March 16, 2018

Four GDPR Risk Areas to Consider for Payroll & HR

With the new General Data Protection Regulation (GDPR) coming into force on 25 May 2018, many employers may be worried that they do not fully understand all the new rules surrounding the Personally Identifiable Information (PII) about an individual they hold and process.

The new legislation will have a huge impact on employers, particularly on their Payroll (and HR) departments. If the new rules aren’t followed, businesses could face eye-watering fines.

To make it easier, we’ve highlighted some of the potential risk areas your business might run into after this legislation comes into force.

1. Personal data

Under GDPR, you must review any personal data you hold about an individual that is required and used by your business. Any data you need to keep, such as for legislative reasons, needs to comply with the legal retention timeframes applicable to that area such as for PAYE, National Minimum Wage (NMW), maternity, health & safety and so on.

For all other types of data you will need to consider the purpose for which you hold that information and for how long, as it should not be kept longer than is necessary or legally required.

Once you have reviewed your position, the result becomes your data retention policy, which must be in line with the GDPR; any data that does not need to be retained should be securely deleted.

2. Data security

Moving your payroll & HR data to an outside source, like a payroll provider or an accountant, carries its own security risks and requirements. In some cases, data is sent via email in a spreadsheet, and historically these have not always been encrypted or password protected by every company.

Now, GDPR will enforce more stringent data security, so you’ll need to ensure all your data is always sent securely. Remember: putting personal and sensitive data within an email or an attachment without suitable encryption is like writing it on a postcard.

With the new rules, it’s more important than ever to ensure that payroll and HR data is transferred through a secure system, such as SFTP (Secure File Transfer Protocol). Moorepay uses Moorepayhr, a secure, externally security-tested web application, and Secure File Transfer Protocol (SFTP) to transmit data.

3. Data access

The GDPR gives individuals more rights:

  1. To view the information you hold for them
     • Is this data correct?
     • Is it being used legally?
  2. The right to rectification of this data
  3. The right to restriction of the processing of this data
  4. The right to erasure – also known as ‘the right to be forgotten’

And there are many more – see this exhaustive list from the Information Commissioner’s Office for more information.

You also need to consider the question of access to this data by your Data Controller and Data Processor(s). Managers and Administrators who access your records and systems need to be reviewed to make sure they have suitable access permissions for their respective roles.

4. Software security

All your payroll data needs to be secure, so the software it’s held in must be secure too.

Under GDPR, the responsibilities for checking and correcting any potential weaknesses in the software’s security lie with both the company and the software provider. That means conducting risk assessments over the whole payroll process, end-to-end.

So please contact your payroll provider to check their security and compliance with GDPR.

Advice for Moorepay Customers

To discuss your exposure to the GDPR please contact us in your usual way, email us at or call 0345 184 4615.

About the author

John Spooner

With 48 years’ experience in payroll, John (now retired) worked in both the public and private sector including 18 years in outsourcing. His previous roles included Payroll Manager, Operations Team Manager and Best Practice Consultant.
