You know the regulations. But how do you implement them?
Unless you’ve been living under a particularly remote rock, you can’t fail to have noticed that there’s a major change to data laws taking place on 25 May. That’s when the General Data Protection Regulation (GDPR) comes into force, and you are probably sick to the back teeth of hearing about it.
So this isn’t a post about the regulations; you can find those here.
There is, of course, a big leap from regulation to implementation, so if you’re looking at the to-do list of GDPR requirements and wondering what the solution actually looks like with regard to your payroll, here are some answers:
Payroll is, of course, already highly regulated, so if you already outsource your payroll to a reputable provider the changes should be minimal. If you manage payroll in house, you will probably have changes to make.
Wrong email, wrong place
The GDPR places a much greater burden of responsibility on organisations handling data to manage that data securely. The most obvious example of that is sending an email containing confidential information to the wrong recipient. So how do you stop that happening?
Few payroll processors will send confidential information by email. If you do, then we’d suggest choosing another, more secure way of doing it – there are a number of cloud services that are far more secure than traditional email.
If you are planning to send payroll information via email, you’ll need to encrypt your message and ensure the recipient can decrypt it.
What happens if your payroll (or any other data) is hacked? There’s no ‘wiggle room’ left in the regulation. If your organisation has its data accessed without permission you must notify the Information Commissioner’s Office within 72 hours. You’ll probably have to inform those affected too, although that does depend on the nature of the breach.
Your staff, therefore, need training now on how to spot a data breach, and what to do when they find one.
Are you ready for the right to be forgotten?
The so-called ‘right to be forgotten’ isn’t a blanket right, and it doesn’t supersede other contrary legal rights and obligations. It’s important, therefore, that your staff know what a request to be forgotten looks like (e.g. the person requesting doesn’t have to use the words ‘data erasure’ or ‘right to be forgotten’), and how to process it – or who to refer the request to – when it arrives.
Outsourcing your payroll? Your provider needs to amend the contract
Under the terms of the GDPR, any outsourced payroll provider is now considered to be a ‘data processor’ for the purposes of the regulation. That means they are bound by the same strict codes of practice for data processing, storage and security as you are.
The agreement between you and your payroll provider needs to make certain key statements including:
- The payroll provider’s staff and contractors who process your data are under a duty of confidence
- The provider must delete or return all personal data to employers once the contract ends
- They must only engage sub-contractors to work on your data with your prior written consent
We’re already going out to our clients with the appropriate clarifications. If you outsource your payroll, check that your provider is doing the same.
Want help in ensuring your payroll is GDPR ready? Talk to our experts now.