This update was co-authored by Aisling Parkinson, Senior Associate, and Tina O'Sullivan, Solicitor.
The countdown is on to the implementation of the GDPR on 25 May 2018. In the coming weeks, we will be publishing a series of short GDPR updates to assist employers in finalising their preparations for the changes this piece of legislation will bring to Irish workplaces. We are starting by providing a recap of the key elements of GDPR we recommend employers consider in the build-up to 25 May next and thereafter.
The GDPR puts personal data protection front and centre as a fundamental right of the individual, including that of the employee. In terms of its complexity and the obligations that it imposes on employers as organisations that collect and process personal data, the GDPR is arguably the most significant legal development in the workplace for a generation.
For employees, the GDPR will introduce new and enhanced rights such as, amongst others, the right to data erasure (the right to be forgotten), the right to have inaccurate data rectified, the right to restrict the processing of their personal data, the right to object to its processing altogether (this should be on compelling legitimate grounds) and the right of data portability to a new organisation.
In addition to these new and enhanced rights, the most significant development for employers is arguably the emphasis on transparency and accountability as fundamental GDPR concepts. Employers should be able to demonstrate compliance with the GDPR or risk facing enforcement action from the Data Protection Commissioner, fines for non-compliance as well as compensation claims from employees.
The first recommended step for the person charged with GDPR responsibilities in any organisation, whether that be a designated Data Protection Officer, a HR professional, the in-house legal counsel or another identified person, is to carry out an audit to identify gaps between how the organisation currently complies with its data protection responsibilities and what is required in this respect from 25 May onwards. The Data Protection Commissioner has recently suggested that, as a first step in preparing for GDPR, organisations aim to comply with Article 30 initially and thereafter Article 24 of the GDPR.
For employers, this translates to the following recommended first steps:
What current employee data is being held on file and stored by the...