
Blog: Collecting, processing and protecting payroll data

Companies all around the world collect highly sensitive information about their workforce in order to process payroll on time, accurately, and legally.

Whether you deal with data in-house or outsource it to a third party, you have an obligation to make sure it is collected for the right reasons, and that it is stored in the right way.

Legally, the collection and storage of personal information is regulated by the General Data Protection Regulation, or GDPR.


What is GDPR?

Replacing the 1998 Data Protection Act, the General Data Protection Regulation (GDPR) was adopted in April 2016 and came into force in May 2018. Its primary aim is to give individuals control over their personal data, and it sets out:

  • What data is deemed sensitive or personal
  • Legitimate & legal reasons for capturing and storing that data
  • How you should store information
  • Your areas of liability, and consequences for GDPR breaches

Now the Brexit transition period has ended, there are two versions of the GDPR that UK organisations might need to comply with:

  • The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the processing of UK residents’ personal data; and
  • The EU GDPR, which continues to apply to the processing of EU residents’ personal data

There are some subtle differences between these regulations, particularly around the age of valid consent, who can make what decisions about the regulations, and potential breaches. You can read more about the specific GDPR post-Brexit changes in this Government document.

What is sensitive information?

GDPR is specifically concerned with the protection of personal or sensitive data. As with other HR functions, a lot of the information required to process payroll is personal, and is, therefore, classed as sensitive.

GDPR defines personal data as ‘information that relates to an identified or identifiable individual’, so data like names, addresses, pension information, and bank details all count.

There are also additional special categories of data that require even greater levels of protection. This includes information about race, ethnic origin, trade union membership, and health, biometric and genetic data.

What are legitimate reasons?

Under UK GDPR you must have a legal basis for processing information.

Legitimate interest is the most flexible lawful basis for doing so. Three things need to be considered to determine if data can be processed under legitimate interest:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

The UK GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential bases for legitimate interest, but you can’t just rely on it as your legal basis or assume it’s always the most appropriate.

Article 6 of the regulation deals with this aspect, and it’s complicated. You should therefore establish what your legal reasoning for processing any data is in conjunction with legal advice.

Storing data

GDPR requires you to:

  • Document the personal data you hold, where it came from, and who you share it with
  • Minimise, if possible, the amount of data that you hold – only keep what is essential and for no longer than necessary
  • Review and amend privacy notices to ensure that they comply with the new regulations
  • Control access to payroll information using appropriate safety measures
  • Safeguard and comply with specific data subject rights, e.g. the right to be informed, the right to access personal data, etc
  • In some cases, appoint a data protection officer

GDPR also requires you to implement technical and organisational measures to safeguard the personal data you hold, such as secure workstations, servers, and storage space; encryption protocols; and specific security policies.

Protecting payroll data

A risk assessment can help you determine if the users, processes, and systems you have in place are adequate to keep data safe and GDPR compliant.

Once this is done, you can rectify any issues and create internal controls and policies to address them going forward.

Here are some practical examples of what you could do to ensure you adhere to GDPR data protection rules when processing payroll information:

If possible, have at least two people manage the payroll process. This can help avoid conflict of interest and minimise fraud risk.

This will help validate data input and changes, and ensure the appropriate authorisation is in place before payment is made.

Reports can be run to help you identify who has access to what systems as well as data checks against new hires, leavers, new bank accounts, etc.

This can help identify potential issues and reveal any discrepancies early, such as mistakes in inputting hours, rates of pay and other data, and/or fraud.

And ensure payroll operators adhere to it.

And agree procedures on things like encryption, transfer, etc.

Such as firewalls, antivirus, and system patches.

If a single person runs payroll in the business, make sure you know what to do if that person becomes unavailable.

Ideally stored off-site with appropriate security (fireproof safes, locked, etc).

You may find it practical for security and continuity purposes to run payroll software on a dedicated computer to avoid any disruption caused by the failure of other software.

Destroy any trial runs and tests, such as payroll reports, to prevent accidental access to sensitive data, and make sure what physical information you do keep is as secure as your digital files! You may want to consider moving to digital alternatives, for example, online payslips.

If you are using payroll management software, some of its features (such as password-protection, access control, secure storage, etc) may help you to comply with some aspects of the GDPR security requirements.

Consequences of GDPR breaches

Ultimately, it’s in everyone’s best interests to ensure that data is collected and stored as per the GDPR, and the consequences of failing to do so are severe.

  • The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.
  • The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.

High-profile fines over the last few years include:

  • Google
    $56.6m for not giving users more control of their personal data within consent policies
  • H&M
    $41m for employee monitoring violations
  • British Airways
    $26m for failing to prevent a security breach that left 400,000 customers’ personal information exposed

If you have a third-party partner working on your payroll and haven’t had a GDPR conversation, we encourage you to do so now.


MPA has an in-house GDPR compliance officer working in collaboration with our payroll team to ensure that the way we collect, store, and process all of our customers’ information is legally sound and fully protected.

Get in touch if you’d like to know more about keeping your payroll information safe and the benefits of working with a provider like MPA.