The General Data Protection Regulation: Top Tips for HR

• Ireland

• General

18-12-2017

The General Data Protection Regulation (the “GDPR”) is undoubtedly one of the most talked-about developments in data protection law of 2017, but what does it mean for HR managers? 

If you have responsibility for the HR function in your organisation, you may be wondering how exactly the GDPR will affect you and what you need to do to prepare. 

What exactly is GDPR?

The GDPR is set to become one of the most wide-raging pieces of European Union (“EU”) legislation. It is designed to protect and enforce the rights of data subjects across the EU.  It will come into force across the EU on 25 May 2018 and will replace current national data protection legislation.

The GDPR builds on many of the familiar rules and principles from Ireland’s Data Protection Acts 1988 and 2003 (as amended) but there are a number of changes and additional obligations under the new rules.

These are Eversheds Sutherland’s top 5 tips for compliance:

1. It’s time to be accountable

All organisations have to comply with the GDPR but the new rules also introduce the concept of accountability, which will require organisations to demonstrate compliance with the GDPR. Therefore, you should keep records of all your processing activities and ensure that any such processing is carried out in accordance with the requirements set out in the GDPR.

While this sounds quite reasonable you may be surprised as to the location of your employee data when you start documenting your processing activities., this is particularly relevant in circumstances where you are using third parties to provide services on your behalf (i.e. payroll services). It is often the case that employers don’t realise that such third parties may also use sub-contractors and at times the sub-contractors may be located outside the EU.

2. Don’t delay on data access requests

The GDPR will make it much easier for an employee to make a data subject access request.

The option of charging a fee of up to €6.35 is being abolished, and you must comply with a request within one month rather than the current period of forty days. It is vital that you have a comprehensive compliance methodology in place to deal with incoming data access requests, particularly given the reduced timeline for compliance.

3. Don’t take consent at face value

The GDPR defines consent as a “freely given, specific, informed and unambiguous” statement or clear affirmative action. Consent by way of acquiescence will no longer be acceptable. Similar to the current position in respect of consent in an employment contract, it will be very difficult to argue that consent in the course of the employment relationship is “freely given”, due to the imbalance of power between an employer and employee. 

For most employers, there are generally alternative legitimate grounds to process employee data (for instance, you must process an employee’s bank details to pay their salary as part of the terms stated in an employment contract and you must process their working time records and pay in order to make deductions to Revenue and comply with the Organisation of Working Time Act, 1997). In situations where you provide employees with a genuine option, then you must ensure any consent captured is in compliance with the new requirements. 

4. Be Aware of the Sanctions and Fines

A major change introduced by the GDPR is the severity of the sanctions for non-compliance. The supervising authority, the Office of the Data Protection Commissioner (the “ODPC”) in Ireland, can impose fines against both data controllers and data processers.  The fines can be up to a maximum of €20 million or 4% of total worldwide annual turnover, whichever is higher.

The GDPR also introduces the possibility of class actions – which is particularly concerning for employers with respect to employee data. A recent case taken against supermarket giant Morrisons by a group of employees whose personal data were leaked online is a clear example of the potential impact of a class action. A disgruntled employee sent information (including salaries, bank details, addresses and phone numbers) relating to almost 100,000 Morrisons staff to a file-sharing website. The UK High Court found Morrisons vicariously liable for the data breach. Morrisons have been given permission to appeal the decision and it remains to be seen what the outcome of that appeal will be.

Remember that nothing beats training, and educating your employees on the risks and requirements of the GDPR. It could prevent costly and embarrassing mistakes down the line.  

5. Start planning now!

Our top tip for compliance with the GDPR is to act now. 

The impending changes provide an excellent opportunity to review what data you as an organisation actually hold. The key to success is to begin the process as early as possible in order to allow for a smooth transition. You should work with your team (and with our help) to identify:

• what data you hold;
• who the data relates to;
• why you hold the data;
• how long you should retain the data for; and 
• where you are holding/storing the data. 

Once you have identified your current data protection landscape, you can start to decide what steps need to be taken to become GDPR compliant.

Eversheds Sutherland’s experienced team can help you with every step of the process.

• Joanne Hyde
• Partner
• +353 1 6644 252
• +353 1 6644 252

• Marie McGinley
• Partner
• +353 1 6441 457
• +353 1 6441 457

< Go back