January 30, 2023

Volume XIII, Number 30


January 30, 2023

Subscribe to Latest Legal News and Analysis

January 27, 2023

Subscribe to Latest Legal News and Analysis

EU Regulator Discusses Enforcement Priorities for the GDPR

On March 27, 2018, Helen Dixon, the data protection commissioner for Ireland, outlined the enforcement priorities of the Irish data protection authority (DPA) for the General Data Protection Regulation (GDPR) during the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C. The Irish DPA has been ramping up its compliance capabilities for the GDPR and will undoubtedly serve as the lead DPA for GDPR enforcement for numerous U.S. companies that are headquartered or have locations in Ireland.  

Dixon recognized that many organizations will struggle to fully comply with the GDPR by the May 25, 2018, effective date but confirmed that the Irish DPA will begin to enforce the GDPR on that day and that there will be no grace period for companies that fail to comply. Additionally, Dixon stated that the Irish DPA will focus its enforcement efforts on resolving complaints filed with it as the GDPR requires DPAs to investigate all complaints. Dixon shared that, in 2017, the Irish DPA handled approximately 2,600 complaints. Over half of those complaints involved data subject access requests, and a majority of complaints involving data subject access requests were filed by employees who complained that their employers failed to adequately comply with their data access requests. 

Further, Dixon emphasized the importance of transparency and accountability under the GDPR. Thus, the Irish DPA will scrutinize privacy policies and notices to ensure that data subjects are fully informed about how and why their personal data is being processed. Additionally, the Irish DPA will review organizations’ data protection governance documents to determine whether the organizations have made a commitment to data protection or have merely “ticked the boxes” to demonstrate minimal compliance with the GDPR.

Finally, Dixon stated that the Irish DPA takes seriously its duty under the GDPR to raise awareness about the GDPR and will allocate significant resources to providing guidance and advice to organizations about the GDPR, in addition to carrying out its obligations to enforce the GDPR.

Key Takeaways for Employers

Although employers are required to be fully compliant with the GDPR by May 25, 2018, they may want to prioritize and concentrate their efforts on high risk compliance areas. With less than 60 days until May 25, 2018, and based on Dixon’s comments, employers may want to take the following actions:

  1. Prepare compliant privacy notices for applicants and employees
  2. Develop effective data subject access request protocols to properly and timely respond to such requests and reduce the likelihood of employee complaints to DPAs
  3. Prepare comprehensive data-handling policies and procedures that assign specific roles and responsibilities to individuals and provide meaningful consequences for noncompliance (Such documentation should include the Article 30 record of processing, which demonstrates that the employer has thought through the purpose, legal basis, and retention periods for processing personal data as well as the organizational and technical measures needed to protect the data.)
© 2023, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.National Law Review, Volume VIII, Number 94

About this Author

Grant Petersen, Labor, Employment, Ogletree Deakins

Mr. Petersen represents and counsels employers regarding a broad range of U.S. and international labor and employment law issues, Foreign Corrupt Practices Act and other anti-corruption law issues, and data privacy and data protection law issues. He represents clients in a wide variety of industries, including manufacturing, service, healthcare, financial, retail, and food processing, as well as multinational companies and trade associations.

Simon McMenemy, Labor Employment, Managing Partner, New York, OgleTree Deakins law firm
Managing Partner

Simon is an experienced employment law practitioner. He was called to the Bar in 1995, and subsequently qualified as a solicitor while working in the employment and incentives team of a major global law firm. He has advised on the employment aspects of many major international and multi-jurisdictional mergers and acquisitions. He also has a wide range of experience in advising companies on change management, particularly in relation to acquired rights, pensions and benefits. Simon advises on the increasingly complex issues arising on data privacy and data protection in the workplace and is...

44 (0)20 7822 7620
Hendrick Muschal, Ogletree Deakins, Employment Attorney, Germany
Managing Partner / Certified Specialist for Employment Law

Hendrik Muschal is a partner in Ogletree Deakins’ Berlin office.  He advises numerous German and international clients on all aspects of individual employment law, collective employment law in both the private and public sector, international employment law and criminal labor law.  Hendrik is strongly involved in international business activities, particularly in the field of international investments and cross-border transactions as well as global HR management.

One of the focal points of Hendrik’s work regarding global HR management is data protection and monitoring inside the EU...

+ 49 (0) 30 862030 161
Stephen Riga, Ogletree Deakins Law Firm, Labor Law and Privacy Attorney
Of Counsel

Mr. Riga concentrates his practice in the area of employee benefits and privacy and security issues.

Mr. Riga's benefits practice includes work with funds and employers to design, maintain, merge and terminate qualified retirement plans and health and welfare plans. Mr. Riga prepares determination letters and voluntary compliance program submissions and assists employers and funds on COBRA, Medicare Part D, and HIPAA compliance. Mr. Riga evaluates contribution and withdrawal liability obligations, and identifies retirement and health and welfare...