Rest of the worldOur global pages
Close- Global home
- About us
- Global services/practices
- Industries/sectors
- Our people
- Events/webinars
- News and articles
- Eversheds Sutherland (International) Press Hub
- Eversheds Sutherland (US) Press Hub
- News and articles: choose a location
- Careers
- Careers with Eversheds Sutherland
- Careers: choose a location
GDPR for HR – what do you need to know?
- Ireland
- General
03-07-2017
Everyone is discussing GDPR. However, if you have been wondering how GDPR is relevant to your role in HR, we have set out below a summary of the top HR tips for GDPR compliance.
What is GDPR?
The General Data Protection Regulations (GDPR) is set to become one of the most wide raging pieces of EU legislation. It is designed to protect and enforce the rights of data subjects across the EU. It will have direct effect in Ireland from 25 May 2018 and will replace current national data protection legislation.
The GDPR builds on many of the familiar rules and principles which you will be aware of from Ireland’s current Data Protection Acts 1988 and 2003 (as amended) (the “Acts”).
However, some of the changes are as follows:
It’s time to be Accountable
The GDPR requires organisations to comply with the new rules but also to be able to actively demonstrate such compliance. Organisations should keep records of their processing activities and ensure that such processing is carried out in accordance with GDPR.
This sounds quite reasonable. However, many organisations are surprised and sometimes shocked once they begin to check where employee data is sent. For instance, do you use a HR consultancy firm to carry out your payroll? Do they do it themselves or are they in a position to send this to a third party payroll provider? Is that in Ireland or elsewhere? After 25 May, organisations must be able to demonstrate where employee data is sent and for what legitimate purpose it is processed.
Data Access Requests must be responded to in a shorter time
It will be easier than ever for an employee to make a data access request. Under the new rules, the request can be in written, email or oral form. There is also no requirement to pay the fee of €6.35. Organisations must comply within 30 days rather than the current period of 40 days.
Is the concept of “consent” over?
Your contract of employment may allow you to process employee data because you have outlined that you will do so and said that by signing the contract, the employee has consented to this processing. After 25 May, this consent will no longer be permitted.
The GDPR require that employees must freely give “specific, informed and unambiguous consent” to the processing of their data. This must now be a statement of affirmative action. Consent by way of acquiescence will no longer be acceptable.
For most employers, this should not pose an issue. As an employer you are required to process certain employee data for legitimate reasons and in compliance with your obligations under Irish law. For instance you must process an employee’s bank details to pay their salary. Further you must process their working time records and pay in order to make deductions to Revenue and comply with the Organisation of Working Time Act. However, if you currently refer to or rely on consent, you should update your employee handbook or policy on data protection to expressly refer to the legitimate purposes under which data is processes.
Sanctions and Fines
There are new and increased fines under the GDPR. The supervising authority, i.e. the Data Protection Commissioner in Ireland is permitted to impose fines against data controllers and processers (so each of the employer, the HR consultancy firm and the pay roll provider in the example given above) of up to €20 million or 4% of total worldwide annual turnover.
There is also the potential for double fines, as there is a fine for the breach itself and the failure to inform the DPC of the data breach when it initially occurred.
For the first time, the GDPR also introduces the concept of both material and non-material loss. Case law in Ireland has established that up to now a data subject has no entitlement to automatic compensation for a technical breach or where he cannot prove loss. The introduction of non-material fines will change this jurisprudence and data subjects may claim compensation in circumstances where the breach is only a technical one and no loss has been suffered. It remains to be seen how the Irish courts will award compensation for a purely technical breach.
How can I prepare my organisation for GDPR?
Start planning now!
The impending rules provide an excellent opportunity to review what data you as an organisation actually hold. We are working with a large number of companies to create a GDPR compliance roadmap setting out the steps to be taken in order to ensure they are GDPR ready.
The key to success is to begin the process as early as possible in order to allow for a smooth transition. You should work with your team (and with our help) to identify who’s data you hold, what data you hold, why you hold the data, how long you should retain the data for and where you are holding/storing the data.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.
- Legal Telescope: a view from our technology lawyers – March 2023
- Eversheds Sutherland advises Lesha Bank LLC (Public) on the purchase of minority stake in Starlink
- Eversheds Sutherland appoints new Financial Services Sector Group Partner
- Eversheds Sutherland Ots & Co has been highly recognised by Chambers & Partners
- Legal news in brief | March 2023
