{"id":4358,"date":"2018-05-30T11:15:24","date_gmt":"2018-05-30T10:15:24","guid":{"rendered":"https:\/\/www.sage.com\/en-gb\/blog\/?p=4358"},"modified":"2025-12-09T16:44:35","modified_gmt":"2025-12-09T16:44:35","slug":"payroll-processes-gdpr","status":"publish","type":"post","link":"https:\/\/www.sage.com\/en-gb\/blog\/payroll-processes-gdpr\/","title":{"rendered":"How to manage payroll processes to be GDPR compliant"},"content":{"rendered":"<header class=\"entry-header has-dark-background-color entry-header--has-illustration entry-header--has-illustration--generic\">\n\t<div class=\"container\">\n\t\t<div class=\"entry-header__row row align-center\">\n\t\t\t<div class=\"col col-lg-7 col-xlg-6 entry-header__content\">\n\t\t\t\t\t\t\t<div class=\"component component-single-header\">\n\t\t\t\t\t\t\t\t\t\t<div class=\"entry-header__misc text--subtitle text--uppercase text--small\">\n\t\t\t\t\t\t\t<a href=\"https:\/\/www.sage.com\/en-gb\/blog\/category\/strategy-legal-operations\/\" class=\"entry-header__link\">Strategy, Legal &amp; Operations<\/a>\t\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t<div class=\"entry-title-wrapper\">\n\t\t\t\t\t<h1 class=\"entry-title\">\n\t\t\t\t\t\tHow to manage payroll processes to be GDPR compliant\t\t\t\t\t<\/h1>\n\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t<p class=\"entry-header__description\">\n\t\t\t\t\t\t\t\t\t\t\t<\/p>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/div>\n\t<div class=\"single-post-details container\">\n\t\t<div class=\"col\">\n\t\t\t<span class=\"posted-on \"><time class=\"entry-date published\" datetime=\"2018-05-30T11:15:24+01:00\">30 May, 2018<\/time><\/span><span class=\"reading-time\"> min read<\/span>\n\t\t<button\n\t\t\ttype=\"button\"\n\t\t\tclass=\"social-share-button button button--icon button--secondary js-social-share-button\"\n\t\t\tdata-share-title=\"How to manage payroll processes to be GDPR 
compliant\"\n\t\t\tdata-share-url=\"https:\/\/www.sage.com\/en-gb\/blog\/payroll-processes-gdpr\/\"\n\t\t\tdata-share-text=\"Please read this interesting article\"\n\t\t>\n\t\t\t<span class=\"social-share-button__share-label\">Share<\/span>\n\t\t\t<span class=\"social-share-button__copy-label\" hidden>Copy Link<\/span>\n\t\t\t<span class=\"social-share-button__copy-tooltip\" aria-hidden=\"true\" hidden>Copied<\/span>\n\t\t<\/button>\n\n\t\t\t\t<\/div>\n\t<\/div>\n<\/header>\n\n\n\n<div class=\"wp-block-post-author has-dark-background-color alignfull\">\n\t<div class=\"container\">\n\t\t<div class=\"col\">\n\t\t\t\t\t\t\t<div class=\"co-authors\">\n\t\t\t\t\t\n\t\t<div class=\"entry-author-wrapper\">\n\t\t\t<a class=\"entry-author\" href=\"https:\/\/www.sage.com\/en-gb\/blog\/author\/ashleyhindsmansage\/\">\n\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"40\" height=\"40\" src=\"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2025\/02\/Ashley-Thompson-350x350.jpg\" class=\"entry-author__image\" alt=\"Ashley Thompson\" srcset=\"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2025\/02\/Ashley-Thompson-350x350.jpg 350w, https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2025\/02\/Ashley-Thompson.jpg 600w\" sizes=\"auto, (max-width: 40px) 100vw, 40px\" \/>\t\t\t\t<span class=\"entry-author__name\">Ashley Thompson<\/span>\n\t\t\t<\/a>\n\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\n\n\n<p>The General Data Protection Regulation (GDPR) has dominated small business news headlines and now the legislation has come into force. This means your payroll processes need to be in line with it.<\/p>\n\n\n\n<p>As the name implies, this legislation aims to further safeguard all personal data (information relating to individuals) in general as it\u2019s exchanged for various purposes. 
How does the <a href=\"https:\/\/www.sage.com\/en-gb\/blog\/gdpr-and-payroll\/\">GDPR impact payroll functions<\/a>? How will you need to manage your payroll processes to ensure compliance? Where can you go for support? How will you solve your payroll issues?<\/p>\n\n\n\n<p>Here are three ways <a href=\"https:\/\/www.sage.com\/en-gb\/blog\/gdpr-guide-small-businesses\/\">the GDPR<\/a>&nbsp;impacts your firm\u2019s payroll function and three ways to manage your payroll processes, bearing these caveats in mind:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This is not an exclusive list, nor is it a substitute for receiving legally qualified advice or examining your own procedures and methods in depth (see the Sage Legal Disclaimer at the end of this piece).<\/li>\n\n\n\n<li>At the time of writing, the exact impact of the GDPR isn\u2019t yet known. For example, we lack practical examples of what supervisory authorities, such as the UK&nbsp;<a href=\"https:\/\/ico.org.uk\/\">Information Commissioner\u2019s Office<\/a>, are likely to find acceptable or objectionable, and some of the wording of the <a href=\"https:\/\/www.sage.com\/en-gb\/gdpr\/\">GDPR legislation<\/a> is open to interpretation.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-immediate-impact-on-nbsp-payroll-processes\"><strong>Immediate impact on&nbsp;payroll processes<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-security-and-security-management\"><strong>1. Security and security management<\/strong><\/h3>\n\n\n\n<p>One of the obligations under the GDPR is to implement technical and organisational measures such as secure workstations, servers and storage space. 
