Everything you need to know about payroll and GDPR
These are the steps you should be taking when it comes to payroll and the GDPR legislation
The General Data Protection Regulation (GDPR), which comes into force in the UK on 25 May 2018, builds on our existing Data Protection Act 1998. It strengthens rules around personal data and requires organisations to be more accountable and transparent.
Payroll, because it handles so much sensitive information about employees is one of the key HR areas to be affected. But, unfortunately, some questions payroll departments have about the GDPR remain unanswered.
Gillian Dixon, group head of HR at Carr’s Group, says: “I recently attended a training course at a leading law firm on the GDPR and the two areas I came away thinking had the most implications for us were payroll and customer data.
“Nevertheless the session probably raised more questions than answers. The GDPR appears [to be] an incredibly vague piece of legislation. It is guidelines as opposed to set rules, and as an organisation we are still yet to determine the best way to deal with it.”
The Chartered Institute of Payroll Professionals (CIPP) is concerned about a lack of information coming from the regulators and has been arranging summit meetings to address specific payroll regulations the industry needs to think about.
Simon Garrity, sales and business development manager at the CIPP, says: “The GDPR doesn’t specifically talk about an employee’s right to be forgotten. There could be incorrect information held about employees who move on, which could affect a reference in the future. There are also no rules about how data is transferred from one company to another when a third party contract provider changes.
“We may not find out what is and isn’t required by the GDPR for payroll until a company has a high-profile data breach. Then we will start seeing the establishment of a bit of case law.”
Steps to be taken
Nevertheless, for the time being there are a number of steps that in-house payroll departments should be taking, although these are relatively minor for those already 100% compliant with current data protection regulations.
Guy Ellis, a director at HR consultancy Courageous Workplaces, says: “A very big chunk of me asks what all the fuss is about from a payroll point of view. Current good practice should meet most of the requirements of the GDPR as payroll is already a very highly-regulated area. But payroll may need to change some of the language it uses.
Additionally, staff must be properly trained to ensure they know what to do if data breaches occur.
“If payroll messes up on a data breach current law gives you discretion on whether to report it to the individuals affected and the Information Commissioner’s Office (ICO), but the GDPR requires you to notify the ICO at [the very] least,” says Chris Cook, head of employment and data protection at commercial law firm SA Law.
The GDPR also places much greater emphasis on making sure payroll systems have more robust security. A particular concern is if an email from payroll gets sent to the wrong person. So the GDPR strongly encourages sending two emails; one with an encrypted attachment and another with no attachment but with a password to open the first email’s attachment – then a single email going astray won’t cause problems.
Liaising with payroll providers
Where firms make use of external payroll providers they should expect to receive a new contract, and should enquire about this if it has not already materialised.
Payroll providers, considered ‘data processors’ under the GDPR, are much more culpable if anything goes wrong than under current law. So they need to review their terms and conditions with clients.
“Data processors have been slower than expected but some are now starting to produce some quite good contracts,” says Carla Whalen, employment solicitor at law firm Russell-Cooke. “The GDPR has a very specific list of things that need to go into a data processing agreement.
“These include the requirement that the payroll provider’s staff and contractors processing data will be under a duty of confidence. Providers must also only act on the written instructions of employers, must delete or return all personal data to employers at the end of the contract, and must only engage sub-processes with the prior written consent of the employer.”
Want to find out more about GDPR? Register for our webinar in partnership with Sage People on 14 March