Key elements of GDPR for employers: Are you ready for the changes?

2 May 2018

The clock is ticking as the GDPR deadline looms. Image: Bohbeh/Shutterstock

The team at Matheson offers some advice for employers in the lead-up to GDPR.

The General Data Protection Regulation (GDPR) puts personal data protection front and centre as a fundamental right of the individual, including that of the employee.

In terms of its complexity and the obligations that it imposes on employers as organisations that collect and process personal data, the GDPR is arguably the most significant legal development in the workplace for a generation.

New and enhanced employee rights

For employees, the GDPR will introduce new and enhanced rights such as, among others, the right to data erasure (the right to be forgotten), the right to have inaccurate data rectified, the right to restrict the processing of their personal data, the right to object to its processing altogether (this should be on compelling legitimate grounds) and the right of data portability to a new organisation.

In addition to these new and enhanced rights, the most significant development for employers is arguably the emphasis on transparency and accountability as fundamental GDPR concepts. Employers should be able to demonstrate compliance with the GDPR or risk facing enforcement action from the Data Protection Commissioner (DPC), fines for non-compliance as well as compensation claims from employees.

The first recommended step for the person charged with GDPR responsibilities in any organisation – whether that be a designated data protection officer, a HR professional, the in-house legal counsel or another identified person – is to carry out an audit to identify gaps between how the organisation currently complies with its data protection responsibilities and what is required in this respect from 25 May onwards.

As a first step in preparing for GDPR, the DPC has recently suggested that organisations aim to comply with Article 30 initially, and thereafter Article 24 of the GDPR.

What are the steps?

For the purpose of employers, this translates to the following recommended first steps:

  • What current employee data is being held on file and stored by the organisation?
  • Who does the data relate to? (For example, current or former employees, other third parties etc)
  • Why is the organisation holding it?
  • Has the organisation internal policies, processes and procedures around employee data?
  • How did the organisation obtain it?
  • Why was it originally gathered?
  • How long does the organisation retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Does the organisation ever share it with third parties, and on what basis might it do so?
  • Will the data be transferred outside of the EU?

If you have not already done so as part of your GDPR preparations, we recommend that the above exercise be undertaken in respect of all aspects of the employment relationship and its natural development from recruitment through to termination.

For instance and by way of brief example, employers should consider whether these questions are asked of job applicants during the recruitment process, whether said questions are relevant to the job and whether the applicants are made aware of how the information they supply in response to the questions will be processed.

As part of this exercise and specifically in relation to recruitment, employers should also consider what information can be appropriately transferred to a successful applicant’s personnel file and why it is relevant to the ongoing employment relationship.

The next obvious question is how long an employer can retain employment-related data or records for. In retaining personal data, employers should be guided by statutory retention periods, limitation periods for claims, individual business needs and, of course, the data quality principles.

By Bryan Dunne, partner at Matheson (co-authored by senior associate Aisling Parkinson and solicitor Tina O’Sullivan of Matheson)

A version of this article originally appeared on Matheson’s website.