You also need to implement specific security policies and confidentiality clauses to establish best practices and proper protocol.<\/p>\n\n\n\n<p>If you\u2019re using payroll management software, or plan to start soon, your service provider may be able to help you satisfy some of the security requirements inherently through your software.<\/p>\n\n\n\n<p>For example, if your <a href=\"https:\/\/www.sage.com\/en-gb\/payroll-software\/\">payroll software<\/a> is password protected for each employee, you can give them sole access to their personal data. Sensitive employee documents can be stored and shared in one place where accessibility rights to things such as payroll reports or disciplinary documents are controlled.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-report-and-respond-to-requests\"><strong>2. Report and respond to requests<\/strong><\/h3>\n\n\n\n<p>You\u2019ll also need to establish a procedure to document requests for information and to store the responses to those requests. New generation payroll management software is equipped with functionality that helps you maintain compliance while responding to different types of requests in a way that protects your employees\u2019 personal data rights.<\/p>\n\n\n\n<p>In order to deal with <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/individual-rights\/right-to-erasure\/\">right to erasure requests<\/a>, for example, newer software includes personal data deletion and correction features, import\/export functions, and selection functions to make it simple to isolate and eliminate data as needed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-demonstrate-accountability\"><strong>3. Demonstrate accountability<\/strong><\/h3>\n\n\n\n<p>Once you\u2019ve assessed and implemented the necessary changes to demonstrate accountability, you\u2019ll need to document those processes and implemented actions. 
This documentation needs to be highly detailed and easily accessible so anyone handling a payroll function can reference and follow it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-tips-to-manage-payroll-processes\"><strong>Tips to manage payroll processes<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-digital-payslips\"><strong>1. Digital payslips<\/strong><\/h3>\n\n\n\n<p>One recommended approach to the GDPR security requirements is to migrate from <a href=\"https:\/\/www.sage.com\/en-gb\/blog\/business-processes-gdpr\/\">printed payslips to an online digital alternative<\/a>. This will consolidate all of your employee data in one secure place where you can control access to sensitive documents.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-consolidate-timesheet-data\"><strong>2. Consolidate timesheet data<\/strong><\/h3>\n\n\n\n<p>If you use paper timesheets to track employee hours, you may find it easier to comply with data storage requirements through a software management system.<\/p>\n\n\n\n<p>This way employees can easily access, track and reference their time worked, and approved data controllers can easily filter through specific data points so the data remains up to date and relevant.<\/p>\n\n\n\n<p>Also, it&#8217;s best to get a jump on how you organise correspondence such as sick notes, emails and text messages requesting holiday leave.<\/p>\n\n\n\n<p>A <a href=\"https:\/\/www.sage.com\/en-gb\/payroll-software\/\">cloud-based payroll management system<\/a> will allow your employees to submit holiday time requests for their line managers, which can be approved remotely. Those requests are automatically reflected on employee payslips.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-assign-or-employ-a-data-protection-officer\"><strong>3. 
Assign or employ a Data Protection Officer<\/strong><\/h3>\n\n\n\n<p>Under the GDPR, companies and any third parties that process personal data on their behalf will need to appoint a <a href=\"https:\/\/www.sage.com\/en-gb\/blog\/gdpr-12-important-things\/\">Data Protection Officer<\/a> (DPO) if:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>They are a public body<\/li>\n\n\n\n<li>The core activities of the business or third parties involve monitoring of individuals on a large scale<\/li>\n\n\n\n<li>Or the core activities consist of processing on a large scale of special categories of personal data, including data relating to criminal convictions and offences.<\/li>\n<\/ul>\n\n\n\n<p>The DPO needs to have expert knowledge of data protection law, although they don\u2019t necessarily need to be an employee \u2013 instead, they could be employed on a service contract to fulfil the role. Details of the DPO will need to be communicated to the supervisory authority, such as the ICO in the UK.<\/p>\n\n\n\n<p>Even if you don\u2019t need to appoint a DPO by law, you should still make someone responsible for data protection matters who will be able to respond to enquiries from individuals.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"#gate-bd7e5bca-51df-4b7b-816e-26cf4d8ba1a6\">Download GDPR: A guide for small businesses<\/a><\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-sage-legal-disclaimer\"><strong>Sage Legal Disclaimer<\/strong><\/h2>\n\n\n\n<p>The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. 
