The General Data Protection Regulation – Staff awareness training

GDPR comes into effect on 25 May 2018

Main differences from the current Data Protection Act:
▪ Under the Data Protection Act 1998, you were deemed compliant until there was a breach
▪ Under the GDPR, you must be able to evidence you are compliant from 25 May 2018
▪ Personal data is redefined to include IT advances such as IP addresses and retina scanning, for example
▪ Greater emphasis on consent; you are no longer able to assume consent
▪ Greater information governance and security
▪ Significantly increased fines for data breaches

Principles of GDPR
Article 5 of the GDPR requires that personal data shall be:
• lawful, fair and transparent
• for a legitimate purpose
• relevant and limited to what is necessary
• accurate and kept up to date
• only stored for as long as necessary
• processed securely

Individual Rights
▪ Right to be informed
▪ Right of access
▪ Right to rectification
▪ Right to erasure
▪ Right to restrict processing
▪ Right to data portability
▪ Right to object
▪ Rights relating to automated decision making, including profiling

Who Might We Hold Data On?
• Staff
• Contractors
• Extended Family and Friends (in case of emergency)
• Students

What is Personal Data?
• Name
• Address (home or business)
• Postcode
• NHS number
• Email address
• Date of birth or age
• Payroll number
• Gender
• Driving licence [shows date of birth and first part of surname]
• National insurance number
• Tax, benefit or pension records
• Marital status
• Citizenship
• Languages spoken
• Online identifiers (e.g. IP address, MAC address)

What is Sensitive Data?
• Racial/ethnic origin
• Political opinions
• Religious beliefs
• Trade union membership
• Physical or mental health
• Sexual life
• Sexual preference
• Biometrics, DNA profile, fingerprints
• Bank, financial or credit card details
• Tax, benefit or pension records
• Health, adoption, school, social services, housing records
• Child data

What Documents Do We Have That Hold Personal/Sensitive Data?
• Photos
• Videos
• Registration forms
• Waiting lists
• Children’s files
• Accident records
• Incident records
• Training records
• Computer systems (software packages)
• Staff files
• Contractor files
• Bank details (staff and customers)
• DBS records
• Allergies and medication information
• Funding claims
• Staff meeting minutes
• Registers
• Contractor records
• Emergency contacts list
• Birth certificates, photocopies of passports, etc.
• Cookies (website only)
• Invoices

Where Might We Hold This Data?
• Paper files
• Computer files
• Mobile phones
• Portable IT (laptops, tablets, etc.)
• Displays
• Website and social media
• Website surveys (e.g. Survey Monkey)
• CCTV footage

Who Do We Share Information With?
• Contractors
• Local Authority
• Occupational Health Service
• Police
• Ofsted

What Do We Need to Do?
• Appoint a Lead for the GDPR
• Ensure all staff are trained on the GDPR, information sharing and consent
• Map out our processes and data
• Develop an Information Asset Register
• Complete a data processing record with agreed lawful basis for each process
• Complete privacy impact assessments
• Update our data protection policy
• Ensure we have a robust procedure for identifying and reporting breaches
• Update our consent documents
• Update our privacy notices
• Inform customers/clients of the GDPR and the steps we are taking
• Update induction processes to include the GDPR
• Maintain records as evidence of our compliance

What Can You Do as an Employer/Employee?
• Help with mapping out the data that we hold and the processes involved
• Read all the policies and procedures and ensure they are followed
• Ensure customers/clients consent to us holding and sharing information
• Report any breaches immediately to the designated GDPR officer
• Take additional care when emailing (password-protect or use a secure system)
• Ensure that data is backed up securely
• Take extra care when transporting data (avoid where possible)
• Report any concerns regarding IT immediately
• Attend/complete any training requested regarding the GDPR and information governance