GDPR and payroll go hand in hand: payroll involves large quantities of sensitive employee data that must be handled with the utmost care to meet stringent compliance requirements. Failure to comply with the law could lead to businesses receiving a hefty fine of up to 4% of their annual global turnover, not to mention severe reputational damage and complete loss of trust from both customers and employees.
Since the regulation came into effect in 2018, regulators have become increasingly skilled at identifying breaches of personal data with each passing year. In 2020, for example, H&M was fined around £29.7 million after breaching GDPR laws by recording and exposing sensitive employee information without a specific purpose.
In fact, according to Finbold, the cumulative number of GDPR violations across Europe increased by 113.5% between July 2020 and July 2021. As a consequence, the number of fines imposed on companies also surged by 124.92%.
To avoid heavy fines and irreversible damage to reputation, businesses must be aware of the ways in which payroll data is vulnerable and how to avoid non-compliance. Keep reading to find out exactly how GDPR affects payroll and 5 key things you need to know to ensure your company meets compliance.
How does GDPR affect payroll?
Broadly speaking, the General Data Protection Regulation (GDPR) is a strict privacy and security law that seeks to protect individuals’ personal data. This includes how businesses that collect personal data store and handle sensitive information.
In terms of GDPR and payroll, the laws seek to protect employees’ personal data from falling into the wrong hands, where any data breach could cause significant harm to an individual.
Personal data within payroll can include:
- Date of birth, address and national insurance number
- Genetic data
- Health data
- Bank account
- Payroll deduction information
- Trade union membership
This list is not exhaustive, however, because personal data is defined as ‘any information which is related to an identified or identifiable natural person’. Businesses therefore have to take action to protect any data that could fall under this broad definition.
Vulnerable payroll data
There are several pieces of data which are targeted by hackers, such as the personal information listed above (name, address, NI number, race, etc.). This data is particularly vulnerable to attack, especially when it is not protected by password protection, file encryption and other security measures.
How the payroll data is stored, processed and delivered is also crucial. Spreadsheets are especially susceptible to data breaches, as are emails containing sensitive information and the ad hoc sharing of data between employees.
In 2018, a survey of over 90 payroll professionals found that nearly 40% of companies rely on Excel spreadsheets to handle their payroll, suggesting that many companies should be doing more to protect employees’ data.
5 ways to comply with payroll GDPR
If you are completing payroll in-house, you are both a data controller and a data processor. If you outsource your payroll, you remain the data controller and the outsourced company becomes the data processor.
Either way, you will need to ensure both the processor and the controller are meeting security measures and adhering to GDPR. Below we’ve listed 5 key recommendations you should enforce to meet payroll compliance.
1. Use password-protected online payslips
By law, there are several pieces of personal data which must be included on a payslip, including an individual’s name, amount of pay, student loan repayments and pension scheme.
In order to protect this information from reaching unauthorised persons, businesses should ensure payslips are password-protected. Crucially, each password should be unique to the individual and, if possible, chosen by the individual themselves.
Payroll software designed with compliance in mind should already have this built into the system. For example, Mitrefinch’s payroll software, Flexipay, delivers password-protected payslips to employees, adding a necessary extra level of protection when delivering personal data on a regular basis.
2. Only collect necessary personal data
As a business, you should only be collecting the necessary personal data needed for your employees. Keeping additional sensitive data puts both the employer and employee at risk, and can lead to a violation of GDPR.
It’s crucial that businesses are completely transparent with the data they hold, so make sure to let your employees know what information you are collecting and why it’s needed. Employees also have the right to request deletion of any information that is not legally required or kept for longer than necessary.
3. Keep a record of processing activities (ROPA)
To meet GDPR compliance, you must keep a record of processing activities, or ROPA. This can be defined as the written record of procedures detailing how personal data is processed. This documentation of activity must include information about the purpose of data processing and who will be receiving the data.
While the GDPR states that companies with fewer than 250 employees do not need to keep a record if no risk is posed, we recommend that a record is always kept to avoid the possibility of a GDPR violation.
Finally, if requested, the ROPA must be made available to the authorities – if not, or a record has never been kept, the company will be susceptible to a large fine.
4. Store data safely
One of the most important aspects of data handling is how a business stores its sensitive data. If it isn’t held securely, the entire company’s data is at risk.
Organisations usually have two options when it comes to data storage, namely on-site storage and cloud-based storage. We look at the main features of both below.
On-site storage
Data is held in locally saved files on a local server, meaning information can only be accessed from one location. The benefit of on-site storage is that your business has total control over the data and can access the information easily.
Generally, however, on-site storage requires robust GDPR knowledge from employees, and data can easily be lost, corrupted or destroyed if the local server is damaged.
Cloud-based storage
Data is held in the cloud, meaning it is handled by a cloud storage provider and can be accessed from any location. In that sense, the risk of data corruption and loss is much lower, as the data is not held in a single location or on a local server susceptible to corruption.
As the data is held by an external cloud storage provider, businesses must thoroughly check that the relevant security measures are in place and make sure the provider performs regular back-ups.
Both options have their benefits and often companies will use a combination of the two to ensure both security and ease of access.
5. Integrate GDPR compliant payroll software
Considered to be one of the strictest privacy laws in the world, GDPR can be complex and demanding for businesses. As we have seen from the increasing number of violations each year, it is easier than you think to breach GDPR law, and many companies have been subject to large fines.
This has led to many organisations reaching out to payroll software providers, such as Mitrefinch. Used by over 3,500 UK businesses, our software is designed with strict GDPR considerations in mind, making it easier for employers to securely handle sensitive employee data – without worry of breaching GDPR law.