How companies can ensure that their payroll processes are GDPR compliant?
Payroll General Data Protection Regulation (GDPR) policy is something that businesses can't afford to ignore. Since the new GDPR rules entered into force in 2018, there has been added pressure on companies to make sure that their processes meet the requirements of the new regulations.
In this article, we run through the basics of GDPR and explain how companies can ensure that their payroll processes are GDPR compliant.
What is GDPR?
GDPR entered into force on 25 May 2018; however, despite the significant publicity it received, many major European companies failed to understand its importance.
GDPR affects how all European businesses look after their data. This includes how they process it as well as how they store it. The new data protection regulation affects every citizen within the EU and applies to every company operating within the region.
Will companies need to be GDPR compliant after Brexit?
Brexit complicates matters further. The UK is now in a transition period up until 31 December 2020, allowing its leaders to negotiate its future relationship with the European Union.
During this transition period, GDPR, as well as the Data Protection Act 2018, will continue to apply.
The EU will then need to determine if the UK has a robust data protection policy in place and can benefit from an adequacy decision, as it will then be recognised as a "third country".
As these regulations are already in place, and the fact that the UK needs to be recognised as an adequate country by the EU Commission for data transfers, it is unlikely that there will be any drastic change in the near future.
Payroll and GDPR
GDPR affects anything and everything that uses personal data, including payroll. GDPR has added responsibilities to people processing data, meaning that compliance is no longer solely in the hands of the controllers.
A payroll bureau that wishes to remain GDPR compliant now has additional statutory obligations they must follow.
GDPR means that there is an increased number of mandatory terms that must be included in contracts between a controller and a processor.
Everything must be laid out in detail and a clear description of the data involved and the processing applied to it must be mentioned in this contract.
Under GDPR, companies are unable to transfer data internationally. For instance, the country in which the data is sent must benefit from an adequacy decision by the EU Commission.
Payroll software providers
Businesses are required to make sure that the payroll software they use is GDPR compliant. When GDPR came into force, many of the contracts for different software providers needed to be updated to ensure that they were compliant with the new regulation.
✅ Top three actions for ensuring good data protection
❶ Companies must make sure employees know what data they hold
Under GDPR, the data companies hold for an employee should be completely transparent. Companies must inform their employees about data processing — e.g. recipients and storage. In some cases, employers may even have to respond to requests for an employee's data to be changed or even deleted within a month.
❷ Minimise the data — get rid of anything that's not needed
As companies can no longer collect information unless it has a defined purpose, any data that doesn't have a specific use should not be collected. Such information should be deleted, anonymised or archived in a separate and secure database once its purpose has been achieved.
❸ How the employee receives their payslip
Companies can continue to send out payslips to employees by post or by email so long as appropriate security measures are put in place. To ensure general safety and security, it is recommended that this process be moved to a password-protected and two-factor authentication online system.
Due to GDPR, many payroll providers are looking to adopt this service. A self-service option will allow employees to easily view all of their data in one place and provide visibility of other information, such as untaken annual leave.
How can PayFit help?
Through the increased security measures in place, as well as password-protected systems that are easy for employees to access, employers can ensure GDPR compliance by using PayFit as their payroll software provider.
We are fully committed to securing data and ensuring that all best practices are put in place. We are also ISO 27001 certified and undergo external audits on an annual basis to ensure that we still meet the high standards we set ourselves.
Did you know?
PayFit has stringent internal processes in place, including having a product built in accordance with the GDPR principle of privacy by default and design.