March 16, 2018

Four GDPR Risk Areas to Consider for Payroll & HR

With the new General Data Protection Regulation (GDPR) coming into force on 25 May 2018, many employers may be worried that they do not fully understand all the new rules surrounding the Personally Identifiable Information (PII) they hold and process about individuals.

The new legislation will have a huge impact on employers, particularly on their Payroll (and HR) departments. If the new rules aren’t followed, businesses could face eye-watering fines.

To make it easier, we’ve highlighted some of the potential risk areas your business might run into after this legislation comes into force.

1. Personal data

Under GDPR, you must review any personal data you hold about an individual that is required and used by your business. Any data you need to keep, such as for legislative reasons, needs to comply with the legal retention timeframes applicable to that area, such as for PAYE, National Minimum Wage (NMW), maternity, health & safety and so on.

For all other types of data, you will need to consider the purpose for which you hold that information and for how long, as it should not be kept longer than is necessary or legally required.

Once you have reviewed your position, the outcome will become your data retention policy – which must be in line with the GDPR – and any data that does not need to be retained should be securely deleted.

2. Data security

Moving your payroll & HR data to an outside source, like a payroll provider or an accountant, carries its own security risks and requirements. In some cases, data is sent via email in a spreadsheet, and historically these have not always been encrypted or password protected by every company.

Now, GDPR will enforce more stringent data security, so you’ll need to ensure all your data is always sent securely. Remember: putting personal & sensitive data within an email or an attachment without suitable encryption is like writing it on a postcard.

With the new rules, it’s more important than ever to ensure that payroll & HR data is transferred through a secure system, such as SFTP (Secure File Transfer Protocol). Moorepay uses Moorepayhr, a secure and externally security-tested web application, and Secure File Transfer Protocol (SFTP) to transmit data.

3. Data access

The GDPR gives individuals more rights:

  1. To view the information you hold for them
    • Is this data correct?
    • Is it being used legally?
  2. The right to rectification of this data
  3. The right to restriction of the processing of this data
  4. The right to erasure – also known as ‘the right to be forgotten’

And there are many more – see this exhaustive list from the Information Commissioner’s Office for more information.

You also need to consider the question of access to this data by your Data Controller and Data Processor(s). The access held by Managers and Administrators who use your records and systems needs to be reviewed to make sure they have suitable access permissions for their respective roles.

4. Software security

Since all your payroll data needs to be secure, so does the software it’s held in.

Under GDPR, the responsibilities for checking and correcting any potential weaknesses in the software’s security lie with both the company and the software provider. That means conducting risk assessments over the whole payroll process, end-to-end.

So please contact your payroll provider to check their security and compliance with GDPR.

Advice for Moorepay Customers

To discuss your exposure to the GDPR please contact us in your usual way, email us at info@moorepay.co.uk or call 0345 184 4615.



About the author

John Spooner

With 48 years’ experience in payroll, John has worked in both the public and private sector including 18 years in outsourcing. His previous roles include Payroll Manager, Operations Team Manager and Best Practice Consultant. John is responsible within Moorepay for keeping us up to date with all the payroll legislation changes.