The General Data Protection Regulation (“GDPR”) and payroll


Written by: Mark Abbs

The GDPR extends the data rights of individuals and requires organisations to develop clear policies and procedures to protect personal data.

There are 12 steps, with differing degrees of relevance to payroll, which you should be considering ahead of the legislation taking effect in May 2018. Most businesses have begun a review of client data, but it is important to consider the data you hold on your employees and the processes involved in HR and payroll. These 12 steps are:

  • Awareness – decision makers in the organisation need to be aware that the law is changing. An executive sponsor may be required to agree to release the budget to accommodate the changes. They should be aware that penalties can be up to the higher of €20 million or 4% of worldwide annual revenues.
  • Information you hold – You should document the nature and source of the information that you hold, including who you share it with. If information is found to be inaccurate you have an obligation to update any third-party organisations you have shared this data with.
  • Communication of privacy information – your privacy notices are likely to need updating. They need to include, among other things, the purposes for which the data will be processed, the categories of data, who will receive it (including whether it will leave the EEA), the period of storage and the consequences of any automated decision making and profiling.
  • Individuals' rights – including the rights to be informed, to access data, to rectify errors, and the right to erasure (commonly referred to as the right to be forgotten). There is a new right to data portability that applies only where processing is automated. Automated processing could include, for example, system-based triggers for sickness absence or attendance bonuses.
  • Subject access requests – in many cases you can no longer charge for these and the time limits for complying are reduced. Your procedures should be updated accordingly.
  • Lawful basis for processing personal data – although it seems self-evident, it is important that you identify and document the reasons. These will typically be a combination of meeting legal requirements and contractual obligations.
  • Consent – existing consents should be reviewed and may need to be refreshed. Consent can’t be inferred but must be given through a positive opt-in. It needs to be separable from other terms and conditions.
  • Children – there are specific rights for personal data held relating to children. You need to ensure you can verify individuals' ages, although this is unlikely to be an issue for payroll processing.
  • Data breaches – procedures should be designed to detect, report and investigate a breach. You need to understand when you will be required to report a breach to both the authorities and the individuals concerned.
  • Data protection by design and default – organisations now need to embed privacy considerations in both operational and strategic payroll considerations. This should ensure that only the minimum data is collected and processed, is stored for no longer than necessary and is restricted to that necessary for the purpose.
  • Data Protection Officer – this is not a formal requirement for all organisations but it is considered best practice that someone takes overall responsibility for data protection compliance.
  • International – if you operate payroll across more than one country you need to consider who the lead data processing supervising authority is.

For more information please contact Mark Abbs.