GDPR and the risk of employee data

Feb 11, 2019
With GDPR now in effect, employers must focus on a number of critical areas in order to mitigate the risk of litigation.

Many accountancy firms closely monitored and prepared for the implementation of GDPR on 25 May 2018. The Data Protection Acts, 1988 to 2018 (the Act) have now come into operation in Ireland and, as with many other organisations, part of the GDPR focus in accountancy firms revolves around compliance issues surrounding employee data. At this point, employers should have carried out a detailed analysis of their flow of employee data and of where and how they track their employees’ activities, and considered what information they control or process, how they collect that information, the purpose for which they hold it, how secure it is, whether it is passed to third parties, and how long they should retain it.

Organisations are also likely to have carried out Data Protection Impact Assessments (DPIAs) to identify and minimise the data protection risks of any ongoing or upcoming projects during the run-up to GDPR implementation. Arising from those considerations, employers will have taken steps to update employee contracts (moving away from a reliance on consent), privacy notices, information and communications technology (ICT) policies and data protection policies.

Many managers in these organisations are now sitting back, patting themselves on the back for a job well done, assured that they have protected themselves against future claims. But is this true? In this article, the first in a two-part series, we will briefly examine the key obligations of GDPR and highlight the areas we believe employers will need to monitor in the future to minimise litigation risk and costs arising from GDPR.

The new status quo

When discussing GDPR, the most important thing to point out is that a new standard has been established in relation to the controlling and processing of data. The Data Protection Commissioner (DPC) has made it clear that companies must develop a GDPR mindset and culture to ensure that breaches do not occur. As we know, new cultures take time to bed down. They also require vigorous training and monitoring of staff in the short term, with ongoing training in the medium to long term, to be successful. The steps taken by companies up to 25 May 2018 merely represent the compliance side of the equation. Companies have carried out risk analysis and put policies and processes in place in an attempt to protect themselves against prospective future claims. However, the reality is that companies need to continue that evaluation in the short to medium term. At this point, companies should be in a position to re-evaluate the impact of GDPR on their business and assess the ‘real’ litigation risk to determine whether they need to adapt their processes to minimise those risks going forward.

Sanctions

Data Protection Commissioner

Before discussing the prospective risks and claims that may arise because of GDPR, it is important to review the sanctions or penalties contained in the Act. Traditionally, only the courts could levy fines against companies. In practice, this meant that the DPC would always have to issue legal proceedings incurring costs and delaying enforcement. With the introduction of GDPR, the DPC can directly impose fines on companies. This is likely to increase the number and level of fines imposed in the future. With the implementation of the Act, sanctions have increased and administrative fines have been introduced. For the most serious infringements, organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater. For example, a serious breach for employers would include not having sufficient consent to process data.

For lesser breaches, organisations can be fined up to 2% of their annual global turnover or €10 million, whichever is greater. Examples of lesser breaches include not having records in order, not notifying the supervisory authority and data subject about a breach, or not conducting impact assessments. The level of fines is measured against the “nature, gravity and duration of the infringement”. With the appointment of two additional commissioners, the DPC will likely have the resources to carry out significantly more investigations on an annual basis.

The office of the DPC has helpfully provided guidance on its website as to the approach it intends to take to enforce GDPR. It has confirmed that no compliance grace period will apply. Factors that will be taken into consideration are whether the company can demonstrate a genuine commitment to meeting its GDPR obligations through its GDPR compliance programme, the scale of the infringement, whether the breach is negligent or wilful, and the company’s readiness to engage with the DPC. The DPC’s focus will be on ensuring that companies comply with the rights of data subjects, that data protection principles are respected, and that organisations are transparent in relation to the data they collect and process and the basis upon which the data is being processed. Unlike the UK, the Irish DPC has been particularly proactive in focusing on the issue of transparency and has regularly flagged the requirement for privacy notices to be issued or updated in advance of GDPR implementation. In simple terms, companies must ensure that data subjects understand what, how and why their data is being processed.

