come in there just on this particular subject is an organisation may be subject to random audits by the DPC or is it just if there has been a breach? It can happen anytime. They are not just waiting around for breaches.
Deirdre: It could happen anytime. Now, on that point, there has been a lot of discussion in recent years, particularly since 2016 when the regulations were first brought out, as to how well resourced the Data Protection Commissioner’s office is. Something I find that I come across in practice is the notion that ‘‘we’re not an organisation that is being investigated or we are not an organisation that has come to the attention of the Data Protection Commissioner in the past, therefore surely, we need not worry too much about this.’’ The answer is that every business regardless of their sector or business function is subject to the obligations in the GDPR if they process personal data in the EEA.
The DPC can engage in random audits as she sees fit. In fact, in the past, she has been very open about the fact in her annual reports that she does wish to inspect certain sectors from a data processing point of view and she has published her findings in respect of each of these random audits. So, yes, at any time an officer from the Data Protection Commissioner office could call to your organisation if you fall within the scope of the GDPR.
Scott: One of the other themes that came through there is that HR outsources quite a lot of its functions. If you outsource a function such as your occupational health or your payroll or whatever it happens to be, that’s part of the special category status, so it brings with it an extra level of protection, if you like, and safety requirements around it.
But it also means that you need an agreement and a pretty watertight agreement between the controller, i.e., the person that effectively owns the data and gives it to somebody else, and the processor, the one that does the work on behalf of the processor. So, maybe expand on that. How important is this agreement? What kind of things should be in it?
Deirdre: Sure. So, yes, the GDPR obliges agreements to be in place between the controllers and processors now, such that the apportionment of duties and responsibilities under the GDPR are very clear and such that the data controller has given clear instructions to the data processor as to their duties and obligations.
Controllers also need to do proper due diligence on all processors or vendors in the HR context and put in place appropriate cyber liability insurance. So, this is a commercial contract now. Again, as privacy has become operational, all of the usual operational contractual requirements would apply there.
Scott: Many people have these contracts at the moment. They’re going to have to change. I suppose the processor might say there is more expense and whatever. That might have to be part of the negotiation. But the bottom line is that anything prior to the 25th of May probably isn’t going to be adequate because we’ll be looking at breaches in a moment, but the duty to report a breach is one of the clauses that has to go in, the duty to do audits or the right to come in and inspect a processor’s operation, it’s those types of things that really expand on some of those.
The commercial reality is that people might have to renegotiate something but there are certain things that if you want to be protected as a controller, you have to tell the processor to do certain things, otherwise you don’t get the protection.
Deirdre: Yes. Also, the protection arises in respect of both controllers and processors. So, for example, for those entities that are typically processors, to whom HR professionals outsource functions to, they are at risk now because the GDPR apportions liability on a joint and several basis between the controller and the processors. It is as much in the processor’s interest as the controller’s interest to clarify the line of responsibilities between the parties.
So, it’s in everybody’s best interest to make sure this new departure in the GDPR from the point of view of joint and several liability can properly be applied fairly between parties. The only way to do that is by way of clear written terms in the data processing agreement. So, the question is really how do controllers make sure that processers are properly processing data, securing data and retaining and disposing of data in a manner which is consistent with the controller’s practices? And the answer is, of course, to make sure that you build in requirements to audit in those data processing agreements.
This is something that I have seen in practice a strong resistance to. The reality is that the commercial bargaining power between the parties may be such that the processor is in actual fact in the greater bargaining position. However, it is the controller, that is the entity under the GDPR that carries the responsibility of regularising the duties and responsibilities vis a vis the processing of personal data. So, it is a question of all parties coming together prior to May and regularising the issues.
Scott: Okay. So, the controller or the processor, what about training and knowledge of data protection on behalf of the processor? Is that something that should be built into the contract as well? If they don’t train their staff and they’re handling your data. The HR departments out there are passing them to a processor. The HR data is being controlled by somebody or run by somebody else, processed by somebody else and if they don’t have protocols in place to keep it safe and if they don’t have somebody in charge of data protection, you may as well not have an agreement, really.
Deirdre: Yes. Absolutely. The reality is that you are only as good as your weakest link. So, you may have wonderful corporate governance. You may have awareness. You have training. But unless the message regarding appropriate data processing standards has filtered down to your frontline staff, the bottom line is you’re still at risk. So, to answer your question, yes, Article 28 of the GDPR does require training and awareness to be put in place and again, that would be quite a standard part of a data processing agreement.
Scott: Okay. Let’s move on to breaches. Let’s assume, as you’ve said already, there’s going to be a breach. Everyone’s going to get hacked. So, it really depends on what you’ve done to try and control that hacking. But as with the processor agreement, if there’s a breach, it could happen at the processor end. It could happen in the controller end, but you have 72 hours to report that breach to Helen Dixon’s office.
Scott: So, presumably you would require something in the processor agreement to say, “You have to get in touch with us within an hour, two hours, whatever.” What happens if it takes place in the workplace? Should you run a simulation exercise?
