For more information visit https://www.brightpay.co.uk The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world. Employers process large amounts of personal data, not least in relation to their customers and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated. In this webinar, we will peel back the legislation to outline clearly: What is GDPR and why is it being implemented? Why employers need to take it seriously How to prepare for GDPR How we are working to help you

1. GDPR for Employers:
What does it mean for your
business?
Wednesday 9th May 2018

2. Agenda
➢GDPR Overview
➢Key changes to data protection law
➢How to prepare for GDPR
➢How BrightPay is preparing for GDPR

3. GDPR, what is it?
General Data Protection Regulation
• Aims to provide better protection for personal data
• Current data legislation dates back to 1998

4. Reasons to Pay Attention!
FINES
CIVIL LIABILITY CLAIMS
BRAND DAMAGE
LOSS OF BUSINESS
COST OF INVESTIGATION

5. Supervising Authority
Website www.ico.org.uk
E-mail: registration@ico.org.uk
Helpline
Mon – Fri
9am – 5pm
0303 123 1113 (option 4)

6. Who does it apply to?
1
My business is
an SME so the
GDPR doesn’t
apply to me.
My business is
a sole trader
so the GDPR
doesn’t apply
to me.
My business is
not located in
the EU so the
GDPR doesn’t
apply to me.
2 3

7. Key Terms
Data Subject
An individual
who is the
subject of the
personal data
Data
Controller
Controls the
contents and
use of
personal data
Processing
Operations
performed on
personal data
whether or not
by automated
means
Processor
Processes
personal data
on behalf of
the controller
Personal data breach:
A breach of security
leading to the accidental
or unlawful destruction,
loss, alteration,
unauthorised disclosure
of, or access to,
personal data
transmitted, stored or
otherwise processed.

8. -KEY CHANGES TO DATA PROTECTION LAW

9. 1. Definition of
Personal Data
2. Special categories of
data
3. Data Protection Principles
4. Lawful Processing of
Data
5. Consent
6. Data Processors
7. Security
8. DPOs
10. Data Protection by
Design & Default
9. Data Subject
Rights
Employee Rights

10. 1. What is Personal Data?
“Any information related on a natural person or ‘Data Subject’, that can be
used to directly or indirectly identify a person.”
✓ A name
✓ A photo
✓ An email address
✓ Bank details
✓ Posts on social networking websites
✓ Medical information
✓ CCTV images
✓ Records of websites visited
✓ A computer IP address

11. 2. Special Categories of Data
➢Racial or ethnic origin
➢Political opinions
➢Religious or philosophical beliefs
➢Trade union membership
➢The processing of genetic data, biometric data for the purpose of uniquely
identifying a person
➢Data concerning health, a person's sex life or sexual orientation

12. 3. Data Protection Principles
Lawfulness Purpose
Limitation
Data
Minimisation
Accuracy Storage
Limitation
Integrity &
Confidentiality

13. 4. Lawful Processing
Processing is only lawful if:
➢Data subject has given consent (consent has been given)
or
➢ Necessary for the performance of a contract (needed for the contract)
or
➢ Necessary for the compliance with legal obligation
or
➢ In order to protect vital interests of a person
or
➢ Necessary for public interest or official authority
or
➢ For the legitimate interests of data controller/3rd party

14. 5. Changes to Consent Rules
1. Consent must be:
- Specific, informed,
unambiguous and freely given
- Must be for a specified purpose
2. Where consent is
obtained as part of a larger
document covering other
things, consent must be
clearly distinguished from
everything else
3. Evidence needs to be
retained as to how the consent
was obtained
Forms, brochures signage,
website screenshots etc.
4. Language must be
accessible and easily
understood

15. 6. Data Controller / Data Processors
❑Increased liability for Data Processors
❑Processors: guarantee that technical and organisational measures have been
taken in preparation for GDPR
❑A written contract must exist
❑Process may only process data in accordance with written instruction

16. 7. Security
1. Preventative: “technical & organisational measures”
❑Technical: encryption & regular testing
❑Organisational:
❑Using unsupported programs
❑Clean desk policy
2. Breaches:
❑Reported within 72 Hours
ICO The Individuals
The breach likely to result in a risk to the
rights and freedoms of individuals
The breach likely to result in a high risk to
the rights and freedoms of individuals

17. 8. The Data Protection Officer (DPO)
Mandatory for:
✓ Public Bodies
✓ Organisations engaged in “Large Scale” regular/systematic monitoring
✓ Organisations whose core activities consist of processing “special categories” of
data or data relating to criminal convictions
✓ May be mandatory in other contexts as defined by Member State Law
The DPO must:
✓ Have “expert knowledge” of Data Protection Law
✓ Must be involved in a “timely manner” in discussions of personal data processing
✓ Details must be provided to the DPC

18. 9. Enhanced Rights for Data Subjects
The right to
erasure
The right to
restrict
processing
The right to data
portability
The right to
object
Rights in relation to
automated
decision making
Right to be
informed
The right to
access
The right to
rectification

19. GDPR from a HR Perspective
Lawful processing
• What is your reason for retaining and processing personal data?
• Consent no longer an option for HR data
• Imbalance of power between employee & employer
1. Legitimate interests of the business
2. Performance of a contract or legal obligation
Increased employee rights
• Clear policies
• Have access to a self service portal?