Individual claims and the new ‘Data Protection Actions’

The most notable change in the Act is that actions can now be taken by individuals for material or non-material damage. GDPR provides for joint and several liability, so both the controller and processor can be held fully liable for any damage caused. The Act does not define non-material damage. As with many civil actions, proving loss can be a hurdle to claimants. With the removal of the material loss requirement, the prospect of cases being taken by individual claimants becomes a real threat for companies.

Individuals and employees can now sue for stress and emotional damage allegedly suffered because of breaches of GDPR obligations. There has also been a huge public media campaign surrounding the introduction of GDPR, making private individuals far more aware of their data protection rights. Luckily, class actions are not a feature of litigation in Ireland. However, it is easy to see how well-publicised data breaches could invite a flood of claims against companies by individual data subjects.

Litigation risks

A review of the Act makes it obvious that increased litigation will be an inevitable result of the implementation of GDPR. Some risks have been heavily ‘red flagged’ while others are less obvious.

Consent – personal data

With the implementation of GDPR, there has been a lot of discussion around the issue of consent to process personal data. Personal data falls under two categories: ordinary personal data and sensitive personal data. Given the inequality between an employer and an employee, consent to process personal data may not be “freely given” by employees. As a result, employers are advised to rely on other grounds to justify processing; for example, a necessity for the performance of a contract or a necessity to comply with a legal obligation that allows the employer to process the data. This approach should have been reflected in the updated data protection policy and privacy notices rolled out within organisations prior to 25 May 2018.

The DPC has imposed strict criteria for drafting privacy notices in this jurisdiction. Companies are obliged to include a list of the personal data they hold, how they collect it, and how they use and share information during an employee’s employment and after it ends. During the course of the employment relationship, for example, it could be necessary to provide information to a variety of external contractors for a variety of purposes, including the wage function, legal advice, the potential sale of the business or compliance with the law.

All well-drafted privacy notices should clearly set out a company’s obligations to employees in respect of their personal data and should be shared with staff to ensure transparency. The notices should also set out the company’s other data protection obligations, such as proportionality, ensuring information is secure and putting employees on notice of their rights to access, correct or erase that information. The availability of this information to employees makes it more likely that employees will query the data being held and the basis on which it is processed in the future. As a direct result, the number of complaints to the DPC regarding consent is likely to increase.

Sensitive personal data

The issue of sensitive personal data often arises in the context of employee data; for example, when employers are dealing with an employee’s medical information. Employers can be left in difficulty when investigating an employee’s absence from work, as it is open to an employee to provide medical certification but no details of their illness. An employer is entitled to certification and confirmation of return to work assuming these are required by their absence policy. However, the employer may not be entitled to specific details of the employee’s illness.

With the spotlight on GDPR, employees are much more likely to refuse to furnish such information to employers, making it extremely difficult to manage absenteeism and provide cover for absent staff. It has also become increasingly common for employees to go on sick leave in the midst of a disciplinary process in an attempt to frustrate that process. If an employee refuses to furnish details of their illness, the question will arise as to whether the absence is linked to workplace stress or to something entirely unrelated. A recent Workplace Relations Commission (WRC) decision in relation to furnishing medical data confirmed that the employer was entitled to ask the claimant for the details of a family illness. This suggests that the WRC may take a common-sense approach when disputes come before it relating to employees being required to furnish sensitive data to employers. Despite this helpful decision, given the difficulties in holding and processing sensitive data, it is inevitable that organisations will simply be forced to hold less sensitive data in the future.

Security

An employer’s obligation to keep employees’ personal data secure has not increased because of GDPR. What has changed is the level of transparency employers need to demonstrate to employees in relation to that data. Employers’ privacy notices should confirm that the information is held securely and that there are procedures in place to deal with a suspected data security breach. This includes an obligation to notify the regulator and the data subject of any breach. The notices should also confirm that the employer will limit access to personal information to those who have a genuine business need to know. The transparency of this arrangement will increase the likelihood of employees making subject access requests (SARs).

Sinead Morgan is a Senior Associate at DWF Solicitors in Dublin specialising in employment law.

© Copyright Chartered Accountants Ireland 2020. All Rights Reserved.