By David McLeod
Businesses across Europe are getting a grip on the GDPR: how is the new data protection regulation changing payroll?
Since May 25, 2018, the General Data Protection Regulation (GDPR) has changed the way businesses in Europe handle personal data. It’s not good enough to pay lip service to the new rules; the prospect of steep fines for noncompliance means that businesses must take the GDPR seriously and make sure their data-protection strategy fulfills their compliance obligations, especially for a highly detail-oriented process like payroll, which relies on vast amounts of sensitive personal data, including bank account information.
With the GDPR now in full force, it’s easier to understand its impact on the payroll landscape and, by extension, what businesses need to do to improve their compliance.
To gauge the GDPR’s impact, it’s important to understand the basics of the regulation. Essentially, the GDPR harmonizes data protection law across the EU (including the UK, which was an EU member state when the regulation took effect), with a focus on strict accountability rules for how businesses collect, store, use, transfer, and delete personal data.
With this in mind, employers, and the employees in their payroll departments, have had to develop an understanding of data-security best practice and of the GDPR’s own terminology, most notably:
Data subjects: The identifiable individuals to whom the personal data relates. In a payroll context this means employees, and anyone else whose details are processed as part of paying them.
Data controllers: The party (normally the employer) that determines the purposes and means of processing: what personal data is used, and why.
Data processors: Those who process personal data on behalf of, and on the instructions of, a data controller, such as an outsourced payroll bureau.
With its emphasis on accountability, employers and their payroll employees have had to get used to an environment in which processors carry direct legal obligations of their own alongside those of the controller, rather than the controller alone being answerable. This means the GDPR’s fines can apply both to the employer and to whoever processes payroll data on its behalf.
While this changes little for employers who process payroll entirely in-house, those who outsource some or all of their payroll to a third party need to ensure that their service providers are also meeting compliance standards. The GDPR requires that relationship to be governed by a written contract setting out the processor’s obligations (Article 28), so an employer cannot simply assume a provider is compliant: the contract and the provider’s security measures should be reviewed.
The GDPR has also brought new training requirements for payroll employees. It is good practice for all employees in any business to receive some form of cybersecurity training, but those who work with or around payroll data must additionally understand the specific GDPR compliance requirements that apply to it. Employers may handle training in-house, or seek options from industry institutions such as the Chartered Institute of Payroll Professionals (CIPP) and the American Payroll Association, which offer courses catering to GDPR compliance.
GDPR Payroll Information
The GDPR has changed the way payroll departments deal with information itself, introducing a set of key principles by which businesses must abide. These principles mean employers must change the way they think about payroll data in the following ways:
Relevance: Under the GDPR’s data-minimization principle, employers must ensure that no irrelevant data is collected from data subjects: nothing may be collected that is not required for the purpose of processing payroll. Payroll departments should conduct an internal review to determine whether each item of data they hold about employees is still needed for that purpose, and delete anything that is not.
Consolidation: The GDPR does not literally require that personal data be consolidated, but its accountability and security obligations are very hard to meet when names, addresses and banking details are scattered across ad hoc spreadsheets and mailboxes. Payroll departments should streamline the spreadsheets they use during the pay cycle and bring that information together in a controlled system, so that it can be inventoried, access-controlled and processed in accordance with the new rules.
Types of data: The GDPR applies to a wide range of data, forcing employers to consider the full scope of their payroll process. This has meant considering every instance of personal data in the pay cycle: employee timesheets and overtime requests, correspondence such as emails and text messages, sick notes and medical records, and any other materials which may fall under GDPR jurisdiction. Note that health data such as sick notes and medical records is special-category data under the regulation and may only be processed under one of the specific conditions it sets out, so it warrants tighter handling than ordinary payroll records.
GDPR Data Security
The severe penalties for the mismanagement, theft or loss of personal data mean that all employers have had to think carefully about their security strategies, from both a physical and a cybersecurity perspective. Beyond upping cybersecurity protections, for most employers this has meant a review of the environment in which personal data is stored: who has access to physical payroll records, or to the servers on which they are stored digitally, and is that access limited to those who need it? How are users authenticated before they reach payroll systems? How are personal devices integrated safely into the network, if they are allowed on it at all?
When it comes to the GDPR and outsourced payroll setups, employers have had to scrutinize their service providers more closely in order to ensure that the accountability requirements of the regulation are being met. While there is a range of factors to look out for when selecting a payroll service provider, major data-security accreditations include:
ISO 27001: Recognized widely across the world, ISO/IEC 27001 certification in information security management shows that a business operates an information security management system that has been independently audited against the standard. Check that the certificate’s scope actually covers the payroll service you are buying, and not just, say, the provider’s corporate IT.
The Payroll Assurance Scheme: Administered by the CIPP, indicating general compliance with payroll legislation and an ability to adapt to changes in the law.
BACS Approved Bureau Scheme: Indicating that a bureau submitting payments through BACS on behalf of its clients meets the scheme’s requirements for the security, confidentiality and integrity of those transactions.
Payroll Audits & Data Protection Officers
Meeting the GDPR’s accountability requirements means auditing your own data security strategy regularly (both internally and externally) to ensure continued compliance. The GDPR makes this explicit for some organizations by requiring them to appoint a data protection officer (DPO): public authorities, and organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data, must appoint one. The DPO is responsible for advising on and monitoring GDPR compliance over the short and long term. Employers outside those categories may still choose to appoint one.
GDPR compliance and payroll should always be considered together when your business develops or amends its data security plan. One of the best ways to approach the challenge is to develop a GDPR compliance checklist which acts as both the foundation of your wider data-security strategy and a day-to-day guide for employees during the pay cycle. Your GDPR checklist should be verified during each pay cycle, and might look something like this:
Data: Ensure that your business has an extensive catalogue of all the personal data it holds, where it is held, why it is processed, and whom it is shared with. This is the basis of the record of processing activities the GDPR requires controllers and processors to maintain for any processing that is more than occasional (Article 30), and payroll is never occasional.
Accountability: Ensure that the data controller and any data processors have clear lines of communication, including an agreed route for reporting a personal data breach promptly (a processor must tell the controller without undue delay, and the controller has 72 hours to notify the supervisory authority where notification is required), and that all employees are aware of data-protection protocol. If you have one, your data protection officer may provide oversight.
Rights: Ensure that data subjects are able to exercise their rights over their personal information, such as requesting access to it, having inaccuracies corrected, and having it erased when there is no longer a reason to keep it, and that your business is upholding those rights within the timescales the GDPR sets.
This checklist provides only a broad perspective on the data protection process which your payroll must deliver. Obviously, there’s no one-size-fits-all solution and it’s incumbent on you, the employer (and data controller), to develop a checklist which fits your specific needs, and to maintain the effectiveness of that checklist on an ongoing basis.
About David McLeod
David McLeod works as an Information Security Officer at activpayroll. He has over 18 years of information technology experience, and has spent the last six years working in information security and data privacy. David has worked in a number of industries including local government, oil and gas, and payroll services.