Deirdre: Yes. So, moving on to incident breach management, yes, just to take your last observation first, we do recommend that a simulation exercise is run within the HR department because if there is a breach of personal data that can be attributed to a processing activity in the HR department, then it is going to be a question of in real time assessing how you’re going to respond to that.
Let’s not forget that data breaches can happen at any time on any day in the year. So, that includes holidays, Saturdays, Sundays and the 72-hour timeframe is unforgiving. The clock starts ticking from the time of the breach. So, in terms of the data processing agreement then, it is very important that the data processing agreement expressly calls out the length of time available to a processor to inform a controller in relation to the breach.
It talks about the data processor informing the controller as soon as it becomes aware of a breach. Then it talks about a 72-hour strict, drop-dead timeline on the controller within which to notify of the breach. So, I think there’s going to be significant litigation in terms of that notification period and when a processor brings a controller up to speed in relation to what’s happening.
Scott: Now, you were talking about the processors there rightly because I asked the question about a processor, but the fact is that all staff have to know if there has been a breach to whom they report and that it has got to be done within 72 hours because if somebody, one of your IT staff out there that’s running the systems thinks there might be a breach, they may not be clear, they have still got to report it to somebody because that clock is ticking straight away. If it later transpires there has been a breach on all the account details of all the staff members, they may have been accessed.
Deirdre: So, you’ve just raised a really critical point in terms of HR’s readiness for incident management. That is to distinguish between the notion of a vulnerability, a data vulnerability that is not reportable to the DPC and a data breach. So, what you have just described, obviously, is a clear example of a data breach, but there are other examples where there is no risk to the data subject or there may be no risk of the data subject being identified. In those circumstances, an assessment needs to be undertaken by HR in consultation with their privacy team as to whether the incident actually involves a vulnerability or a breach.
Scott: Okay. Let’s take an example. We’ve got somebody who has taken some work home and they’ve left the laptop on the train or in a pub or whatever. That could be a data breach, but it may not be. Explain the circumstances when that’s not a breach.
Deirdre: Okay. So, where a data subject or an employee is not identifiable from the data that has unlawfully gone into the public domain, then the question arises as to whether the data subject needs to be informed or not. The GDPR is very clear about the fact that the DPC needs to be informed in those circumstances, but the question is, are your policies and procedures within the HR department clear enough such that you have the know-how available to you now before the 25th of May, 2018 in order to perform that simulation exercise.
Scott: So, if somebody lost their phone or their laptop and it was encrypted, that’s not a reportable one in so far as it’s not going to put anyone at risk because you can’t identify the data.
Deirdre: So, the way to look at this from an HR point of view is to simply say that if your data following your privacy review is properly secured, perhaps you’re going through a pseudo-anonymisation process at the moment or an anonymisation process, and you’re doing that in order to mitigate against your liability under the GDPR and you’re doing that to safeguard against the data you process in HR, then you may find yourself in a better place in the event of a breach where you’re notifying to the DPC. Certainly, you are going through all of those incident reporting procedures, but you do not have to engage in the wider scale PR exercise or perhaps setting up call centres, whatever is required in order to notify data subjects.
Scott: And you shouldn’t be subject to a fine either because you haven’t put anyone at risk. Is that right?
Deirdre: The answer to that is the prevailing wisdom right now is that we are going to have to wait and see how Helen Dixon and her officers treat that, but certainly if one assumes that all of the steps have been taken and appropriate incident management processes are in place, which compliment an appropriate security management program, then it’s going to place an organisation in a healthy position from a mitigation point of view.
Scott: That would include had there been a breach, say, on a website, putting on a patch to stop any further breaches and putting those protections in place, those types of sensible things, good passwords for staff members, encrypting mobile data, not sending personal data by email, for instance, those types of things would minimise the risk. If somebody does manage to get through and they can’t identify this living person, then there really hasn’t been a data breach as such.
Deirdre: The key fundamental rationale behind the GDPR is that data subjects own their own data. The organisations, the employers do not own the data. It belongs to the data subject and the employers/controllers/processors are processing it for a particular function. To be clear, there may be a data breach where personal data has unlawfully been made available in the public domain without a data subject’s consent or knowledge, but if the data subject is not identifiable from that data, then there will, I expect, be a responsibility to report to the DPC but not necessarily to the data subject.
Scott: Okay. Let’s keep to the fact that the data is owned by the subject themselves. So, that’s the living person. Quite a lot of the things that we came up with there are subject access requests - we’ve been getting an awful lot of queries on those types of things. So, within HR, you hold lots of data on an individual. That individual has the right to see all that data to make sure it’s not being kept inappropriately, that it’s not being kept too long.
So, looking at a subject access request that comes in, an employee says, “I want you to give me everything you have on me,” just a really tough one. It’s sent out on emails, sent in the HR files, it’s sent off to the pensions people, sent off to OH, that type of stuff. What are the kinds of difficulties? There are 30 days to deal with that access request and my understanding, going back to the breach, it doesn’t matter if the subject access request comes on the first day of the school holidays, the 30 days clock is running and you’ve got to have some kind of protocol or system to deal with a SAR coming in at any time. So, tell us more about subject access requests.
