GDPR and Payroll
Managing payroll requires processing a lot of personal data on employees. The availability and accuracy of that information, as well as ensuring it doesn’t fall into the wrong hands, can have serious implications for your business.
A recent survey conducted by B2B payments provider Modulr and payroll publication Reward Strategy found that manual payments handling was the largest payroll overhead for 44% of companies. Nearly 40% of companies surveyed relied on Excel spreadsheets to receive, submit and process payroll data.
With the EU’s General Data Protection Regulation (GDPR) due to come into force on 25 May, payroll managers need to think carefully about how they store, manage and send payroll information to third parties. Under GDPR, data will need to be held securely and protected against unauthorised access.
Umbrella companies often produce bulk payment files in CSV or text format from their payroll system, which are emailed to someone who is authorised to make the payment.
The file typically contains sensitive personal information, which could potentially be intercepted by hackers. Even those that don’t distribute payroll files via email may leave them on their laptops or computers, which are prone to hacking.
Essentially, GDPR gives control back to the individual in terms of how their personal data is used. Gone are the days when consent just constituted a box-ticking opt-in exercise.
Key Points to Consider
1. Why is the data needed? Under GDPR, companies need to demonstrate to the ICO a “lawful basis” for using personal data. Payroll teams could argue that they have a legal obligation to process personal data (make salary payments, provide real-time reporting to HMRC) or a “legitimate interest”.
3. Under GDPR, it is mandatory to report data breaches to the ICO within 72 hours of becoming aware of them.
6. Size doesn’t matter: Whether you’re a one-person payroll bureau or a larger-scale operation, GDPR affects anyone or any organisation that processes personal data.
7. Hefty fines imposed for data breaches: Penalties for data breaches (fines of up to €20 million, or 4% of annual turnover, whichever is higher) are more far-ranging under GDPR than under the Data Protection Act it supersedes.
8. Data privacy should be incorporated by design. Make sure you are not capturing more data than you need to process payroll.
9. Personal data must be kept up to date. Inaccurate or outdated payroll data should be deleted or amended.
10. What about Brexit? GDPR imposes restrictions on the transfer of personal data outside the EU, to so-called “third countries” or international organisations. As of midnight on 13 March 2019, Brexit will take place.
The UK and EU27 recently agreed that there should be an implementation period until the end of 2020 as part of the UK’s Withdrawal Agreement with the EU. At the end of this implementation period, the UK will be classed as a ‘third country’ for the purposes of GDPR, which could have implications for companies within the EU that process payroll for UK-based companies.