Payroll management involves processing a lot of sensitive employee data, so it factors highly in concerns surrounding GDPR compliance.
In February’s issue of HR Magazine, Gillian Dixon, group head of HR at Carr’s Group is quoted as saying: “I recently attended a training course at a leading law firm on the GDPR, and the two areas I came away thinking had the most implications for us were payroll and customer data.”
As a data controller, if you’re already compliant with the existing Data Protection Act (1998), any changes you’ll need to make for GDPR compliance may be minimal. If you’re unsure, however, or work with third-party payroll providers, here are some tips on how to achieve payroll compliance under the GDPR.
Email encryption for more robust security
Protecting sensitive personal data through robust security measures factors highly under the new regulations. For example, a simple email sent from payroll to the wrong person could land your business in a heap of trouble with the Information Commissioner’s Office (ICO).
Taking the risk of human error into consideration, the GDPR advises that payroll sends two separate emails: a first carrying the encrypted attachment, and a second carrying the password needed to open that attachment. That way, if one of the emails ends up in the wrong hands, at least the employee’s personal data won’t be exposed.
Liaising with payroll providers
If you outsource your payroll, you’ll need a new contract that addresses your responsibilities as a data controller and the provider’s multiple new obligations as a data processor under the GDPR. If you can’t guarantee that the third parties you work with are compliant, the GDPR will make you, as the data controller, liable.
Payroll providers have a lot more responsibilities under the GDPR, and their terms and conditions with clients will need to reflect these changes. For example, payroll providers must:
- Acknowledge that their staff and contractors who process client data will operate under a duty of confidence
- Act only on the written instruction of their clients
- Delete or return all personal data to clients at the end of the contract
- Not engage sub-processors without prior, written consent from their client
Staff training on data breaches
Make sure your staff are aware of the implications of a data breach and what they need to do should the worst happen. If personal data has been compromised, you have an obligation to report it to the ICO and, where personal data is stolen, for example, you must also report it to the individuals or employees concerned. Here are some guidelines on how to report a data breach under the GDPR.
To find out more about Me Learning’s online GDPR courses for HR professionals and employees across the business, click here.