We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.<\/p>\n\n\n\n<p>While we have made every effort to ensure that the information provided herein is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an \u201cas is\u201d basis without any warranties, express or implied.<\/p>\n\n\n\n<p>Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.<\/p>\n\n\n\n<p>What are your biggest challenges with GDPR and your payroll processes? Let us know in the comments below.<\/p>\n\n\n\n<div class=\"single-cta\">\n\t<div class=\"single-cta__positioner\">\n\t\t<div class=\"single-cta__wrapper has-dark-background-color\">\n\t\t\t<div class=\"single-cta__content\">\n\t\t\t\t\t\t\t\t<h2 class=\"single-cta__title h3\">GDPR<\/h2>\n\n\t\t\t\t\t\t\t\t\t<div class=\"single-cta__description\">\n\t\t\t\t\t\t<p><!-- wp:paragraph --><\/p>\n<p>Need help with meeting your GDPR obligations and making sure your businesses processes are working in the correct way? 
Here&#8217;s what you need to know.<\/p>\n<p><!-- \/wp:paragraph --><\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<a\n\t\t\t\t\t\thref=\"https:\/\/www.sage.com\/en-gb\/gdpr\/\"\n\t\t\t\t\t\tclass=\"single-cta__button button button--primary\"\n\t\t\t\t\t\t\t\t\t\t\t\t\tid=\"cta-id-3269\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tdata-button-location=\"cta_box\"\n\t\t\t\t\t\t\t\t\t\t\t>Find out more<\/a>\n\t\t\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<img decoding=\"async\" width=\"1440\" height=\"810\" src=\"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2023\/09\/GettyImages-1478421401.jpg\" class=\"single-cta__image\" alt=\"Working on business priorities\" loading=\"lazy\" srcset=\"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2023\/09\/GettyImages-1478421401.jpg 1440w\" sizes=\"auto, (min-width: 48em) 33vw, 100vw\" \/>\t\t\t<\/div>\n<\/div>\n\n\n<div class=\"single-cta\">\n\t<div class=\"single-cta__positioner\">\n\t\t<div class=\"single-cta__wrapper has-dark-background-color\">\n\t\t\t<div class=\"single-cta__content\">\n\t\t\t\t\t\t\t\t<h2 class=\"single-cta__title h3\">Subscribe to the Sage Advice newsletter<\/h2>\n\n\t\t\t\t\t\t\t\t\t<div class=\"single-cta__description\">\n\t\t\t\t\t\t<p>Join more than 500,000 UK readers and get the best business admin strategies and tactics, as well as actionable advice to help your company thrive, in your inbox every month.<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<a\n\t\t\t\t\t\thref=\"#gate-b1a63862-3fa0-4a5e-bb67-c76b88bbc6b8\"\n\t\t\t\t\t\tclass=\"single-cta__button button button--primary\"\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t>Subscribe now<\/a>\n\t\t\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<img decoding=\"async\" width=\"1440\" height=\"810\" src=\"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2022\/04\/GettyImages-1073797282-1-1440x810.jpg\" class=\"single-cta__image\" alt=\"\" loading=\"lazy\" 
srcset=\"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2022\/04\/GettyImages-1073797282-1-1440x810.jpg 1440w\" sizes=\"auto, (min-width: 48em) 33vw, 100vw\" \/>\t\t\t<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The General Data Protection Regulation (GDPR) has dominated small business news headlines and now the legislation has come into force. This means your payroll processes need to be line with it. As the name implies, this legislation aims to further safeguard all personal data (information relating to individuals) in general as it\u2019s exchanged for various [&hellip;]<\/p>\n","protected":false},"author":281,"featured_media":4354,"menu_order":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_sage_video":false,"post_featured_image_hide":false,"footnotes":""},"categories":[9],"tags":[117,41,37],"business_type":[4,3],"lilypad":[],"context":[],"industry":[],"persona":[71,73,74],"imagine_tag":[138,91,92,103,109],"coauthors":[354],"class_list":["post-4358","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-strategy-legal-operations","tag-gdpr","tag-hr-process","tag-payroll","business_type-small-business","business_type-medium-sized-business"],"sage_meta":{"region":"en-gb","author_name":"Ashley Thompson","featured_image":"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2018\/05\/DSC0267_All-Uses.jpg","imagine_tags":{"138":"GDPR","91":"Growing business","92":"HR and Payroll","103":"Payroll software","109":"Small business"}},"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Sage Advice 
UK","distributor_original_site_url":"https:\/\/www.sage.com\/en-gb\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/posts\/4358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/users\/281"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/comments?post=4358"}],"version-history":[{"count":0,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/posts\/4358\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/media\/4354"}],"wp:attachment":[{"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/media?parent=4358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/categories?post=4358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/tags?post=4358"},{"taxonomy":"business_type","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/business_type?post=4358"},{"taxonomy":"lilypad","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/lilypad?post=4358"},{"taxonomy":"context","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/context?post=4358"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/industry?post=4358"},{"taxonomy":"persona","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/persona?post=4358"},{"taxonomy":"imagine_tag","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/imagine_tag?post=4358"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/coautho
rs?post=4358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}