What is GDPR and how does it affect Employers?
18 May 2018
The General Data Protection Regulation EU 2016/679 (GDPR) is a new EU-wide law that requires greater transparency from employers in relation to the collection, retention and processing of employees’ personal data. On 25 May 2018 the GDPR will introduce new standards of accountability and transparency as to how personal data is collected and processed. This places an onus on employers to show that they have complied with the core principles of data protection.
Personal data is collected and processed during the course of employment for a variety of reasons including for the purposes of recruitment, promotions, payroll, sickness absences, grievance and disciplinary procedures, health and safety at work and the termination of the employment relationship.
To ensure your company is GDPR compliant, employers should review their current data protection policies, including handbooks and contracts of employment, and consider whether a Data Protection Officer or Data Protection Manager should be appointed. From 25 May 2018 employers should have a GDPR compliant Data Protection Policy, together with a Data Protection Notice (if required), in place. The Data Protection Policy and/or Notice should be comprehensive and give employees a full understanding of what personal data is being processed, by whom, for what reason, and for how long the data will be retained.
Data Protection Policy / Notice
GDPR requires that employee consent must be freely given, specific, informed and unambiguous. Therefore, due to the imbalance of power in the employment relationship, consent given through a contract of employment may no longer be sufficient as a legal basis for processing. Accordingly, employers should consider providing employees with a Data Protection Notice and ensure they have a GDPR compliant Data Protection Policy in place.
Why Employers should care about GDPR
GDPR imposes higher standards on employers in relation to processing personal data with the prospect of strict sanctions.
GDPR gives greater powers to regulators (such as the Office of the Data Protection Commissioner) to enforce the obligations placed on data controllers. Companies that mishandle personal data, or are not transparent about how their business collects data, can face penalties including audits and/or fines of up to €20 million or 4% of worldwide annual revenue for the prior financial year.
GDPR imposes greater obligations in relation to the security of personal data. Any company that is the subject of a data breach must report that breach within 72 hours to the Office of the Data Protection Commissioner, unless the personal data was anonymised or encrypted. Where a breach poses a high risk to employees (e.g. identity theft), they will need to be informed without undue delay.
The new GDPR regime is less than one month away. Employers should ensure they are ready.
For further information on this topic please contact:
Partner Employment & Employee Benefits Group
Direct +353 1 202 6505
Associate Employment & Employee Benefits Group
Direct +353 1 202 6550
Partner IP/IT & Data Protection Group
Direct +353 1 202 6454