Handling payroll by its very nature requires processing a lot of personal data on employees. What actions do HR and payroll professionals need to take before the GDPR comes in at the end of this month? Anita Hawser from payments company Modulr explains.
As HR and payroll professionals, handling personal information (names, addresses, bank account details, salary information, pension benefits) is your trademark. It’s information you need to do your job.
The availability and accuracy of that information, as well as ensuring it doesn’t fall into the wrong hands, can have serious implications for your business.
A recent survey conducted by B2B payments provider Modulr and payroll publication Reward Strategy found that manual payments handling was the largest payroll overhead for 44% of companies. Nearly 40% of companies surveyed relied on Excel spreadsheets to receive, submit and process payroll data.
With the EU’s General Data Protection Regulation (GDPR) due to come into force on 25 May, payroll managers need to think carefully about how they store, manage and send payroll information to third parties. Under GDPR, data will need to be held securely and protected against unauthorised access.
What data will be covered?
GDPR replaces the 1998 Data Protection Act and is a requirement for anyone or any organisation operating in the EU, or outside of the EU if they provide goods or services to individuals in the EU.
Umbrella companies often produce bulk payment files in CSV or text format from their payroll system, which are emailed to someone who is authorised to make the payment.
The file typically contains sensitive personal information, which could potentially be intercepted by hackers. Even those that don’t distribute payroll files via email may leave them on their laptops or computers, which are prone to hacking.
Personal data is broadly interpreted under GDPR and includes information that could be used to identify someone directly or indirectly (name, address, credit card number); location-based data (web address, IP, cookie data); health; and ‘sensitive data’ (race, ethnicity, religious beliefs, trade union membership, genetic and biometric data).
Essentially, GDPR gives control back to the individual in terms of how their personal data is used. Gone are the days when consent just constituted a box-ticking opt-in exercise. GDPR talks about “genuine consent” and the need for consent to be “freely-given, specific, informed and revocable.”
“The GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent,” UK Information Commissioner Elizabeth Denham wrote in a recent blog post on the ICO’s website. “The [regulation] is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.”
What to do next
With GDPR looming, we’ve put together some key points you may need to consider – and some things you may not have even thought of – when it comes to handling personal information.
1. Why is the data needed? Under GDPR, companies need to demonstrate to the ICO a “lawful basis” for using personal data. Payroll companies could argue that they have a legal obligation to process personal data (make salary payments, provide real-time reporting to HMRC) or a “legitimate interest”.
2. Identification of a legitimate interest involves three key tests: Why is the data needed? Could it be done another way? Do the individual’s rights override the data controller’s legitimate interest?
3. Under GDPR, it is mandatory to report a data breach to the ICO within 72 hours of becoming aware of it.
4. Do you have to appoint a Data Protection Officer (DPO)? The GDPR does not explicitly state that you must appoint a DPO. But if you process ‘sensitive’ personal data on a large scale, then you may need to appoint one. By the way, ‘large scale’ does not necessarily mean hundreds of thousands of data subjects.
5. If you think GDPR will put an end to high-profile data breaches, then think again. It should, however, make organisations, like payroll companies, or anyone that handles personal information, focus more on avoiding them. It should also make it easier for people to find out more quickly when data breaches occur.
6. Size doesn’t matter: Whether you’re a one-person payroll bureau or a larger-scale operation, GDPR affects anyone or any organisation that processes personal data.
7. Hefty fines imposed for data breaches: Penalties for data breaches (fines of up to €20 million, or 4% of annual turnover, whichever is higher) are more far-ranging under GDPR than under the Data Protection Act it supersedes.
8. Data privacy should be incorporated by design. Make sure you are not capturing more data than you need to process payroll.
9. Personal data must be kept up to date. Inaccurate or outdated payroll data should be deleted or amended.
10. What about Brexit? GDPR imposes restrictions on the transfer of personal data outside the EU, to so-called “third countries” or international organisations. As of midnight on 13 March 2019, Brexit will take place.
The UK and EU27 recently agreed that there should be an implementation period until the end of 2020 as part of the UK’s Withdrawal Agreement with the EU. At the end of this implementation period, the UK will be classed as a ‘third country’ for the purposes of GDPR, which could have implications for companies within the EU that process payroll for UK-based companies.