The General Data Protection Regulation (GDPR) is one of the biggest shake-ups ever seen and will affect how personal data should be handled. When the new legislation comes into force on 25 May 2018 in the European Union, it will have a direct effect in all EU Member States. But what about GDPR and payroll?
As your payroll team processes large amounts of personal data, payroll will be one of the areas of your business most likely to need its existing processes revised significantly for the GDPR.
When it comes to GDPR and payroll, here are 10 things your payroll team needs to do now to prepare for the new legislation.
1. Consolidate your personnel and payroll data
If you currently have your personnel and/or payroll data in lots of different locations, perhaps across a number of different Excel spreadsheets, then you need to pull everything together into as few locations as possible. Ideally, holding this data in one place will help your payroll team to oversee it properly.
2. Adopt relevant rules and standards
By adopting relevant rules and standards such as ISO27001 – which is a specification for an information security management system – you can make the implementation of GDPR smoother for your business, while also meeting some of the legislation’s security requirements.
3. For GDPR and payroll, consider all sorts of data
It’s a challenging proposition when it comes to people management but to be GDPR compliant, you need to consider lots of different types of data. For example, how will you securely handle and store timesheets? And what about emails or text messages from employees who are asking for holiday leave?
There’s also the question of how you will securely store sick notes – and likely other data you need to consider. Determine what data you have and start to create new processes for how you will securely handle and store it.
4. Give payslips to your employees in a secure way
Do you leave printed payslips on the desks of your employees? When the GDPR comes into force, you will have to make sure they are given to employees in a secure way.
One solution that businesses are turning to is online payslips, which employees access securely: they must authenticate, for example by entering a password, before they can view them. If your business is still using printed payslips, it might be worth considering following the online lead.
5. Create a GDPR readiness plan
There’s not long to go until GDPR comes into force – but there’s still enough time to get prepared. The date that the new legislation begins isn’t going to change and your systems need to be compliant. To make that happen, create a GDPR readiness plan so you can determine where data is stored and what new processes are required to be compliant.
If for any reason you can’t be compliant by 25 May 2018, you need to make sure you have a documented plan so you can demonstrate that you have been working towards compliance. You will be at serious risk if that isn’t in place and you’re not working to turn the plan into a reality.
6. Get a GDPR audit done
To make sure your processes and systems are GDPR compliant, an audit by a suitably qualified individual is a highly recommended step. Remember, there’s the prospect of fines of up to 4% of annual global turnover or €20m, whichever is the greater, if your business is found not to be compliant – and doesn’t have a demonstrable plan in place that you’re working towards.
7. Employ or assign a data protection officer if necessary
According to the GDPR, you need to make sure that data protection is a key part of your firm’s process of designing and operating policies, processes, products and services.
Certain types of businesses will need to appoint a data protection officer (DPO) – who could be someone contracted from outside your firm or an existing employee. Those business examples include public authorities, firms that regularly monitor individuals on a large scale, and companies whose core activities involve the processing of special categories of personal data on a large scale.
The DPO will help you to monitor internal compliance, while also informing your business on its data protection obligations, and they will advise where and when necessary.
8. Remember what data you can and can’t collect
With GDPR in place, you won’t be able to collect and store lots of personal data if there isn’t a particular purpose for it and consent hasn’t been given. Make sure your payroll team is collecting and processing only necessary personal data that is required for each purpose.
9. Give employees full visibility of data you hold about them
Your employees need to know what personal data of theirs your payroll team and business holds. Meanwhile, you will have to respond to subject access requests (SARs) and requests for their personal data to be either rectified or erased.
You do have the right to refuse excessive or unfounded personal data requests; however, you will need to demonstrate in your compliance documentation why they are excessive or unfounded.
10. Create GDPR-compliant privacy notices for your employees
In line with the GDPR’s transparency requirement, you need to tell your employees, in clear language, what information they are entitled to. Remember, you can’t use your employees’ data for a different purpose without notifying them. And you might need to offer simple functionality that allows your employees to opt out of the different ways you use their data.
How is your business dealing with GDPR and payroll? Share your stories in the comments section below.