This update was co-authored by Aisling Parkinson, Senior Associate, and Tina O'Sullivan, Solicitor.
The countdown is on to the implementation of the GDPR on 25 May 2018. In the coming weeks, we will be publishing a series of short GDPR updates in order to assist employers to finalise their preparations for the changes this piece of legislation will bring to Irish workplaces. We are starting by providing a recap of the key elements of GDPR we recommend employers consider in the build up to 25 May next and thereafter.
The GDPR puts personal data protection front and centre as a fundamental right of the individual, including that of the employee. In terms of its complexity and the obligations that it imposes on employers as organisations that collect and process personal data, the GDPR is arguably the most significant legal development in the workplace for a generation.
For employees, the GDPR will introduce new and enhanced rights such as, amongst others, the right to data erasure (the right to be forgotten), the right to have inaccurate data rectified, the right to restrict the processing of their personal data, the right to object to its processing altogether (where an employee objects, the employer may only continue processing if it can demonstrate compelling legitimate grounds that override the employee's interests, rights and freedoms) and the right of data portability to a new organisation.
In addition to these new and enhanced rights, the most significant development for employers is arguably the emphasis on transparency and accountability as fundamental GDPR concepts. Employers should be able to demonstrate compliance with the GDPR or risk facing enforcement action from the Data Protection Commissioner, fines for non-compliance as well as compensation claims from employees.
The first recommended step for the person charged with GDPR responsibilities in any organisation, whether that be a designated Data Protection Officer, a HR professional, the in-house legal counsel or another identified person, is to carry out an audit. The audit should identify the gaps between how the organisation currently complies with its data protection responsibilities and what will be required of it from 25 May onwards. The Data Protection Commissioner has recently suggested that, as a first step in preparing for GDPR, organisations aim to comply with Article 30 (maintaining records of processing activities) initially and thereafter Article 24 (the controller's responsibility to implement and be able to demonstrate appropriate compliance measures).
For the purpose of employers, this translates to the following recommended first steps:
- What current employee data is being held on file and stored by the organisation?
- Who does the data relate to? (For example, current or former employees, other third parties etc)
- Why is the organisation holding it?
- Does the organisation have internal policies, processes and procedures around employee data?
- How did the organisation obtain it?
- Why was it originally gathered?
- How long does the organisation retain it?
- How secure is it, both in terms of encryption and of who can access it?
- Does the organisation ever share it with third parties and on what basis might it do so?
- Will the data be transferred outside of the EU?
If you have not already done so as part of your GDPR preparations, we recommend that the above exercise be undertaken in respect of all aspects of the employment relationship and its natural development from recruitment through to termination. By way of brief example, employers should consider which of these questions are asked of job applicants during the recruitment process, whether the questions are relevant to the job and whether the applicants are made aware of how the information they supply in response will be processed. As part of this exercise, and specifically in relation to recruitment, employers should also consider what information can appropriately be transferred to a successful applicant's personnel file and why it is relevant to the ongoing employment relationship.
The next obvious question is how long an employer can retain employment related data and records. In retaining personal data, employers should be guided by statutory retention periods, limitation periods for claims, individual business needs and, of course, the data quality principles (in particular data minimisation and storage limitation). Our next update will deal specifically with retention of employee records and data.
If you are interested in further detail of the overview of HR and the GDPR, you can access a further discussion on this from the Matheson Employment Law Podcast series.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.