Data Protection and Employment

As Karlin Lillington of the Irish Times (26 April 2018) remarked, everyone is talking about GDPR but things aren’t necessarily getting any clearer. There is a lot of noise out there and attempts to scare the bejaysus out of people by pointing to the astronomical fines that non-compliance can potentially expose a company to, without providing solutions.

To understand what you have to do, you need to have an understanding of the principles underlying GDPR. The principles are straightforward. They are about transparency and accountability. If you, as an employer, collect data on someone – be it an employee, a worker or a contractor – you need to tell them what information you hold; why you are holding it; how long you intend to hold it for; what security measures you have put in place to make sure that their data is safe; and how they can access, amend, transport or erase it.

An employer will do this through the medium of three documents – a privacy statement, a data protection policy and a data retention policy.

Privacy statement

The privacy statement should set out information on the nature of the data collected/to be collected; the purpose for which it may be used; to whom it may be disclosed; the reason for the processing; if the information is to be transferred outside the country, where and why; how long their data will be retained; their right to correct/erase/move their data; their right to complain to the Data Protection Commissioner and, if there is a Data Protection Officer in place, their contact details.

Data Protection Policy

The Data Protection Policy will elaborate on some of the issues referenced in the privacy statement. In addition, it should address where the data is to be held; the security measures that are in place to ensure the safety of the data; the rules around sensitive data; how data access requests will be dealt with; what the process is in the event of a security breach; the individual’s obligation to process other individuals’ personal data in accordance with the policy; and the consequences of failing to comply with the policy.

Data Retention Policy

The data retention policy should set out how long a data subject’s data will be retained for and the reason for the retention.

Summary

It is of course more complex and more nuanced than just having a privacy statement, a data protection policy and a data retention policy, but this is a good starting-out position. It will help bring clarity to how an employer deals with personal data and who, within the organisation, needs to have it. It might also make people think twice about cc’ing the “whole world” when it comes to discussing an individual, or consider having a meeting rather than a myriad of emails that will be subject to data access requests. The Cambridge Analytica scandal, the ongoing litigation before the European Court of Justice relating to the transfer of data, and the increased fines and enhanced individual rights to sue for breaches relating to their personal data are going to put data protection “front and centre” for the foreseeable future. Employers will probably find themselves in the cross-hairs, where any advisor worth their salt will be telling disgruntled employees to put in a data access request and see how much of a “stir” that causes an organisation. Finally, it goes without saying, make sure that the data protection clause in the contract of employment is consistent with the privacy statement, data protection policy and data retention policy.
