Professional February 2017

Technology insight

GDPR and the payroll industry

Beverley Flynn, head of data protection, and Ayesha O’Connor, associate, at Stevens & Bolton LLP set out some of the key changes for the payroll industry

The new European Union (EU) General Data Protection Regulation (GDPR) will apply from 25 May 2018, imposing stringent requirements on organisations both in and outside the EU that collect, store, use, process and share ‘personal data’, including employee data. The GDPR will replace the existing regime based on the EU Data Protection Directive, and there are several new concepts and requirements which could have an impact for payroll service providers, both in their capacity as data controllers and as data processors.

● New obligations on outsourced processors – Notably, the new rules will apply not only to businesses that control the use of personal data (such as organisations in respect of their own employee data), but some obligations will also extend to data processors (those processing data on behalf of employers, such as outsourced payroll processors). Data processors will need to comply with certain requirements and face fines if they do not. Consequently, the legal framework for outsourced payroll processors is set to become more onerous.

● Accountability – The general requirement for data controllers to register with the regulator and pay a fee will be replaced with an ‘accountability’ principle, whereby they will need to demonstrate compliance with the rules. In particular, they will need to:
❍ adopt internal policies and procedures, which are reviewed frequently
❍ keep records of processing activities (some organisations with under 250 employees will be exempt)
❍ depending on the type of processing, appoint an expert data protection officer (DPO) who will aid compliance with relevant obligations and liaise with the regulator and individuals where necessary (see below)
❍ implement a privacy by design and default approach to processing, so that processing of personal data is properly considered and appropriate in each context, and
❍ conduct privacy impact assessments which consider the risks of processing and how they can be mitigated.
Some requirements, for example the need to appoint a DPO, will also apply to data processors.

● Mandatory notification of breaches – Data controllers will need to report certain personal data breaches to the regulator and to affected individuals. Notifications to the regulator must normally be made within 72 hours. Data processors will need to notify the data controller of breaches without undue delay.

Do you need to appoint a DPO?

Under the new rules, public authorities and certain organisations (those that regularly and systematically monitor data subjects, or that process sensitive personal data, including data relating to criminal convictions and offences, on a large scale) will need to appoint a DPO with ‘expert’ knowledge of data protection law and practice. As a result, payroll processors offering services to public authorities may need a DPO, but this should become clearer once the regulators publish further guidance. In any event, it is likely the voluntary use of DPOs will become more prevalent and could assist with compliance.

As the DPO would need an appropriate understanding of the new regime, organisations should start considering whether existing personnel are suitable (with training) or whether an external hire will be required. The former may be preferred from a cost perspective, but will only be feasible in practice if the DPO can balance the role with their other duties. Once appointed, the DPO must perform their duties independently and must not be dismissed or penalised for doing their job. Where appointing DPOs voluntarily, organisations should recognise that these mandatory protections could apply and take care when scoping the role.

Increased penalties

Obligations under the rules will be backed by new and larger fines for both data controllers and data processors (including outsourced payroll processors). The maximum fine will increase to €20 million or 4% of annual worldwide turnover in the previous year, whichever is higher. This represents a significant increase on the current maximum penalty in the UK of £500,000 and should be borne in mind when negotiating new contracts.

Preparing for implementation

Increasing awareness across the workforce, from the top down, will be crucial ahead of implementation in May 2018. From a risk mitigation perspective, some first steps for payroll processors comprise the following:

● Undertake a review of current data protection practice, identifying any deficiencies. The UK regulator, the Information Commissioner’s Office, has published guidance which aims to help businesses prepare.

● Start reviewing data processing provisions in any standard contracts, as these may need to be updated. Starting early, and considering how any additional risk and the costs of increased compliance will be allocated, could give payroll processors a head start in future negotiations.

● Determine whether the organisation acts as data controller or only as data processor in respect of any client personal data. Under the new rules, data processors who exceed their authority (for example, by using personal data for their own purposes) could unwittingly become data controllers or joint data controllers with their clients and expose themselves to greater liability, so procedures will need to be put in place to prevent this.


Issue 27 | February 2017 | Professional in Payroll, Pensions and Reward
