How has GDPR impacted payroll departments?

  • March 2022

Stuart Hall MA PGMdip MCIPPdip, non-executive director at the CIPP, discusses payroll’s obligations under the General Data Protection Regulation (GDPR)


What impact has GDPR had on your payroll department? GDPR, or the General Data Protection Regulation to give it its full title, came into effect in the UK in May 2018, four years ago. It wasn’t a new concept; it replaced and strengthened the regime of the Data Protection Act 1998, which had itself implemented the 1995 EU Data Protection Directive.

However, because of the introduction of the new GDPR rules, many companies had to overhaul how they process, manage and store individual data. Back then, reports in the press discussed large fines for any company that didn’t adhere to the new regulations. And for many, there was a fear they wouldn’t be able to change their software solutions or have the information technology skills necessary to implement the changes in time.

The regulation applies to any organisation that processes the personal data of individuals in the European Union (EU), personal data being any information relating to an identifiable individual. This includes payroll, and for all payroll professionals, adhering to GDPR was, and still is, a matter of standard everyday protocol. Try taking a payroll manager for a coffee and asking about, or trying to extract information on, an individual on their payroll: they will simply remain tight-lipped.

 

Consequences of non-compliance with GDPR

In some cases, there have been substantial fines. The Information Commissioner’s Office (ICO), an independent regulatory office with the task of upholding information rights in the interest of the public, has handed out some hefty fines.

With the power to impose a penalty of up to £17.5 million or 4% of annual global turnover, whichever is higher, the ICO has taken several companies to task. British Airways was fined £20 million after its systems were compromised, affecting over 400,000 customers, when attackers obtained log-in details, payment card information and travellers’ names and addresses. The largest GDPR fine to date, however, was not issued by the ICO but by Luxembourg’s data protection authority (the CNPD) against Amazon, over the way it collected personal data for advertising, including, as widely reported, pressing users to ‘agree’ to cookies and making it difficult to ‘opt out’. That fine totalled €746 million, around £636 million.

 

Payroll’s obligations

Back to the tight-lipped payroll professional: does GDPR really affect payroll? The quick answer is yes, and don’t underestimate your role even if you think this no longer matters because we have left the EU. GDPR was retained in UK law as the UK GDPR, sitting alongside the Data Protection Act 2018, so the obligations have not gone away. Whether your payroll is handled in-house or outsourced to a third party, you must continue to bear in mind your responsibilities under GDPR. You have an obligation to store data securely, process data lawfully and have systems in place to deal with any data breach.

Of course, your obligations will depend on whether you are a data controller or a data processor. Let’s make that clear:

  • if you outsource your payroll function, the bureau is a data processor and you’re the controller of the data

  • if you run your payroll in-house, you’re both the controller and the processor of the data.

Security of your data is key, and any breach of personal information could cause significant harm to the employees affected. It would also increase your liability as a controller or processor. Don’t fall into the trap of thinking you only need to consider the payroll software; there are several areas in the payroll office vulnerable to data breaches. Spreadsheets and emails may contain personal information, and sharing that information or data amongst the workforce all increases the possibility of a data breach.

 

 

How can data be held?

There was a time when everything was paper-driven. Working from clock cards, the payroll team would calculate and write out the total hours to be paid, or check handwritten timesheets completed by employees and authorised by line managers. Sick notes from a medical doctor or self-certified notes were all gathered in A4 lever arch files. No wonder payroll departments were housed in lockable offices, or in cubicles in the corner of a large open-plan office. Thankfully there’s now a better and safer way of filing documents and information.

In this electronic age, we can’t forget that GDPR means understanding the personal data you hold, where you hold it and ensuring it’s held securely. The data may be held on-site or remotely in the cloud. A combination of both storage types could also be used.

Cloud storage:

  • means you always have easy access to your data and keeps it in one place that your company controls. It means reducing or disposing of previous manual storage systems

  • means holding information on individual company computers and local servers is no longer required, which reduces the risk of corruption or destruction if individual devices are damaged

  • means lowering the risk of loss, because you won’t be relying on a single device to store your data. Your storage provider should have security measures in place and be able to tell you, for example, how often back-ups are carried out, where your data is physically stored and whether it is encrypted at rest and in transit. In addition, the flexibility of the cloud means you and your employees can access the information from anywhere you need to

  • means you must trust the cloud storage provider to keep your data secure. Under GDPR, ultimate responsibility for the security of the data still remains with you. The provider is a data processor acting on your behalf, so there must be a written contract covering the processing (Article 28 of the GDPR), and appropriate checks and due diligence should be carried out before deciding which storage provider to use, including where the data will be held, since storing it outside the UK or EU brings international transfer rules into play

  • can also be used by your payroll bureau, and, in your role as the controller, you still need to satisfy yourself that the security measures required under GDPR are in place.

 

Processes to adhere to GDPR are no doubt in place, but how often do you audit your data?

It’s important to ensure you are holding information in a way that’s consistent with GDPR. Implementing a data retention policy, and ensuring all relevant staff members are aware of the need for regular data protection auditing, is as important as setting up rules and processes in the first place, whether that means auditing your in-house processing or checking your bureau provider. It’s important to remain GDPR compliant and, as we start a new life in the post-pandemic world, where remote or hybrid working is firmly on the agenda, now is the time to run an audit of your processes.

Working from home provides a better work-life balance, however, we need to recognise it poses new challenges to GDPR compliance. New security standards could need to be introduced for remote working. These standards may differ from those used when everyone was working in the office.

Even when working from home, employees are still in charge of handling personal and business data. Regardless of the location in which the work is done, GDPR requires the same security measures to be applied, to ensure data security and avoid data breaches. People who are working remotely are, in some respects, more likely to be exposed to security risks and threats.

Remote workers:

  • could be using their personal devices, such as laptops or smartphones, which may not have the same security measures as company equipment in the office. Without those measures, they are more exposed to external threats such as phishing links, malicious attachments and unsafe websites. Using personal devices could also mean employees mixing company data with their personal data

  • may not be aware that there can be differences between accessing company data from the office and accessing the same data from a remote location, such as home. The data may be the same, but its integrity can be lost when it is handled without the appropriate technical safeguards in place

  • may have to share their space with other family members or housemates, which could put their work at risk. GDPR does not distinguish between the places or conditions in which data is processed; it simply requires security appropriate to the risks, wherever that data may be

  • should be clear about how to handle data. The data must be kept safe in transit, when it’s transferred between server and workstation, and at rest, including on removable media such as pen drives or portable hard drives.

GDPR requires security measures to be adopted, such as encryption, to protect data from inappropriate use. Encryption is easier to enforce on equipment managed in the company’s offices, but it must also be implemented on the devices and software used in remote environments, so that a lost or stolen laptop or pen drive does not become a reportable breach.

Access to company data, whether business or sensitive, should always be controlled. Remote employees should be granted access only to the data necessary to accomplish their daily tasks, and no more. Access to the company server should be through a secure and private network connection, such as a virtual private network (commonly referred to as a VPN).

 

Make everyone aware of their responsibilities

As payroll professionals, it’s essential to have, maintain and audit a remote working policy for you and your team. It does no harm to remind everyone about how to keep personal information and company data safe, especially when working from home. Keeping employees aware of the role they play in keeping data safe, whether working from home or at the office, is all part of GDPR compliance. 
