Now that the 25th of May ’18 has come and gone, don’t be fooled into thinking there is no need to comply with an employer’s responsibilities under GDPR, in relation to the personal data of their employees or that GDPR doesn’t apply to you. If you are an employer, then GDPR applies to you and as the following short article illuminates, there are very good reasons to become compliant, even if it is only somewhat compliant. 


Not only does GDPR apply to you, we would suggest that this is an area where you can very easily get into a lot of unnecessary difficulty. Imagine, you have an employee who is disgruntled with the boss or the company and issues have arisen, either real or perceived or they are now an unhappy ex-employee. One of the easiest way for them to make life difficult for their employer is to: 


The result of this being, an investigation by the DPC, which will use up valuable company resources to deal with and the very real possibility of a large administrative fine being imposed on the Company, for non-compliance with GDPR, by the DPC, as the likely outcome. 

Why leave your company open to the above scenario, when most of it can be avoided with some proper basic GDPR Employer planning. We have set out below the bare minimum things you should consider doing right now, to help you in the future. 

However, please note that we would strongly recommend that you be a lot more proactive and have a full Data Audit, a GDPR Data Protection Policy, SAR, DPIA procedures, training, etc., all in place, in order to be 100% GDPR compliant. You know that complaint to the DPC is coming, its just a matter of time and its going to cost you if you are not prepared.  If unsure, you can always contact Dublin’s leading GDPR Solicitors for advice.

1. Secure your HR files 

  1. Make sure your files on the server/computer are secure from being accessed by anyone other then on a need to know basis
  2. Same for your paper files, paper with personal information and/or sensitive data (now called Special Category Data under GDPR) are considered high risk, so they need to kept secure accordingly (e.g. buy a safe and put them in it and restrict access).

2. Why do you have this information and what do you do with it

Under GDPR you must identify the legal basis on which you rely on to keep and process personal information. In the case of most employee information, we would suggest that you should identify that you keep it for legal, legitimate interests and/or contract reasons. Consent is considered a poor basis of having/processing employee information and is one that the employee can withdraw at any time. You also have to tell employees what you do with their information.

3. The documents that you need to put in place (at a Minimum) 

  1. Privacy Notice – this document sets out the information you collect and what you do with it and also sets out the employees’ rights.
  2. Amend Contract of employment – you will need to amend the employment contract to incorporate the Privacy notice. 


1. Data Protection Impact Assessments

2. Data Protection Policy (DPP)

3. Data Protection Training

4. Data Protection Officer (DPO)

We have specialised in Data Protection Law for many years and can assist you with any queries you may have in relation to complying with GDPR, contact us today.

1 + 12 =


What employers must do to comply with new Data protection laws (GDPR) from 25th May ’18. With under a 100 days to go before the General Data Protection Regulation (GDPR) comes into force, many employers are still wondering what their requirements are under...

Changes in GDPR

This new regulation, the General Data Protection Regulation (GDPR), which came into force on 25th May 2018, acts to strengthen the core values of the 1995 Data Protection Directive with additional principles and rights. The two overarching principles of...


Any Data Controller that is subject to GDPR, will need to have in place an appropriate Data Processing Agreement with any third party that it shares data with, where that third party is a processor, as defined under GDPR. GDPR applies to both Controllers...