GDPR for payroll

25 May 2018 will see the General Data Protection Regulation (GDPR) come into force, and it's important you're ready. The Chartered Institute of Payroll Professions provides comprehensive training. Learn more below about GDPR, and about our GDPR training courses and resources.


The changes that we will see introduced as part of GDPR are largely based on how personal data is managed, and as payroll is a key data processor in an organisation, there will be the need to adapt to a new way of working to ensure compliance.

Below are some of the key changes your payroll teams will need to be aware of:


Employers will need to obtain informed consent from employees to process their data. This means that employers will need to ensure that employees understand the changes and their rights to enable an employee to make an informed decision. Employees also have the right to withdraw consent at any time. Therefore, it is essential that a process is put in place to manage employees opting in and out. 

Enhanced access rights

Employees have enhanced rights to access their data, have it corrected or deleted. Unless self-service is available in your organisation, this task will sit with payroll.

In the current Data Protection Act, employees and ex-employees can request to see what information is held about them. This remains similar under GDPR; however, the period in which the data processor (payroll) must respond has been reduced to 40 days.

Payroll teams must have a way to extract personal data easily in order to meet the timeframe. This might sound achievable if all your personal data is held in one centralised system, but if your organisation uses multiple systems, or still relies on Excel spreadsheets or paper-based documents, then this task will be tricky and time-consuming.

Data breach

When personal data has been lost or compromised, the breach must be reported to the Information Commissioner within 72 hours and all employees impacted must be notified. As the personal data sits within payroll, it is likely that the process of reporting the breach and notifying employees will sit with payroll.

All businesses operating in the UK hold information about individuals (whether they be employees, customers or anyone else) and so are affected by data protection laws.

Since failure to comply with requirements can result in regulatory action and criminal as well as civil liability, no organisation can afford to ignore the issue of data protection.

In addition, the General Data Protection Regulation (GDPR), which builds on the existing DPA legislation, introduces some substantial new aspects, including, for example, that fines for non-compliance can be an eye-watering €20m or 4% of annual group turnover! (Brexit is not an escape clause: the GDPR comes into full effect in the UK in May 2018, when the UK will still be in the EU.) There is also a new Privacy Regulation due to come into force in the same timescale.

GDPR training, courses and resources

To help you cope with this, our GDPR training and resources can be of benefit to anyone working in data protection, information security and privacy.

It is particularly useful for those working as, or aspiring to be, Data Protection Officers (DPOs), as the courses provide essential knowledge of the core legislation and best practices.

Data protection training enables you to learn about the Data Protection Act and other key legislation such as GDPR, which in turn provides the foundations to ensure your organisation is fully compliant.

Our Data Protection courses can also be of value for those working in payroll and human resources, where an understanding of the law will help to provide confidence and inform decision-making.

Our GDPR course includes comprehensive training on the incoming EU General Data Protection Regulation (GDPR) that will be in place from 25 May 2018.