The General Data Protection Regulation (GDPR) has dominated small business news headlines as the date for implementation draws closer.
As the name implies, this legislation aims to further safeguard all personal data (information relating to individuals) in general as it’s exchanged for various purposes. How does the GDPR impact payroll functions? How will you need to update your payroll processes to ensure compliance? Where can you go for support? How will you solve your payroll issues?
Here are three ways the GDPR will impact your firm’s payroll function and three ways to start prepping today, bearing these caveats in mind:
- This is not an exclusive list, nor is it a substitute for receiving legally qualified advice or examining your own procedures and methods in depth (see the Sage Legal Disclaimer at the end of this piece).
- At the time of writing, the exact impact of the GDPR isn’t yet known. For example, we lack practical examples of what supervisory authorities, such as the UK Information Commissioner’s Office, are likely to find acceptable or objectionable, and some of the wording of the GDPR legislation is open to interpretation.
Immediate impact on payroll processes
1. Security and security management
One of the obligations under the GDPR is to implement technical and organisational measures such as secure workstations, servers and storage space. You also need to implement specific security policies and confidentiality clauses to establish best practices and proper protocol.
If you’re using payroll management software, or plan to start soon, your service provider may be able to help you satisfy some of the security requirements inherently through your software.
For example, if your payroll software is password protected for each employee, you can give them sole access to their personal data. Sensitive employee documents can be stored and shared in one place where accessibility rights to things such as payroll reports or disciplinary documents are controlled.
2. Report and respond to requests
You’ll also need to establish a procedure to document requests for information and to store the responses to those requests. New generation payroll management software is equipped with functionality that helps you maintain compliance while responding to different types of requests in a way that protects your employees’ personal data rights.
In order to deal with right to erasure requests, for example, newer software includes personal data deletion and correction features, import/export functions, and selection functions to make it simple to isolate and eliminate data as needed.
3. Demonstrate accountability
Once you’ve assessed and implemented the necessary changes to demonstrate accountability, you’ll need to document those processes and implemented actions. This documentation needs to be highly detailed and easily accessible so that anyone handling a payroll function can reference and execute it.
Tips to get started
1. Digital payslips
One recommended approach to the new GDPR security requirements is to migrate from printed payslips to an online digital alternative. This will consolidate all of your employee data in one secure place where you can control access to sensitive documents.
2. Consolidate timesheet data
If you use paper timesheets to track employee hours, you may find it easier to comply with data storage requirements through a software management system.
This way employees can easily access, track and reference their time worked, and approved data controllers can easily filter through specific data points so the data remains up to date and relevant.
Also, it’s best to get a jump on how you organise correspondence such as sick notes, emails and text messages requesting holiday leave.
A cloud-based payroll management system will allow your employees to submit holiday time requests to their line managers, who can approve them remotely. Those requests are automatically updated to reflect on employee payslips.
3. Assign or employ a Data Protection Officer
Under the GDPR, companies and any third parties that process personal data on their behalf will need to appoint a Data Protection Officer (DPO) if:
- They are a public body
- The core activities of the business or third parties involve monitoring of individuals on a large scale
- The core activities consist of large-scale processing of special categories of personal data, including data relating to criminal convictions and offences.
The DPO needs to have expert knowledge of data protection law, although this doesn’t necessarily need to be an employee – instead, they could be engaged on a service contract to fulfil the role. Details of the DPO will need to be communicated to the supervisory authority, such as the ICO in the UK.
Even if you don’t need to appoint a DPO by law, you should still make someone responsible for data protection matters who will be able to respond to enquiries from individuals.
Sage Legal Disclaimer
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.
While we have made every effort to ensure that the information provided herein is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.
The General Data Protection Regulation will be effective as of 25 May 2018, and businesses that breach it might be fined up to 4% of annual global turnover or €20m, whichever is the greater.