A day of reckoning

12 February 2018

This article was featured in the March 2018 issue of the magazine.

Simon Garrity outlines developments and provides advice on GDPR 

With the 25 May deadline fast approaching, the need for payroll-specific guidance surrounding the General Data Protection Regulation (GDPR) is becoming more important by the day.

Against a background of huge fines and penalties, general GDPR discussions are focusing the minds of many in all sectors, not just payroll.

We know the outcome if we breach the rules, but how should we prepare effectively to avoid a breach in the first place?

The GDPR rules are only an evolution of the existing Data Protection Act, and since the Act’s inception there have been just a handful of serious prosecutions. The existing power of the regulator – the Information Commissioner’s Office (ICO) – is already formidable, but we hear little in the way of fear because of it. So why, within the press, do we see a constant focus on fines and penalties?

It seems to me we have a vacuum, generated by lack of quality information. And we are seeing the same information reprinted again and again.

Historically, all payroll managers have had a firm responsibility to ensure that their processes are compliant with changing payroll legislation. After all, by its nature payroll changes year by year.

All data must be secure and compliant; we expect that as a matter of course. Ensuring the security of personal and confidential data effectively should be a prerequisite. Payroll managers already know that, probably more so than those in other roles.

In addition to their own internal obligations, payroll managers must prepare for the significant industry changes from other aspects of the business. GDPR will have a significant impact on all parts of how a business functions. Payroll does not sit in isolation – it interacts with many business systems.

Let’s look at just a couple of the issues. Business must ensure that:

  • only the minimum amount of personal data is collected and processed for a specific purpose, with the extent of processing limited to that necessary for each purpose, and

  • all personal data is stored for no longer than necessary, with access to the data restricted to that necessary for each purpose.


This raises an interesting question: which data should we keep and how long can we keep it? The answer isn’t clear. The GDPR rules do consider existing legislation. If we need to keep the information for tax purposes, then this is an overriding mechanism. However, what about absence? Or disciplinary data? What if as part of an investigation years from now the data is needed?

What about pension details? Or pension payrolls?

It’s obviously complicated, and the truth is some of the answers will only come later when a breach has occurred, and the courts test the requirements fully.

The next question surrounds consent, as this may offer some comfort to both the data controller and the data processor. Many employers process employee personal data based on consent. Under GDPR, consent must be “freely given, informed, specific and explicit”. 

However, this approach has been increasingly criticised, as the validity of employee consent is questionable due to the imbalance of power in an employment relationship. This may indicate that a general consent in an employment contract that allows the data to be processed may not be valid.

Further, the requirement that consent be freely given means that valid consent will generally be difficult to obtain in the employment context due to the imbalance of power.

If an employee objects to processing based on a legitimate basis, an employer cannot process the data unless it shows that its legitimate interests are compelling enough to override the interests or rights of the employee. The right to object could cause significant delay and disruption in the context of disciplinary or grievance procedures, redundancies, terminations of employment or even the business’s commercial activities.

Accountability needs to be built into the core of every business. Each department must be mindful of how it interacts with not only the outside world, but interdepartmentally. It is a culture change for all. 

CIPP is digging into these issues as fast as is possible. The Institute has convened a panel of industry representatives from the very top of our sector, in the hope that as we move closer to the 25 May deadline, we may have sourced many of the answers for our industry.

Complying properly with the current law is a first step towards preparing for the new regime. The closer you are to ‘good practice’ as opposed to having a risk-based approach to minimum compliance, the closer you will be to compliance with the GDPR. Compliance with the old obligations, as well as with the new, will inevitably involve you ‘smartening up your act’ in relation to processes and policies.

The key to avoiding problems is to prepare well. You must be able to demonstrate your seriousness about this new world.