GDPR manual payslips versus e-payslips

22 May 2018

A recent discussion on the CIPP’s LinkedIn group provides some useful comments from its members, who were asked about the pros, cons and risks of moving from manual payslips to portal-based e-payslips (edited for readability).

  • Portal-based e-payslips would be significantly safer than posted manual payslips, unless the portal is hacked, which is a question for your portal/software/IT provider. If your software provider is a cloud-based solution, are they a reputable company? What are their security measures? How can they guarantee the safety of your data? If you are hosting your own data, does your IT team guarantee your systems are up to date and regularly updated to protect against attacks? Perhaps you seek ISO 27001 certification. Weigh up the options: where is data more likely to be intercepted, post or electronically? Mitigate the risk. You can rarely eliminate it, but you can reduce it.

  • We have e-payslips via a portal, which is probably the best way as the employee is the only one who knows the password to access their information. However, some businesses do not want to have a portal, so in this situation they are emailed, but the document itself is a PDF document which is password protected.

  • It would be important to check the security credentials of the e-payslip provider. Ideally, they should have an accreditation like ISO 27001 and give you assurances about data encryption. Check the employee verification and sign-up process, especially considering the new employee's right to be forgotten. Some kind of anonymisation of data, particularly for leavers, would be an advantage.

  • Portal-based is potentially one of the lowest risk means of payslip distribution. Secure login provides a means for employees to obtain and answer a security question if appropriate. And it is the individual taking action to collect the information. The reality is that many employees actually don't look at the payslip unless there is significant change. The bank credit amount is often seen as the more critical data trigger.

With regard to sending emails, unfortunately, individuals change email addresses all the time. If an audit of external emails was undertaken, then a proportion would be stale or could be misdirected. So there is a risk which can be mitigated to an extent with a password, as long as the password is not on a post-it note on the screen because the formatting is so convoluted that no one would remember it.

  • Whichever route you use, you will need to document your processes to ensure compliance with the accountability principle of GDPR. There is a myth out there that employees barely open payslips, but we find that our payslips have a very high open rate - over 50% of payslips opened each month, so getting the portal right is really important.


With over 7,000 members, the CIPP LinkedIn group has a wealth of experience and knowledge to tap into. You don’t even need to contribute if you join, just scan or sign up to receive alerts, and find out what the latest hot topics are, the legislation changes that may slip under the radar, and of course you can ask members for their advice or opinions.


CIPP comment

You can help your organisation become fully compliant with GDPR - the CIPP run a half-day training course which will help you understand and prepare for the changes, including how they affect payroll and HR functions.