General Data Protection Regulation (GDPR)

The Data Protection Acts 1988 to 2003 currently instructs organisations on their data protection obligations. The General Data Protection Regulation (GDPR) is due to come into effect on 25 May 2018, replacing the existing data protection framework under the EU Data Protection Directive. The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.

The GDPR will enhance existing individual privacy rights considerably, and organisations should review in advance their current employment practices to ensure alignment and compliance. The Office of the Data Protection Commissioner has produced GDPR specific guidance that organisations should familiarise themselves with, in anticipation of legislative changes next year. The Data Protection Commissioner will continue to release briefing notes for data controllers and data processors in the run up to the implementation date, and has also launched a GDPR dedicated website.

Employers are also encouraged to have a data protection policy in place, that includes details on the recruitment practices, use of information and communications technology, transfer of personal data, record keeping, data access requests and other key issues relevant to the organisations' obligations under data protection legislation. GDPR will enhance data protection rights of employees, impose onerous obligations on employers and introduce severe financial penalties for non-compliance. Ibec have produced a number of resources to help employers prepare in advance for the implementation of GDPR.