It is one year into the GDPR regime but what are the next steps for organisations? We discuss the developments over the last year, the lessons to be learned and what priorities employers should concentrate on next.
Siobhan Bishop: Hello and welcome to our Podcast on GDPR. We are discussing where we are now, one year on from the General Data Protection Regulation being introduced, where the key risks lie and what employers should be focusing on for the next 12 months.
I am Siobhan Bishop, a Principal Associate in the Employment, Labour & Equalities Team here at Gowling WLG and I am joined by Alice Loughney, an Associate in our Team.
It is one year into the GDPR regime and for the purposes of this Podcast we are working on the basis that employers have already completed the most basic steps, so done the relevant audits and have put in place privacy notices and policies, and what we are going to look at now is what developments there have been over the last year and where employers should concentrate their efforts for the coming year. So Alice, let's look back first on what the Regulators across Europe have been focusing on so far and what lessons these lead to for employers and how they can learn from this.
Alice Loughney: A lot of the activity so far, both EU-wide and in the UK, has not been directly related to employment data and many of the cases that have started since GDPR came into force are still working their way through the tracks.
I think from what we do know, we can draw out three key themes for employers in the coming year. This is based on where the focus has been so far and also where the ICO (the UK regulator) has said its strategic priorities are going to be for the year to come. The three key themes for employers to look at in the next year are:
Handling personal data breaches;
Responding to data subject access requests or DSARs; and
Automated decision making
Siobhan: Thanks Alice. So looking first at one of those key priority areas, handling personal data breaches, what developments do you see there?
Alice: One of the main challenges for employers is that under GDPR you have to act really quickly in the event of a data breach. The obligation is to report any notifiable breaches as soon as possible and within 72 hours. Even if you don't have all of the facts, you still have to go to the regulator as soon as you know that something has happened. If that is not possible, for...