GDPR covers pretty well all areas of business life. This article simply looks at some of its implications for payroll.
The General Data Protection Regulation (GDPR), which comes into force in the UK on 25 May 2018, builds on the existing Data Protection Act 1998. It strengthens rules around personal data and requires organisations to be more accountable and transparent.
Payroll, because it handles so much sensitive information about employees, is one of the key HR areas to be affected. Here, we look at some of the key areas where GDPR touches payroll. However, these are only guidelines. Please seek legal advice if in any doubt.
Firstly, some unresolved issues
The Chartered Institute of Payroll Professionals (CIPP) is concerned about a lack of information coming from the regulators and has been arranging summit meetings to address specific payroll regulations the industry needs to think about.
The GDPR doesn’t specifically talk about an employee’s right to be forgotten. There could be incorrect information held about employees who move on, which could affect a reference in the future. There are also no rules about how data is transferred from one company to another when a third party contract provider changes.
We may not find out what is and isn’t required by the GDPR for payroll until a company has a high-profile data breach. Then we will start seeing the establishment of a bit of case law.
Steps to be taken
For the time being there are a number of steps that in-house payroll departments should be taking, although these are relatively minor for those already 100% compliant with current data protection regulations.
Current good practice should meet most of the requirements of the GDPR as payroll is already a very highly-regulated area. But payroll may need to change some of the language it uses.
Staff must be properly trained to ensure they know what to do if data breaches occur.
If payroll suffers a data breach, current law gives you discretion on whether to report it to the individuals affected and the Information Commissioner’s Office (ICO), but the GDPR requires you to notify the ICO at the very least.
The GDPR also places much greater emphasis on making sure payroll systems have more robust security. A particular concern is an email from payroll being sent to the wrong person. So the GDPR strongly encourages sending two emails: one with an encrypted attachment and another with no attachment but carrying the password needed to open the first email’s attachment. That way a single email going astray won’t expose the data.
Liaising with payroll providers
Where firms make use of outsourced payroll providers they should expect to receive a new contract, and should enquire about this if it has not already materialised.
Payroll providers, considered ‘data processors’ under the GDPR, are much more culpable if anything goes wrong than under current law. So they need to review their terms and conditions with clients.
The GDPR has a very specific list of things that need to go into a data processing agreement. These include the requirement that the payroll provider’s staff and contractors processing data will be under a duty of confidence. Providers must also only act on the written instructions of employers, must delete or return all personal data to employers at the end of the contract, and must only engage sub-processors with the prior written consent of the employer.
We’re GDPR compliant at J L Payroll
Everyone has known that GDPR has been coming for around two years. You can be confident that here at J L Payroll Services our outsourced payroll services are fully compliant with the requirements of GDPR.