General Data Protection Regulation (GDPR) - Guidance for Employers

Peninsula Team

December 18 2017

The new General Data Protection Regulation (GDPR) will come into effect in May 2018. Introduced to keep pace with the modern digital landscape, GDPR will replace the existing data protection framework and places new obligations on any organisation that handles data about EU citizens. Non-compliance with the new legislation could cost companies dearly, so our experts have collated a handy guide to help you.

What is the GDPR?

Currently, the law on data protection, which requires that data identifying people be handled in a fair way, is contained in the Data Protection Acts 1988 and 2003. The EU will introduce new legislation, called the General Data Protection Regulation (GDPR), which will replace the current EU structure on the handling of data. Because of this, the Government will introduce new legislation – currently in draft form in the Data Protection Bill 2017. The new Bill, which will implement the requirements of the GDPR in Ireland, will come into effect no later than 25th May 2018, which is the date that GDPR will apply to all EU member states.

The Office of the Data Protection Commissioner (DPC) is the authority responsible for ensuring compliance with the law on data protection. It publishes good practice guidance for data controllers and data processors (see Key Definitions later) to assist compliance.

Why is the law changing?

It had become increasingly clear that the current statutory framework was not “fit for purpose”. Personal data is now being used in ways that were not envisaged in the mid-90s, mainly down to the growth of the internet and the changes in online activities. Social media, advertising, and email marketing are a few examples of areas in which personal, and sometimes sensitive, data is hosted and processed using principles that are not appropriate or safe.

Key Principles

The current Data Protection Acts set out eight principles for the processing of data. These will remain once GDPR is introduced. They are:
  • Obtain and process the information fairly;
  • Data must only be obtained for specified and lawful purposes;
  • Data must be processed in accordance with the “data subject’s” (the individual’s) rights;
  • Data must be securely kept;
  • Data must be kept accurate and up-to-date;
  • Data must be adequate, relevant and not excessive;
  • Data must not be kept for longer than necessary;
  • Give a copy of a person’s personal data to them on
In addition, the GDPR contains the following changes:
  • Enhanced documentation to be kept by data controllers;
  • Enhanced privacy notices;
  • More detailed rules regarding ‘consent’;
  • Mandatory data breach notification requirements;
  • Enhanced data subject rights;
  • New obligations on data processors;
  • Expanded territorial scope;
  • Appointment of Data Protection Officers;
  • Significant increases in the size of fines and penalties for non-compliance.
Many of the implications of the new GDPR will affect companies on a commercial level. However, it also has an impact on the following areas from an HR/employment perspective:
  • Documentation to be kept by data controllers;
  • Data subject rights;
  • New obligations on data processors and appointment of data protection officers;
  • Data breach notification requirements;
  • Fines and penalties for non-compliance.
Key Definitions

Personal data – Under GDPR, this means “any information relating to an identified, or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Special Categories of Personal Data (what we currently call “Sensitive” Personal Data) – Under GDPR, this will mean data relating to:
  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Physical or mental health conditions;
  • Sex life or sexual orientation;
  • Genetic data;
  • Biometric
Data subject – In both DPAs and GDPR, this means the subject of personal data. It doesn’t include deceased individuals or an individual who can’t be identified/distinguished from others. You would need to show pure anonymity in order that a subject would not be caught.

Data controller – The data controller is the decision maker. Under the GDPR the data controller is the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of processing of personal data.

Data processor – Under GDPR this is a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller. This person acts only under the instruction of the data controller, keeping personal data secure from unauthorised access, loss or destruction.

Processing – In both pieces of legislation, this means the obtaining, recording or holding of information or data or the carrying out of any operation or set of operations on the information or data, including access, storage, retrieval, disclosure and erasure/deletion.

Documentation to be kept by data controllers

Personal data should only be kept where there is a legitimate interest, such as a contractual or statutory requirement. Once obtained it should be used for a specific and lawful purpose without being processed any further. Any personal data should be limited to only that which is relevant. In practical terms, employers should not ask for personal or sensitive data relating to an employee unless they can demonstrate a lawful, fair or obvious reason for it. Any personal data that is held in relation to an employee should be accurate, kept up to date and only held for as long as is necessary.
GDPR states: [data should be kept for] “no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.”

For more information on the new GDPR legislation, make sure you read our articles on employees' rights and data breach notification requirements. If you have any questions in relation to GDPR, please contact our expert employment law advisors on the 24 Hour Advice Service on 1890 252 923.
