GDPR (the General Data Protection Regulation) came into force on 25 May 2018, carrying with it a penalty of up to €20m or 4 per cent of global annual turnover for failure to comply - how does this impact your payroll process?
The first thing to look at is how you are storing your personnel data. You need to make sure that your systems are secure and that you are only holding data that is required. It is good practice to review the data that your company holds and ensure that it is relevant to the purpose you need it for, and that you have consent to hold and process it.
Article 32 of the GDPR states 'the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk'. Although Article 32 does not say so explicitly, it is no longer permissible to desk-drop, post or email payslips without protection - how you provide this data is important. Many data breaches have come from insecurely emailed data, which may have been accidentally sent to the wrong contact or intercepted.
If you do have to send personal information by email, then you must encrypt it with a strong password. You should also consider how you distribute that password: writing it in the same email, or sending it in a separate email to the same recipient, is not sufficient, because anyone who can read one message can read both. A safer alternative is an online portal, which is an increasingly common method of data sharing.
All individuals also now have the 'right to be forgotten', but payroll data has to be held for the statutory retention period. You may find that you need to 'minimise' the data that you hold about an individual while retaining the data that you are obliged to hold for statutory reasons. For example, if an employee has left, you would not need to retain their bank account details. All data subject access requests must be responded to within a month of the request being received, so it is important to have a process in place for handling them. Have a look at our article on an employee's rights to access their personal data for further information.
You will need to have a process in place to handle any data breaches that may occur. If a data breach has occurred, then you must act promptly, as a notifiable breach has to be reported to the Information Commissioner's Office (ICO) within 72 hours of you becoming aware of it. The ICO website contains more information on what constitutes a breach and what action you must take.
Reporting of data breaches is another area that you need a documented process for. Failure to notify may result in a fine of up to €10m or 2 per cent of global annual turnover.