20. 10. Other New Concepts
• Privacy by design: seeks to ensure that privacy issues are considered
at the outset of a project, rather than being an add on at a later stage
of a project.
• Privacy by default: by default only such personal data as is necessary
for the identified purposes should be processed.
• Data Protection Impact Assessments (PIAs) – to be conducted in high
risk data processing activities.

21. Definition of
Personal Data
Special categories of data
Data Protection Principles
Lawful Processing of
Data
Consent
Data Processor
Security
DPOs
Data Protection by
Design & Default
Data Subject Rights
Employee Rights

22. -Start Preparing Now

23. 7 Step Preparation Guide
1. Data
Inventory
2. Employee
Preparation
3. Customers
& 3rd Party
Providers
4. Capturing
Consent
5.
Governance
6. Security
7. PIAs
&
Data by
Design

24. 1. Your Data Inventory
• Create in inventory of all personal data held
• Why are you holding the data? The legal basis?
• How is data obtained?
• Why was it originally gathered.
• How long data is held for?
• How is data saved? Securely?
• Is data shared? With whom? Outside EU?
• Do you process children’s data or special data?

25. 2. Employee Preparation
Policies & Procedures
❑Implement an Employee Privacy Policy
❑ Update your Data Protection Policy
❑ Clean Desk Policy?
❑ Working from Home Policy
Consider a self-service option

26. GDPR

30. 3. Customers & Third Party Providers
Privacy Policy Notices
• Customer
• No legalese
3rd Party Contracts
• Who are your data
processors?
• Specific information
must be in writing

31. 4. Capturing Consent
• Review terms & conditions that
capture consent
5. Governance
• Reviewing how you will deal with data
subject access request
• Appoint a DPO if necessary
• Update staff on data protection

32. 6. Security
• Technical: are computers
encrypted
• Organisational:
• clean desk policy
• Secure Wifi
7. Data by Design / PIA’s
• Develop privacy impact assessment
and privacy by design implementation
and review process

33. -How BrightPay is Preparing

34. Our GDPR compliance journey

35. Sign up to our Newsletter
Sign up to our newsletter to hear about our free webinars, events, industry
updates and special offers across our range of products. You can
unsubscribe from the newsletter at anytime.

36. Thank You!
G.D.P.R.
General Data Protection Regulation
25th May 2018
BrightPay
www.brightpay.co.uk
support@brightpay.co.uk
PH +44 (0) 845300304
Bright Contracts
www.brightcontracts.co.uk
support@brightcontracts.co.uk
PH +44 (0) 8453004305

37. -Appendix: GDPR List of Offences

38. 2% Offences
• Breaches of provisions relating to consent of Children
• Asking for personal data, citing GDPR as basis, where you are not
processing identifiable data
• Failure to implement Privacy by Design/by Default
• Failure to document & communicate Joint Controller relationships
• Failure to appoint a representative if based outside EU
• Failure to ensure contract with Data Processor
• Engagement of a sub-processor by processor without authorisation
• Failure to include prescribe content in Processor Contracts
• Processing data by a Data Processor other than on instruction of
Data Controller
• Failure to ensure DPO does not have conflict of interest in execution
of duties
• Failure to execute tasks of the DPO under Article 39
• Failure to apply required controls or safeguards under a DP
certification scheme
• Failure to keep records of processing activities (Article 30)
• Failure to cooperate with the Supervisory Authority
• Failure to ensure appropriate level of security over personal data
• Failure to ensure ability to restore availability and access to data
• Failure to conduct regular testing of effectiveness of technical and
organisational controls for information security
• Failure to notify data breach to Supervisory Authority
• Failure to communicate data breach to Data Subjects (where
required)
• Failure to conduct Data Protection Impact Assessments (when
required)
• Failure to consult with Supervisory Authority where PIA suggests
high risk to rights of individuals
• Failure to engage DPO in a timely manner
• Failure to support DPO in performance of tasks, including provision
of resources, access to data and processing operations, and
opportunity to maintain expert knowledge
• Failure by a certification body to meet the conditions for
accreditation or where actions of the accrediting body infringe the
Regulation

39. 4% Offences
• Breaching any of the core principles of
GDPR
• Failure to implement measures to comply
with the accountability principle
• Failure to comply with standards required
for consent, where consent only basis for
processing
• Unlawful processing of “special
categories” of personal information
• Infringement of rights under Article 12 –
22
• Transfers to 3rd countries in
contravention of provisions of Articles 44
to 49
• Failure to comply with any obligation
under Member State Law under
“Delegated Acts” under Regulation
• Non-compliance with a prohibition under
Article 58(2) on processing or data
transfers, whether temporary or
definitive
• Failure to provide access to Data
Protection Supervisory Authority to
conduct investigations as per Article 58(1)