Is your payroll GDPR compliant?
After being in the business news headlines for what seems like forever, the deadline for the General Data Protection Regulation came and went on 25th May 2018. GDPR came into full effect for all businesses within the EU on that date.
Whilst you may have heard a great deal of advice when it comes to keeping your customers’ personal data processing compliant under the legislation, you may not be aware that your payroll functions may also be affected.
GDPR was put into place to safeguard all personal data relating to individuals – that includes your employees. Your internal data is just as important as your customer data when it comes to protecting the privacy and rights of your staff.
If an employee came to you and asked to see all of the data you have on them, would you be able to show them? Would you be able to locate and access the information? How long would it take you to pull everything together?
Transparency is a significant part of GDPR, as is protecting your employees’ right to access their own personal data. That means, should they come to you, you need to be able to produce all of the records that you hold on them. You’ll have to think about everything from HR records and interview submissions to absences and expense claims.
And, with payroll information, you need to be especially diligent. Employee names, national insurance numbers, dates of birth and rates of pay are all extremely sensitive types of data and protecting them is paramount.
GDPR has had a huge effect on payroll functions since its introduction, including:
GDPR is all about data protection, and that includes protecting employee data from breach. Under the rules, your company is obligated to implement various technical and organisational measures in order to ensure the data you hold is safe.
This could be securing workstations, servers and storage space, as well as implementing new security and confidentiality policies in order to establish proper protocol across your business.
If you use payroll management software, your service provider may be able to arrange these new security protocols for you through your software.
Let’s say that your system is password protected for each employee. This would give them a secure way of viewing their personal data and payroll reports whenever they wish. All sensitive data can be stored in a single, secure hub, honouring your employees’ right to access whilst keeping information safe.
Accountability is another of the core principles of the General Data Protection Regulation. It makes your company responsible for complying with the new legislation, and it states that you must be able to prove your compliance.
You’ll need to assess and implement a number of changes in order to demonstrate your business’ accountability – including documenting any policies and actions that are put into place.
For payroll in particular, you’ll need to make your accountability for protecting data well known. This should be highly detailed and made easily accessible so those handling your payroll functions are able to reference it.
Another procedure you need to put into place is what to do if an employee requests to see their own data. You’ll need to be able to respond to any number of requests, including their right to be forgotten and the right to access.
Newer payroll management software tends to include additional functionalities that allow you to respond to such requests effectively whilst maintaining compliance with GDPR.
If you’re still concerned about what you can do to keep your payroll processes in line with the new rules, there are some things you can do to make your life much simpler.
Many GDPR experts recommend migrating from printed payslips to a digital alternative. This helps keep all payslip data online and in one place, meaning you can control who has access to this sensitive information and ensure it is secure.
If you’re currently using paper timesheets to keep track of the hours your employees work, it is also a good idea to switch to a software management system. This will help you comply with your data storage requirements whilst helping your employees access and track the time they have worked.
These online systems also mean your processes are easier to check should you need to prove your compliance with the GDPR.
Cloud-based payroll management systems also provide an easy way for employees to submit holiday requests and sick days, meaning payslips are automatically updated.
Businesses are also being urged to assign their own data protection officer if they process any kind of personal data, if they are a public body or if their core activities involve managing individuals on a large scale. If yours is a much smaller business, think about DPO-as-a-service for your organisation.
If you outsource your payroll functions to another company, it is likely you had to sign a revised contract before GDPR was enacted that reflected the new rules. These service providers are considered data processors under the GDPR, meaning they are much more culpable than previously should something go wrong.
“Data processors have been slower than expected but some are now starting to produce some quite good contracts. The GDPR has a very specific list of things that need to go into a data processing agreement,” says Carla Whalen, employment solicitor at law firm Russell-Cooke.
“These include the requirement that the payroll provider’s staff and contractors processing data will be under a duty of confidence. Providers must also only act on the written instructions of employers, must delete or return all personal data to employers at the end of the contract, and must only engage sub-processes with the prior written consent of the employer.”
Of course, there are a huge number of changes that your company will have made prior to the GDPR deadline. That’s why it is essential that you consult your accountant to ensure your business is fully compliant and that your payroll functions are prepared for the stricter rules now that they are in effect.