Six tips for protecting payroll data

Payroll is one of the most important tasks for any business. While it is very important to ensure employees are paid accurately and on time, it’s also vital that employees’ personal data is managed securely. Some of the information used to pay employees is very personal and highly sensitive. If a company does not have effective procedures to protect this information, it can put them in breach of General Data Protection Regulations (GDPR) leading to large penalties and reputational damage.

How to better manage your payroll data

1. Have a central source for all employee data

• It is important to have one place to hold current and accurate employee records, for example through an HR system.
• A centralised system can feed employee data to other parts of your business (such as payroll), ensuring accurate and consistent data flows.
• A central data source can also reduce the number of staff members involved and prevent duplication of work.
• A central employee data source reduces the risk of inaccurate information being held about your employees.

2. Limit the number of people that can access employee data

• Limit the access to employee data to those who need to know and use it. Keeping sensitive data available to a select few individuals reduces the risk of a GDPR breach.
• Ask your IT department to tailor access to the data so that individuals can access only the information they need for their role.
• Avoid holding employee information on large shared databases, as this increases the risk of a GDPR breach.
• Ensure usernames and passwords are required to access employee information. Apply strict password requirements – passwords should have to be changed on a regular basis, and require complex passwords that include numbers, special characters and a mix of upper and lower case characters.

3. Train your people

• Employers should ensure that everyone who handles employee data receives regular training on GDPR and privacy regulations.
• Anyone running your payroll, particularly anyone in-house, should have a good knowledge of the payroll data and be able to spot any anomalies.
• Ensure your payroll staff know that they should never disclose employee information over the phone to a third party, even if the party claims to be from a governing body or police. Such requests should be made in writing to your payroll or HR department.

4. Monitor duties carried out by individuals

• The risk of inaccuracies can be reduced by having a clear segregation of duties within the payroll processes. For example, review your processes to ensure the person who inputs data is
• not the same person who checks and reviews it.
• It is best practice to have a sign-off procedure in place, eg a checklist that can be used as an audit trail of who processed the payroll data and who checked it.

5. Use secure communication

• Make sure your data is shared safely if you outsource to a payroll provider.
• Using an encrypted secure communication portal strengthens your data security, as only those with access can log in and review employee data.
• Avoid sending payroll data via email. If you must use email, send the data in a password protected attachment, not in the body of the email.

6. Review data handling processes

• Regular reviews of your processes will mitigate the chance of data breaches or inaccuracies.
• Internal audits are a good way to ensure people who handle employee data are following procedures and requirements of the GDPR and UK Data Protection Act 2018.
• Employers can also run external audits or attain certification to prove they meet requirements. ISO 27001 will improve processes and show employees and potential clients that data is dealt with correctly.

Outsourcing your payroll can ensure data is processed and handled correctly and securely, but you should check that your provider meets the required standards.

These are just a few ways to improve the accuracy and protection of sensitive payroll information. Employers can ensure they are proactively safeguarding their employee’s data by keeping up to date on GDPR and UK Data Protection regulations, and by ensuring regular checks are carried out both internally and with third parties.

For more information on protecting your employee data or any concerns you have about your process, please contact Richard Arthur.