How to manage payroll processes to be GDPR compliant

The General Data Protection Regulation (GDPR) has dominated small business news headlines and now the legislation has come into force. This means your payroll processes need to be in line with it.

As the name implies, this legislation aims to further safeguard all personal data (information relating to individuals) in general as it’s exchanged for various purposes. How does the GDPR impact payroll functions? How will you need to manage your payroll processes to ensure compliance? Where can you go for support? How will you solve your payroll issues?

Here are three ways the GDPR impacts your firm’s payroll function and three ways to manage your payroll processes, bearing these caveats in mind:

  • This is not an exclusive list, nor is it a substitute for receiving legally qualified advice or examining your own procedures and methods in depth (see the Sage Legal Disclaimer at the end of this piece).
  • At the time of writing, the exact impact of the GDPR isn’t yet known. For example, we lack practical examples of what supervisory authorities, such as the UK Information Commissioner’s Office, are likely to find acceptable or objectionable, and some of the wording of the GDPR legislation is open to interpretation.

Make sure your payroll processes are in line with what the GDPR requires

Immediate impact on payroll processes

1. Security and security management

One of the obligations under the GDPR is to implement technical and organisational measures such as secure workstations, servers and storage space. You also need to implement specific security policies and confidentiality clauses to establish best practices and proper protocol.

If you’re using payroll management software, or plan to start soon, your service provider may be able to help you satisfy some of the security requirements inherently through your software.

For example, if your payroll software is password protected for each employee, you can give each of them sole access to their own personal data. Sensitive employee documents can be stored and shared in one place where access rights to items such as payroll reports or disciplinary documents are controlled.

2. Report and respond to requests

You’ll also need to establish a procedure to document requests for information and to store the responses to those requests. New generation payroll management software is equipped with functionality that helps you maintain compliance while responding to different types of requests in a way that protects your employees’ personal data rights.

In order to deal with right to erasure requests, for example, newer software includes personal data deletion and correction features, import/export functions, and selection functions to make it simple to isolate and eliminate data as needed.

3. Demonstrate accountability

Once you’ve assessed and implemented the necessary changes to demonstrate accountability, you’ll need to document those processes and the actions you have taken. This documentation needs to be highly detailed and easily accessible so that anyone handling a payroll function can reference it and follow it.

Tips to manage payroll processes

1. Digital payslips

One recommended approach to the GDPR security requirements is to migrate from printed payslips to an online digital alternative. This will consolidate all of your employee data in one secure place where you can control access to sensitive documents.

2. Consolidate timesheet data

If you use paper timesheets to track employee hours, you may find it easier to comply with data storage requirements through a software management system.

This way employees can easily access, track and reference their time worked, and approved data controllers can easily filter through specific data points so it remains up to date and relevant.

Also, it’s best to get a jump on how you organise correspondence such as sick notes, emails and text messages requesting holiday leave.

A cloud-based payroll management system will allow your employees to submit holiday requests to their line managers, who can approve them remotely. Approved requests are then automatically reflected on employee payslips.

3. Assign or employ a Data Protection Officer

Under the GDPR, companies and any third parties that process personal data on their behalf will need to appoint a Data Protection Officer (DPO) if:

  • They are a public body
  • Their core activities, or those of the third parties, involve monitoring of individuals on a large scale
  • Their core activities consist of large-scale processing of special categories of personal data, including data relating to criminal convictions and offences.

The DPO needs to have expert knowledge of data protection law, although this doesn’t necessarily need to be an employee – instead, they could be engaged on a service contract to fulfil the role. Details of the DPO will need to be communicated to the supervisory authority, such as the ICO in the UK.

Even if you don’t need to appoint a DPO by law, you should still make someone responsible for data protection matters who will be able to respond to enquiries from individuals.

Sage Legal Disclaimer

The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.

While we have made every effort to ensure that the information provided herein is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.

Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.
