EU Regulator Discusses Enforcement Priorities for the GDPR
Authors: Grant D. Petersen (Tampa), Simon J. McMenemy (London), Hendrik Muschal (Berlin), Danielle Vanderzanden (Boston), Stephen A. Riga (Indianapolis)
Published Date: April 4, 2018
On March 27, 2018, Helen Dixon, the data protection commissioner for Ireland, outlined the enforcement priorities of the Irish data protection authority (DPA) for the General Data Protection Regulation (GDPR) during the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C. The Irish DPA has been ramping up its compliance capabilities for the GDPR and will undoubtedly serve as the lead DPA for GDPR enforcement for numerous U.S. companies that are headquartered or have locations in Ireland.
Dixon recognized that many organizations will struggle to fully comply with the GDPR by the May 25, 2018, effective date but confirmed that the Irish DPA will begin to enforce the GDPR on that day and that there will be no grace period for companies that fail to comply. Additionally, Dixon stated that the Irish DPA will focus its enforcement efforts on resolving complaints filed with it as the GDPR requires DPAs to investigate all complaints. Dixon shared that, in 2017, the Irish DPA handled approximately 2,600 complaints. Over half of those complaints involved data subject access requests, and a majority of complaints involving data subject access requests were filed by employees who complained that their employers failed to adequately comply with their data access requests.
Further, Dixon emphasized the importance of transparency and accountability under the GDPR. Thus, the Irish DPA will scrutinize privacy policies and notices to ensure that data subjects are fully informed about how and why their personal data is being processed. Additionally, the Irish DPA will review organizations’ data protection governance documents to determine whether the organizations have made a commitment to data protection or have merely “ticked the boxes” to demonstrate minimal compliance with the GDPR.
Finally, Dixon stated that the Irish DPA takes seriously its duty under the GDPR to raise awareness about the GDPR and will allocate significant resources to providing guidance and advice to organizations about the GDPR, in addition to carrying out its obligations to enforce the GDPR.
Key Takeaways for Employers
Although employers are required to be fully compliant with the GDPR by May 25, 2018, they may want to prioritize and concentrate their efforts on high-risk compliance areas. With less than 60 days until May 25, 2018, and based on Dixon’s comments, employers may want to take the following actions:
Prepare compliant privacy notices for applicants and employees
Develop effective data subject access request protocols to respond properly and promptly to such requests and reduce the likelihood of employee complaints to DPAs
Prepare comprehensive data-handling policies and procedures that assign specific roles and responsibilities to individuals and provide meaningful consequences for noncompliance (Such documentation should include the Article 30 record of processing, which demonstrates that the employer has thought through the purpose, legal basis, and retention periods for processing personal data as well as the organizational and technical measures needed to protect the data.)