Professional March 2020

COMPLIANCE

ensure compliance with. The European Data Protection Board provides further guidance on this and ICO [Information Commissioner’s Office] is constantly updating its guidance too.”

While payroll professionals have always taken privacy and security seriously, McClymont believes the introduction of the GDPR has heightened awareness and provided an additional focus on how businesses treat their own and others’ personal information. “Understanding the risks of data privacy and ensuring the right security is in place to mitigate these risks is an ongoing activity for all businesses,” he says. “This is now very much part of day-to-day business.”

Gimes concurs, commenting: “As part of any risk assessment, it is crucial that we identify whether it is necessary to hold all the information we have on an individual. I believe payroll professionals have always been very conscientious of the information they are holding on employees. However, I believe GDPR did make us stop and think about whether all the information we hold on employees was truly necessary.”

Northover highlights three areas for “never-ceasing consideration”:

● People – Well-trained, motivated staff can be a great asset in GDPR compliance. However, poorly trained, demotivated staff can be a weak link. Are employees’ responsibilities and accountabilities clearly laid out, documented and agreed for everyone who handles personal data?

● Processes – It is vital that documented payroll processes are regularly reviewed from end to end to ensure every transaction affecting personal data has been addressed, leaving no gaps in any risk mitigation objectives.

● Software security – Constant review is needed to identify potential weaknesses in this area.

While compliance is of course a priority, Thomson believes the introduction of GDPR “sent many a payroll and HR professional into a frenzy” and also invited many unnecessary ‘sharks’ who made a considerable amount of money from it. “In reality,” she says, “payroll has always looked after personal data and taken great care in this respect. Therefore, the only difference is there are higher penalties and much more focus.”

Dutton, meanwhile, believes data management should go beyond GDPR compliance. “Achieving accredited certification to ISO27001 is another way for organisations to ensure that they are being as thorough as possible in providing effective risk management over sensitive payroll data,” he says. “Equally, in the public sector, achieving cyber essentials certification is key in this area.”

It’s all very well organisations putting their risk management systems in place, but how can they be sure their assessment and contingencies are robust? Northover advises that a regular review of procedures is necessary. It is also important to empower all personnel to be responsible for identifying new risks and reviewing existing ones. Where practical, test business continuity and disaster recovery plans, as well as considering an independent audit of their procedures and engaging with CIPP’s PAS.

Thomson recommends enlisting the help of IT experts, ensuring penetration tests are carried out at regular intervals. “Robust firewalls and password encryptions must be maintained and always require some improvement to keep ahead of the naughty people in the world who are determined to exploit personal data for criminal means,” she says.

According to Dutton, it is worth remembering that many payroll systems today are likely to be managed in the cloud and there will be regular updates in place. Organisations will consequently need a strong and robust model for consuming updates and ensuring they don’t break the payroll calculations in the process. He observes that many businesses that have moved from on-premise payroll engines to cloud applications struggle with the change in the IT operating model that they need to adopt to manage the risk that comes with those updates.

Dutton also says it is worth considering a single human resources and payroll system. “This will enable organisations to avoid duplication of data and the issues associated with keeping two data sources in sync,” he explains. In turn, this will help reduce the administrative burden on people, the overall number of errors made and the risk from processes as a whole, while helping the payroll department focus on doing what they do best: delivering high-quality services in a timely and accurate way.

Payroll risk assessment

“Potential risks can fall into many categories and once identified they should be regularly explored and vigilantly reviewed,” says CIPP PAS assessor Julie Northover. While not exhaustive, the list includes:

● data loss
● system loss
● personnel loss
● premises loss
● non-compliance
● irregular internal audits
● fraudulent activity
● GDPR breaches
● unsuitably trained staff
● insufficient segregation of duties
● lack of performance management
● out of date documented procedures.

Professional in Payroll, Pensions and Reward | March 2020 | Issue 58