Blog: Collecting, processing and protecting payroll data
Companies all around the world collect highly sensitive information about their workforce in order to process payroll timely, accurately, and legally.
Whether you handle payroll data in-house or outsource it to a third party, you have an obligation to make sure it is collected for the right reasons and that it is stored in the right way. Outsourcing the processing does not outsource the responsibility: as the employer you remain the data controller.
Legally, the collection and storage of personal information is regulated by the General Data Protection Regulation (GDPR).
What is GDPR?
The General Data Protection Regulation (GDPR) was adopted in April 2016 and has applied since 25 May 2018; in the UK it replaced the regime of the Data Protection Act 1998. Its primary aim is to give individuals control over their personal data, and it sets out:
- What data is deemed as sensitive or personal
- Legitimate & legal reasons for capturing and storing that data
- How you should store information
- Your areas of liability, and consequences for GDPR breaches
Now that the Brexit transition period has ended, there are two versions of the GDPR that UK organisations might need to comply with:
- The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the processing of UK residents’ personal data; and
- The EU GDPR, which continues to apply to the processing of EU residents’ personal data
There are some subtle differences between these regulations, particularly around the age of valid consent, who can make decisions about the regulations, and how breaches are handled. You can read more about the specific GDPR post-Brexit changes in this Government document.
What is sensitive information?
GDPR is specifically concerned with the protection of personal data. As with other HR functions, a lot of the information required to process payroll is personal data, and some of it falls into the special categories that need extra protection.
GDPR defines personal data as ‘information that relates to an identified or identifiable individual’, so data like names, addresses, National Insurance numbers, pension information, and bank details all count.
There are also additional special categories of data that require even greater levels of protection. These include information about race, ethnic origin, trade union membership, and health, biometric and genetic data. Payroll routinely touches two of these: trade union membership (where subscriptions are deducted from pay) and health (sick pay and occupational health adjustments), so a payroll system cannot assume it only holds ordinary personal data.
What are legitimate reasons?
Under the UK GDPR you must have a lawful basis for processing information. For core payroll processing the most natural bases are usually contract (you need the data to pay the employee under their employment contract) and legal obligation (reporting to HMRC and pension providers); consent is rarely appropriate for employees because of the imbalance of power between employer and worker.
Legitimate interest is the most flexible lawful basis, and it often covers ancillary uses of payroll data. Three things need to be considered to determine if data can be processed under legitimate interest:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
The UK GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, and IT security as potential legitimate interests, but you can’t simply rely on it as your legal basis or assume it’s always the most appropriate one.
Article 6 of the regulation deals with lawful bases, and it is complicated; special category data additionally needs a separate condition under Article 9 (for payroll, typically an employment-law obligation). You should therefore establish your legal reasoning for processing any data in conjunction with legal advice.
GDPR requires you to:
- Document the personal data you hold, where it came from, and who you share it with
- Minimise, if possible, the amount of data that you hold – only keep what is essential and for no longer than necessary
- Review and amend privacy notices to ensure that they comply with the regulations
- Control access to payroll information using appropriate security measures, so that only those with a need to see it can do so
- Safeguard and comply with specific data subject rights, e.g. the right to be informed, the right to access personal data, and so on
- In some cases, appoint a data protection officer
GDPR also requires you to implement technical and organisational measures to safeguard the personal data you hold, such as secure workstations, servers, and storage; encryption of data at rest and in transit; and specific security policies.
A risk assessment can help you determine whether the users, processes, and systems you have in place are adequate to keep data safe and GDPR compliant.
Once this is done, you can rectify any issues and create internal controls and policies to prevent them recurring.
Here are some practical examples of what you could do to ensure you adhere to GDPR data protection rules when processing payroll information:
Consequences of GDPR breaches
Ultimately, it’s in everyone’s best interests to ensure that data is collected and stored as per the GDPR, and the consequences of failing to do so are severe.
- The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.
- The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.
High-profile fines over the last few years include:
- $56.6m for not giving users more control of their personal data within consent policies
- $41m for employee monitoring violations
- British Airways: $26m for failing to prevent a security breach that left 400,000 customers’ personal information exposed
If a third-party partner works on your payroll and you haven’t yet had a GDPR conversation with them (what they hold, where it is stored, who can access it, and how long they keep it), we encourage you to do so now.
MPA has an in-house GDPR compliance officer working in collaboration with our payroll team to ensure how we collect, store, and process all of our customers’ information is legally sound and fully protected.
Get in touch if you’d like to know more about keeping your payroll information safe and the benefits of working with a provider like MPA.