HOT TOPIC
How has GDPR impacted payroll departments?
Stuart Hall MAPGMdip MCIPPdip, non-executive director at the CIPP, discusses payroll’s obligations under the general data protection regulation (GDPR)

What impact has GDPR had on your payroll department? GDPR, or the general data protection regulation to give it its full title, came into effect in the UK four years ago. It wasn’t a new concept; it was simply a data protection process that upgraded the 1995 Data Protection Act. However, because of the introduction of the new GDPR rules, many companies had to overhaul how they process, manage and store individual data. Back then, reports in the press discussed large fines for any company that didn’t adhere to the new regulations. And for many, there was a fear they wouldn’t be able to change their software solutions or have the information technology skills necessary to implement the changes in time.

The regulation applied to any company that collected personal data on a European Union (EU) citizen, that is, any information related to an individual. This includes payroll, and for all payroll professionals, adhering to GDPR was, and still is, a matter of standard everyday protocol. Try taking a payroll manager for a coffee and asking about, or trying to extract information regarding, an individual on their payroll; they will just remain tight-lipped.

Consequences of non-compliance with GDPR

In some cases, there have been substantial fines. The Information Commissioner’s Office (ICO), an independent regulatory office with the task of upholding information rights in the interest of the public, has handed out some hefty fines. With the power to impose a penalty or fine of up to £17 million or 4% of annual global turnover, the ICO has taken several companies to task. British Airways was fined £20 million when their systems were compromised, affecting over 400,000 customers when hackers got their hands on log-in details, payment card information and travellers’ names and addresses.

The largest fine to date relating to GDPR, however, was for Amazon, who attempted to force users to ‘agree’ to cookies or make it difficult to ‘opt-out’ of cookies, and to collect as much personal data as possible. Their fine has been the biggest GDPR fine issued to date, totalling £636 million.

Payroll’s obligations

Back to the tight-lipped payroll professional: does GDPR really affect payroll? The quick answer is yes, and don’t underestimate your role even if you think this doesn’t matter because we have left the EU. Whether your payroll is handled in-house or outsourced to a third party, you must continue to bear in mind your responsibilities under GDPR. You have an obligation to store data securely, process data lawfully and have systems in place to deal with any data breach. Of course, your obligations will depend on whether you are a data controller or a data processor. Let’s make that clear:

● if you outsource your payroll function, the bureau is a data processor and you’re the controller of the data
● if you run your payroll in-house, you’re both the controller and the processor of the data.
Security of your data is key, and any breach of that information could cause significant harm to the employees affected. It would also increase your liability as a controller or processor. Don’t fall into the trap of thinking you only need to consider the payroll software; there are several areas in the payroll office vulnerable to data breaches. Spreadsheets and emails may contain personal information, and the sharing of information or data amongst the workforce could all increase the possibility of a data breach.
Professional in Payroll, Pensions and Reward | April 2022 | Issue 79