As the amount of data grows, so do the ways in which data can be misused and stolen. This calls for an ever-evolving mechanism to ensure data protection. The General Data Protection Regulation (GDPR), an update to the current regulation that will replace the Data Protection Act 1998, is a step precisely in that direction. The regulation mandates that businesses protect the personal data and privacy of EU citizens for transactions that occur within the EU. All companies that process the personal data of individuals in the EU come under its ambit, and failure to comply can seriously weaken an organization's finances: penalties and fines can be as high as £17 million or 4% of global turnover. Clearly, companies that ignore it can easily find themselves on the verge of extinction.
Moreover, GDPR introduces the notion of ‘joint accountability’ between controllers and processors: in the case of a breach or compliance failure, both parties are considered responsible and share any financial penalties. This scenario is a real worry for payroll and accounting service providers, because payroll providers constantly handle large amounts of personal data belonging to their customers, their customers’ employees, and their own employees. Under the constant threat of cyber-attacks, it is no easy feat to guarantee secure data processing to clients, which is exactly what GDPR demands. It is then not hard to see why 33% of HR leaders are concerned about data privacy and GDPR.
The only way to sail through this is to understand GDPR well in its entirety and prepare accordingly. By listing some of the must-haves of GDPR, we hope to ease your way towards it a little.
Under GDPR, payroll providers and managers are legally bound to protect payroll information on behalf of their clients by:
- Collecting only the information needed to complete payroll
- Keeping client and employee payroll information safe and secure
- Ensuring the relevance of clients’ data
- Enabling clients or their employees to view their personal information
B) GDPR Terminology:
As GDPR is intent on allocating responsibilities to multiple parties, it firmly defines the role of each party.
- Data-subject: The person whose data is being handled and processed. In the context of payroll, the ‘subject’ is the employee whose data is entered into a payroll system.
- Data-controller: The person or entity that decides how the data is processed. In a payroll context, this is the employer business.
- Data-processor: Data processors process data on behalf of a controller. For payroll, the processor may be an in-house department or a third-party payroll provider.
C) Employee Consent:
It is mandatory for data controllers to obtain a data subject’s consent. This consent must be freely given, specific and informed; there must be no ambiguity about the subject’s wish to submit data for processing.
An employee cannot withdraw his/her consent for personal data usage as part of payroll processing. It must be noted that payroll providers should keep only the data that is strictly required for payroll processing. This is also called data minimization.
D) Employee Rights:
Apart from the basic right of access and the right to object to how data is used, GDPR brings in various fundamental rights, such as:
- The right to be ‘forgotten’: Subjects have the right to have their data removed by controllers when it is no longer needed.
- The right to restrict processing: A subject can ask the controller to stop processing personal data in scenarios such as data inaccuracy or breaches of law.
- The right to data portability: Data subjects have the right to ‘port’ their personal data to another controller.
E) Posting Payslips:
GDPR does not prohibit the posting of payslips, but those who post them must ensure the payslips are secure. This can be done by using security payslip envelopes, marking the envelope ‘Private and Confidential’ and confirming that it is addressed to a specific person. Registered post can be a viable option here.
F) Emailing Payslips:
Just like posting payslips, GDPR allows the distribution of payslips by email. However, regardless of the mode of transfer, GDPR makes it compulsory that each employee’s payslip is properly safeguarded. When you send payslips by email, you must ensure that every payslip is password protected with a unique password chosen by the employee. Using one generic, identical password for all employees is liable to be considered a breach of GDPR.
Additionally, your payroll provider should ensure that all payslips are securely encrypted and should automatically delete payslips from their server once they have been sent. Check that your payroll provider is delivering this level of security.
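One way to enforce the one-unique-password-per-employee rule before an emailed payslip batch leaves the server. This is an added example, not code from the original article or from any payroll provider; the employee ids, the passwords and the generic-password list are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample batch: employee id -> password the employee chose
# for protecting their payslip PDF. All values are made up.
CHOSEN_PASSWORDS = {
    "E1001": "Tr0ut-Haven!42",
    "E1002": "payslip2024",   # shared with E1003 and a generic default
    "E1003": "payslip2024",
    "E1004": "E1004",         # derived from the employee id, too short
    "E1005": "Qu1et#Lantern9",
}

# Generic defaults a provider might be tempted to reuse for everyone
# (constructed list; extend it with your own blacklist).
GENERIC_PASSWORDS = {"password", "payslip", "payroll", "welcome", "123456"}
MIN_LENGTH = 10


def check_payslip_passwords(chosen):
    """Return {employee_id: [reasons]} for every password that must not be
    used to protect that employee's payslip. An empty dict means the batch
    meets the unique-password-per-employee requirement."""
    counts = Counter(chosen.values())
    problems = {}
    for emp_id, pw in chosen.items():
        reasons = []
        if counts[pw] > 1:
            reasons.append("shared with another employee")
        if pw.lower() in GENERIC_PASSWORDS or re.fullmatch(
                r"(?i)(payslip|payroll|password)\d*", pw):
            reasons.append("generic default")
        if emp_id.lower() in pw.lower():
            reasons.append("derived from employee id")
        if len(pw) < MIN_LENGTH:
            reasons.append("shorter than %d characters" % MIN_LENGTH)
        if reasons:
            problems[emp_id] = reasons
    return problems


def safe_to_send(chosen):
    """True only when no payslip in the batch has a rejected password."""
    return not check_payslip_passwords(chosen)
```

Run the check on the whole batch before any payslip is encrypted and sent, so that a single shared or generic password blocks the batch rather than being noticed after delivery.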
G) Self-Service Access:
GDPR legislation clearly states: “A data subject should have the right of access to personal data which have been collected concerning him or her. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”
Though it is not mandatory, GDPR mentions providing individuals with secure remote access to the collected information as a best practice. Through a self-service system, employees can remotely access payroll information including payslips, contact details, and other employee documents. Since leave balances are also considered private data, employees can view their annual leave entitlements, including leave taken and leave remaining.
Apart from giving employees 24/7 access to their payslips and other documents, self-service access benefits payroll managers too. It can automate the distribution of payslips and payroll reports: after payroll is finalized, some systems make payslips and payroll reports automatically available on the self-service portal. This adds one more layer of security against cyber-attacks and eliminates email hacks.