GDPR for payroll

25 May 2018 will see the General Data Protection Regulation (GDPR) come into force, and it's important that you're ready. The Chartered Institute of Payroll Professionals provides comprehensive training. Learn more below about GDPR, and about our GDPR training courses and resources.

The changes introduced by GDPR largely concern how personal data is managed. As payroll is a key data processor in any organisation, payroll teams will need to adapt to a new way of working to ensure compliance.

Below are some of the key changes your payroll teams will need to be aware of:

Consent
Consent is one of several bases for processing data under GDPR. It requires an informed decision on the employee's part for data to be held, processed and analysed by the payroll department. Employees can withdraw their consent for certain data to be used at any time. However, because payroll requires certain personal data in order to process pay and report to HMRC, consent is not the most important basis under GDPR for payroll professionals.

Legal obligation, another basis for processing personal data, could be used instead for processing employee data, as it applies to situations where you (the employer/organisation) are obliged to process the personal data in order to comply with the law.

The examples given on the ICO website cite the following scenarios, which are applicable to payroll:

Example
An employer needs to process personal data to comply with its legal obligation to disclose employee salary details to HMRC. The employer can point to the HMRC website where the requirements are set out to demonstrate this obligation. In this situation, it is not necessary to cite each specific piece of legislation.

Example
A court order may require you to process personal data for a particular purpose and this also qualifies as a legal obligation.

Enhanced access rights
Employees have enhanced rights to access their data and to have it corrected or deleted. Unless self-service is available in your organisation, this task will sit with payroll.

Under the current Data Protection Act, employees and ex-employees can request to see what information is held about them. This remains similar under GDPR; however, the period in which the data processor (payroll) must respond has been reduced to 40 days.

Payroll teams must have a way to extract personal data easily in order to meet this timeframe. That may sound achievable if all your personal data is held in one centralised system, but if your organisation uses multiple systems, or still relies on Excel spreadsheets or paper-based documents, the task will be tricky and time-consuming.

Data Breach
When personal data has been lost or compromised, the breach must be reported to the Information Commissioner within 72 hours, and all employees impacted must be notified. As the personal data sits within payroll, it is likely that the process of reporting the breach and notifying employees will also sit with payroll.

All businesses operating in the UK hold information about individuals (whether employees, customers or anyone else) and so are affected by data protection laws.

Since failure to comply with requirements can result in regulatory action and criminal as well as civil liability, no organisation can afford to ignore the issue of data protection.

In addition, the General Data Protection Regulation (GDPR), which builds on the existing DPA legislation, introduces some substantial new aspects, including, for example, fines for non-compliance of up to an eye-watering €20m or 4% of annual group turnover. (Brexit is not an escape clause: the GDPR comes into full effect in the UK in May 2018, when the UK will still be in the EU.) There is also a new Privacy Regulation due to come into force in the same timescale.

GDPR training, courses and resources
To help you cope with this, our GDPR training and resources can be of benefit to anyone working within data protection, information security and privacy.

It is particularly useful for those working as, or aspiring to be, Data Protection Officers (DPOs), as the courses provide essential knowledge of the core legislation and best practices.

Data protection training enables you to learn about the Data Protection Act and other key legislation such as GDPR, which in turn provides the foundation for ensuring your organisation is fully compliant.

Our Data Protection courses can also be of value to those working in payroll and human resources, where an understanding of the law helps to build confidence and inform decision making.

Our GDPR course includes comprehensive training on the incoming EU General Data Protection Regulation (GDPR) that will be in place from 25 May 2018.