16
Jun 23

Posted by
Charlotte McArdle

Following GDPR Guidelines

General Data Protection Regulation (GDPR) is a hot topic right now. GDPR is the toughest privacy and security law in the world. Even though it was drafted and passed by the European Union (EU), it imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU. Under GDPR people have a fundamental right of access to their personal data from data controllers.

Types of data processed
In business there are 3 main types of data that are processed regularly. These are:

• Customer data
• Employee data
• CCTV

When dealing with this data the three key principles to remember are:

• Lawfulness
• Fairness
• Transparency

How to treat the data you process

• Purpose limitation
Personal data should only be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

• Data minimisation
Processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.

• Storage limitation
Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purpose for which the personal data are processed.

• Integrity and confidentiality
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The four main breaches of GDPR are:
• Unauthorised disclosures
• Unauthorised access
• Hacking
• Integrity

GDPR Guidelines
1. Know what data you have, where you have it and why you have it
2. Be transparent
3. Identify any risks
4. Know your processors
5. Manage any risks

Bright Contracts contains a 'Data Protection' section of the Company Handbook which can be viewed under the 'Introduction' tab. Download a trial of our software to see a sample of this content.

Posted in GDPR

15
Jun 23

Posted by
Charlotte McArdle

Whistleblowing Updates

Whistleblowing legislation has been in place in Ireland since 2014 as a result of the Protected Disclosures Act 2014 (the "PD Act"), a major development at the time, which introduced significant legal protection for employee whistleblowers and consequently new and serious obligations for employers. As a result of the EU Whistleblowing Directive, the 2014 Act has been significantly updated and enhanced through amending legislation which became effective on 1 January 2023.


What impact did the updated whistleblowing legislation have in Ireland?
While many of the elements required by the Directive were already covered under Irish law, the Irish Government introduced the Protected Disclosures (Amendment) Act 2022, which amends the existing 2014 PD Act.


The updated legislation includes a number of key enhancements to existing whistleblowing protections and measures, such as:


• Widening the scope of individuals who are afforded protection beyond employees to include volunteers, interns, job applicants, suppliers, shareholders and non-executive directors
• Expanding the ambit of "relevant wrongdoings" for the purposes of whistleblowing by encompassing breaches of EU law in various prescribed areas including public procurement, financial services, product safety, transport safety, food safety, animal welfare, public health, consumer protection, privacy and protection of personal data. It excludes interpersonal conflicts which concern the worker exclusively
• Considerably extending the definition of "penalisation" to include acts such as failing to convert fixed-term contracts, negative performance assessments and psychiatric or medical referrals
• Extending the existing injunction style interim relief potentially available in dismissal cases to make it potentially available in other penalisation situations
• Reversing the traditional burden of proof. Where a worker alleges penalisation, the new legislation shifts the burden to the employer to prove that the employer's actions were based on justified grounds and not because the worker made a protected disclosure
• Requiring that certain private sector employers must have whistleblowing procedures and internal channels on the following basis:
o Private entities with more than 250 employees – from 1 January 2023
o Private entities with between 50 and 249 employees – from 17 December 2023
o All public sector organisations are already required to have a formal whistleblowing policy in place under the existing legislation
• Imposing strict timeframes on employers for acknowledging, following up and providing feedback to whistleblowers
• Establishing a Protected Disclosures Commissioner

Are employers required to process anonymous disclosures?
Employers are not obliged to accept or follow up on anonymous reports. However, an anonymous whistleblower is still entitled to protections if their identity subsequently emerges.

What other things should employers in Ireland be thinking about?
The new legislation signals a significant change in approach to whistleblowing in Ireland.
Many employers should have reviewed existing policies or prepared new procedures. Training and awareness, especially for management, are also key.
By ensuring that effective internal whistleblowing channels and procedures are in place, organisations will have an opportunity to become aware of concerns at the earliest stages, helping to avoid or limit financial and reputational risks.

 

Posted in Employment Update