Deirdre: So, data subject access requests are something that all of us working in the employment law and HR sphere are very familiar with. They have been around for a long time. They are very clearly provided for in the current data protection legislation. They have received significant attention in the GDPR. They have been enhanced and widened. So, it is the case now that employees who make a data subject access request have significantly greater rights of access than they would have had under the older and current regime.
So, the right of access has been widened to include rights such as the right to portability of data, the right to erasure of their data. We heard earlier that this year, Helen Dixon has seven reported decisions in relation to that right to be forgotten, which is something new. We now have an enhanced right to rectification of data.
Scott: Now, rectification is where you say, “Something is wrong. I want that tweaked.” And erasure is, “I want that removed.”
Deirdre: Yes. We’ll talk about the fact that those rights in the employment context are not absolute in a moment, but just to finish on the data subject access request, the data subject access rights themselves, the right of rectification arises when a data subject alleges that their data is inaccurate or somehow out of date. That’s not particularly a highly contentious matter. That can simply be rectified by a supplemental statement or simply correcting the data, but it is the right of restriction of processing, which is interesting.
A data subject can object to direct marketing and interestingly, it’s important for those working in the marketing space to remember that the e-privacy regulations are also in the ether and they were supposed to come into effect on the 25th of May, but it looks now like they are going to come into effect in September. So, the take-home really from the point of view of subject access requests for the HR professional is that data subject access requests now are all about taking a privacy by design approach and being aware that the data belongs to the employee.
Coming back to what we were discussing earlier, in our view, it is a wonderful thing if a data subject access request comes in and an organisation’s retention policy is so clear that the access request can be dealt with in a routine way. We are encouraging all of our clients and all listeners today to make their data subject access response systems clear and transparent such that they can routinely and quickly comply with them.
Scott: So, we’re coming to the end of the broadcast here. Too many questions to deal with, but we’ll see what we can do with them afterwards. But just on the subject access requests, one of the key things there would be to train staff to know what it looks like because somebody could turn up at reception with a subject access request and it could sit in a filing tray for a month and then you’re out of time and then there’s a report to the DPC saying they haven’t given the subject access request. It certainly doesn’t look good. Or it can come in an email or it can come in one of the holidays.
So, really, dealing with those, it’s your employee’s data. They’ve got the right to see it. They’ve got the right to ask you to rectify it, to erase it. It’s not absolute. You can retain it and justify retaining it. But what you don’t have the right to do as an employer or HR department is ignore the fact that the SAR has come in or not put in some kind of protocol to recognise it when it comes in. That comes down to training of other staff, not just HR people. The request could come in anywhere.
Deirdre: The advantage of having an awareness program on your subject access request policy is that there’s an appointed person or deputy person who has carriage of responsibility for dealing with data subject access requests.
Just one important point to pick up on, which I see as a recurring theme as well, the timeframe within which to respond to a data subject access request is 30 days, but this time period can be extended under the GDPR now to three months for a very complex or lengthy data subject access response. So, I think that’s something that will be welcomed by HR professionals.
Scott: And a lot of that stuff, when people want to see it, it may be blended in with other things, such as emails. So, you may have to redact it and certainly something that came up yesterday which I didn’t know about, but it came up at a conference that we were running yesterday in Belfast is that a number of organisations are using data redaction software, which brings it out and blackens the confidential stuff.
So, there’s no need to photocopy everything and then black out the photocopy and then photocopy it again because you can still see it. The software does that kind of thing. But it does have to be read. That’s one of the difficulties. If you say, “Deidre Crowley asks to see her data,” and we just say, “There’s your file,” there could be other people involved in that file, other data subjects and they’ve got a right to protection as well that we should be passing on. It’s quite a complex, time-consuming area that we’re looking at here.
Deirdre: It is a complex, time-consuming area. Obviously, within the constraints of our webinar this morning, we won’t get to all GDPR issues. I suggest to HR professionals that a key outcome from the session would be that as part of creating awareness of the issue within your organisation, make sure that minutes of meetings outside of the HR context are carefully controlled such that personal data does not infiltrate the commercial data sphere. The efficiency of your responses will really be down to the efficiency of your data control procedures.
Scott: Okay. We’re going to have to leave it there, I’m afraid. The webinar is coming to an end. Just to remind you, it will be up on the website this afternoon. So, you can listen back or you can check things. We will get it transcribed, but it maybe takes us a couple of weeks. But thank you very much to Deirdre Crowley, from Crowley Solicitors. Thank you very much to the NCI for hosting this webinar and indeed most of the series this year and hopefully, you’ll be able to tune in later again. If you want to listen to other webinars, go to the forthcoming webinars page. We’ll be in touch just to see what you thought of today.
Thank you very much. Thanks for listening. Bye, bye.
Deirdre: Thanks, everyone.
More on Data Protection & Freedom of Information
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.