Home Knowledge General Data Protection Regulation – Likely Impact for Employers and How to Prepare

General Data Protection Regulation – Likely Impact for Employers and How to Prepare

July 4, 2017
Partner
Leo Moore

The General Data Protection Regulation (“GDPR”), due to take effect on 25 May 2018, aims to harmonise data protection rules across the European Union (“EU”) and marks a milestone in data protection laws in the EU.  The GDPR places onerous obligations on organisations in relation to all personal data which they process. It is strongly advisable that employers begin to prepare now for the GDPR and we have highlighted five key points to use as a starting point.

  1. Data Protection Officers (“DPOs”)
    The GDPR provides that a DPO should be appointed by organisations whose core activities involve the regular and systematic monitoring of data subjects on a large scale, as well as organisations whose core activities involve the processing on a large scale of special categories of personal data, including processing information relating to criminal convictions or offences. It will be mandatory for public authorities to appoint a DPO. There is also scope for Member States to propose instances where a DPO will be required and such appointment will be provided for in this jurisdiction by the Data Protection Bill 2017.  Organisations can also appoint a DPO voluntarily.

    Employers are advised to conduct an analysis now to determine if they must appoint a DPO. As this could be costly, businesses should start to review their budgets accordingly. 

  2. Consent 
    The GDPR sets out an elevated threshold for obtaining consent. The test for consent has been radically overhauled under the GDPR and will be much more difficult to rely on. The onus rests with employers to prove that they have obtained consent validly. Consent must be freely given, specific, informed and unambiguous. The GDPR removes the possibility of “opt-out” consent by forbidding silence, inactivity, and pre-ticked boxes as a means of providing consent. Employers should be aware of this and consider phasing out reliance on consent as their legal basis for processing data. Consent must also be given separate to the contract of employment and it is advisable that employers start to review their existing contracts without delay to ensure that they meet the required standards.

    Once the GDPR takes effect, employers must make employees aware of their right to withdraw consent at any time. It is recommended that employers consider a different basis for processing data as opposed to consent, such as contractual necessity, statutory compliance or legitimate interests.  

  3. Data Protection Impact Assessment (DPIA)
    Any business implementing new processes or technologies which involve processing that is likely to result in a high risk to the rights and freedoms of employees may need to carry out a DPIA. Under the GDPR, systematic and extensive evaluation of personal data (such as profiling), large scale processing of special categories of personal data or personal data relating to criminal convictions or offences, and large scale systematic monitoring of public areas will be regarded as processing that will  likely result in a high risk.
  4. Enhanced Rights of Data Subjects
    The GDPR grants new rights and builds on existing rights of data subjects. The right to access, data portability, correction, erasure, objection and the restriction of processing of personal data are rights provided for under the GDPR. Employers should be aware that the time frame for responding to subject access requests will be reduced to one month and are advised to start adapting procedures to accommodate for this. It is recommended that employers review their current procedures and appoint a team who will be accountable for ensuring these rights are implemented.
  5. Penalties
    The GDPR provides for heavy sanctions to be imposed in the event of non-compliance and in particular heavy administrative fines may be imposed. Depending on the breach, a penalty of €10 million or 2% annual global turnover, whichever is greater, or €20 million or 4% of total annual global turnover, whichever is greater, may be imposed. 

As the GDPR is bringing data protection to a new level and is ensuring vigorous compliance, It is advisable that employers implement policies to ensure compliance and avoid such penalties. 

Next Steps

  • Know what personal data is being held, the purpose for holding data, and how long data will be held.
  • Appoint a working group, internally or externally, who will be responsible for implementing the GDPR.
  • Revise and amend policies and procedures.
  • If your organisation has not started your preparations, start now.

For further information on the GDPR, become a member of our PrivacySource, our dedicated website to the GDPR to help you prepare. 

Article contributed by Catherine O’Flynn and Leo Moore

Recommended Insights

See all
Article and Insights
1
Feb 2024
Responsible Business Annual Report 2023
William Fry is pleased to launch its Responsible Business Annual Report 2023.
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
2
Feb 2024
John Delaney Documents – Supreme Court Refuses Leave to Appeal
The Supreme Court has refused leave to appeal from a decision rejecting John Delan...
WF_author_blank
Consultant
Deirdre O’Donovan
Article and Insights
24
Jan 2024
Cross-Examining Affidavit Evidence in Insolvency Cases
The High Court recently dismissed a petition seeking the winding up of a biofuel c...
WF_author_blank
Partner
Fergus Doorly
prev
next
See all