With the new General Data Protection Regulation (GDPR) coming into force on 25 May 2018, many employers may be worried that they do not fully understand all the new rules surrounding the personal data they hold and is processed for an individual.
The new legislation will have a huge impact on employers, particularly on their Payroll (and HR) departments. If the new rules aren’t followed, businesses could face eye-watering fines.
To make it easier, we’ve highlighted some of the potential risk areas your business might run into after this legislation comes into force.
1. Personal data
Under GDPR, you must review any Personal data you hold about an individual that is required and used by your business. Any data you need to keep, such as for legislative reasons, needs to comply with the legal retention timeframes applicable to that area such as for PAYE, NMW, Maternity, Health & Safety etc.
For all other types of data you will need to consider the purpose you hold that information and for how long, as it should not be kept longer than is necessary or legally required to do so.
Having made the review this will become your data retention policy which must be in line with the GDPR, and any data that it is not necessary to be retained should be securely deleted.
2. Data security
Moving your payroll/HR data to an outside source, such as to a payroll provider or an Accountant, carries its own security risks. In some cases, data is sent via email in a spreadsheet. Historically, these have not always been encrypted or password protected by every company.
Now, GDPR will enforce data security such as this, so you’ll need to ensure all of your data sent is always sent securely. Remember that to put Personal & Personal Sensitive data as part of an email, or an attachment, without suitable encryption is like putting it on a post card.
With the new rules, it’s more important than ever to ensure that payroll/HR data is being transferred securely using a secure system, such as SFTP (Secure File Transfer Protocol). Moorepay uses Moorepayhr, a secure and externally security tested web application and Secure File Transfer Protocol (SFTP) to transmit data.
3. Data access
The GDPR gives individuals more rights:
- To view the information you hold for them
- Is this data correct
- Is it being used legally
- The right to rectification of this data
- The right to restriction of the processing of this data
- The right to erasure – ‘to be forgotten’
There is also the question of access made by the Data Controller and Data Processor in this, so Managers and Administrators access to the records and systems need to be reviewed to make sure they have suitable permissions to access for their respective roles.
4. Software security
Since all your payroll data needs to be secure, so does the software it’s held in.
Under GDPR, the responsibilities for checking and correcting any potential weaknesses in the software’s security lie with both the company and the software provider. That means conducting risk assessments over the whole payroll process, end-to-end.
Contact your payroll provider to check their security and compliance with GDPR.
John Spooner, Moorepay