Four GDPR risk areas for payroll and HR

With the GDPR coming into force in a couple of months, John Spooner of Moorepay talks about the top GDPR risk areas for the HR and payroll industry.

With the new General Data Protection Regulation (GDPR) coming into force on 25 May 2018, many employers may be worried that they do not fully understand all the new rules surrounding the personal data they hold and process about individuals.

The new legislation will have a huge impact on employers, particularly on their Payroll (and HR) departments. If the new rules aren’t followed, businesses could face eye-watering fines.

To make it easier, we’ve highlighted some of the potential risk areas your business might run into after this legislation comes into force.

1. Personal data

Under GDPR, you must review all personal data you hold about individuals and confirm that it is required and used by your business. Any data you need to keep for legislative reasons must comply with the legal retention periods that apply to that area, such as PAYE, National Minimum Wage (NMW), maternity, and health and safety records.

For all other types of data you will need to consider the purpose for which you hold that information and for how long; it should not be kept longer than is necessary or legally required.

Having made the review, the outcome becomes your data retention policy, which must be in line with the GDPR; any data that does not need to be retained should be securely deleted.

2. Data security

Moving your payroll/HR data to an outside party, such as a payroll provider or an accountant, carries its own security risks. In some cases, data is sent via email in a spreadsheet. Historically, these spreadsheets have not always been encrypted or password protected by every company.

Now, GDPR will enforce data security in cases such as this, so you’ll need to ensure all of your data is always sent securely. Remember that putting personal and sensitive personal data in an email, or in an attachment, without suitable encryption is like putting it on a postcard.

With the new rules, it’s more important than ever to ensure that payroll/HR data is transferred using a secure system, such as SFTP (Secure File Transfer Protocol). Moorepay uses Moorepayhr, a secure and externally security-tested web application, together with SFTP to transmit data.


3. Data access

The GDPR gives individuals more rights:

  • The right to view the information you hold about them
  • The right to check that this data is correct
  • The right to check that it is being used lawfully
  • The right to rectification of this data
  • The right to restriction of the processing of this data
  • The right to erasure – ‘to be forgotten’

And more.

There is also the question of access by the Data Controller and the Data Processor, so managers’ and administrators’ access to the records and systems needs to be reviewed to make sure the permissions they hold are appropriate for their respective roles.

4. Software security

All your payroll data needs to be secure, and so does the software it’s held in.

Under GDPR, the responsibility for checking and correcting any potential weaknesses in the software’s security lies with both the company and the software provider. That means conducting risk assessments over the whole payroll process, end to end.

Contact your payroll provider to check their security and compliance with GDPR.

Owen Gough, SmallBusiness UK

Owen was a reporter for Bonhill Group plc writing across the and titles before moving on to be a Digital Technology reporter for the
