Payroll and GDPR compliance

Last updated on

Payroll General Data Protection Regulation (GDPR) policy is something that businesses can't afford to ignore. Since the new GDPR rules entered into force in 2018, there has been added pressure on companies to make sure that their processes meet the requirements of the new regulations.

In this article, we run through the basics of GDPR and explain how companies can ensure that their payroll processes are GDPR compliant. 

What is GDPR?

GDPR entered into force on the 25th of May 2018; however, despite the significant publicity it received, many major European companies failed to understand its importance.

GDPR affects how all European businesses look after their data. This includes how they process it, as well as how they store it. The new data protection regulation affects every citizen within the EU and applies to every company operating within the region.

Will companies need to be GDPR compliant after Brexit?

Brexit complicates matters further. The UK is now in a transition period up until the 31st of December, 2020, allowing its leaders to negotiate its future relationship with the European Union. 

During this transition period, GDPR, as well as the Data Protection Act 2018, will continue to apply.

The EU will then need to determine if the UK has a robust data protection policy in place and can benefit from an adequacy decision, as it will then be recognised as a "third country". 

As these regulations are already in place, and the fact that the UK needs to be recognised as an adequate country by the EU Commission for data transfers, it is unlikely that there will be any drastic change in the near future.

Payroll and GDPR

GDPR affects anything and everything that uses personal data, including payroll. GDPR has added responsibilities to people processing data, meaning that compliance is no longer solely in the hands of the controllers. 

A payroll bureau that wishes to remain GDPR compliant now has additional statutory obligations they must follow. 

Contractual relationship

GDPR means that there is an increased number of mandatory terms that must be included in contracts between a controller and a processor. 

Everything must be laid out in detail, and a clear description of the data involved and the processing applied to it must be mentioned in this contract.

International relations

We've already alluded to how Brexit may affect this. Under GDPR, companies are unable to transfer data internationally. For instance, the country in which the data is sent must benefit from an adequacy decision by the EU Commission.

Payroll software providers

Businesses are required to make sure that the payroll software they use is GDPR compliant. When GDPR came into force, many of the contracts for different software providers needed to be updated to ensure that they were compliant with the new regulation. 

PayFit has stringent internal processes in place, including having a product built in accordance with the GDPR principle of privacy by default and design.

✅ Top three actions for ensuring good data protection

❶ Companies must make sure employees know what data they hold 

Under GDPR, the data companies hold for an employee should be completely transparent. Companies must inform their employees about data processing - e.g. recipients and storage. In some cases, employers may even have to respond to requests for an employee's data to be changed or even deleted within one month.

❷ Minimise the data – get rid of anything that's not needed

As companies can no longer collect information unless it has a defined purpose, any data that doesn't have a specific use should not be collected. Such information should be deleted, anonymised or archived in a separate and secure database once its purpose has been achieved.

❸ How the employee receives their payslip

Companies can continue to send out payslips to employees by post or by email – so long as appropriate security measures are put in place. To ensure general safety and security, it is recommended that this process be moved to a password-protected and two-factor authentication online system.

Due to GDPR, many payroll providers are looking to adopt this service. A self-service option will allow employees to easily view all of their data in one place, and provide visibility of other information, such as untaken annual leave. 

How can PayFit help?

Through the increased security measures in place, as well as password-protected systems that are easy for employees to access, employers can ensure GDPR compliance by using PayFit as their payroll software provider.

We are fully committed to securing data and ensuring that all best practices are put in place. We are also ISO 27001 certified and undergo external audits on an annual basis to ensure that we still meet the high standards we set ourselves.

Keen to find out more about PayFit? Book a demo with us today!

PayFit blog author

PayFit blog author


You may also like...

Accountant-run payroll – why payroll outsourcing needs to change

Although some accounting firms may have a payroll department, it is not always an area where accountants hold a great deal of expertise. 

Pauline’s Payroll Problems – End of Tax Year 

In this latest episode of Pauline's Payroll Problems, we look at end of tax year pain points and explain why moving to PayFit has helped Pauline manage this difficult period in the year. 

The Budget: six important announcements

With the help of PayFit's payroll expert, Nichola, we've highlighted six of the most important announcements from the Budget.

Stay up to date with the latest payroll, HR & PayFit news...