Professional April 2022

Hot topic

Processes to adhere to GDPR are no doubt in place, but how often do you audit your data? It’s important to ensure you are holding information in a way that’s consistent with GDPR. Implementing a data retention policy and ensuring all relevant staff members are aware of the need for regular data protection auditing is as important as setting up rules and processes in the first place, whether that be for in-house processing or for checking your bureau provider. It’s important to remain GDPR compliant and, as we start to regain a new life in the post-pandemic world, where remote or hybrid working is firmly on the agenda, is now the time to run an audit on your processes? Working from home provides a better work-life balance; however, we need to recognise it poses new challenges to GDPR compliance. New security standards may need to be introduced for remote working, and these standards may differ from those used when everyone was working in the office. Even when working from home, employees are still in charge of handling personal and business data. Regardless of the location in which the work is done, GDPR requires the same security measures to be applied, to ensure data security and avoid data breaches. People who are working remotely are, in some respects, more likely to be exposed to security risks and threats. Whether your payroll is handled in-house or outsourced to a third party, you must continue to bear in mind your responsibilities under general data protection regulations.

How can data be held?

There was a time when everything was paper-driven. Working off clock cards, the payroll team would calculate and write out the total hours to be paid, or check handwritten timesheets completed by employees and authorised by line managers. Sick notes from a medical doctor or self-certified notes were all gathered in A4 lever arch files. No wonder payroll departments were housed in lockable offices, or cubicles in the corner of the large open-plan office. Thankfully there’s now a better, and safer, way of filing documents and information. In this electronic age, we can’t forget that GDPR means understanding the personal data you hold, where you hold it and ensuring it’s held securely. The data may be held on-site or remotely in the cloud. A combination of both storage types could also be used.

Cloud storage:

● means you always have easy access to your data and enables your company to have total control of that data. It means reducing or disposing of previous manual storage systems. Holding information on company computers and local servers is no longer required, which removes the risk of corruption and destruction if individual devices are damaged
● means lowering the risk of loss because you won’t be relying on a single device to store your data. Your storage provider would have security measures in place and be able to provide information, such as how often back-ups are carried out. In addition, the flexibility of the cloud means you and your employees can access the information from anywhere you need to
● means you must trust the cloud storage provider that your data is secure. Under GDPR, ultimate responsibility for data security still remains with you. Appropriate checks and due diligence should be carried out before deciding which storage provider to use
● can also be used by your payroll bureau, and, in your role as the controller, you still need to satisfy the security measures required under GDPR.

Remote workers:

● could be using their personal devices, such as laptops or smartphones, which may not have the same security measures as company equipment in the office. This lack of security could expose them to external threats, such as clicking on unfamiliar web links, opening attachments or visiting unsafe websites. Using personal devices could also mean employees mixing company data with their personal data
● may not be aware that there can be differences between accessing company data from the office and accessing that same data in a remote location, such as home. The data may be the same, but it could lose its integrity when handled without the appropriate technical safeguards in place
● may have to share their space with other family members or roommates, which could put their work at risk. GDPR does not make distinctions about places or conditions where data is processed; it simply requires appropriate security against potential risks, wherever that data may be
● should be clear about how to handle data. The data must be kept safe when it’s transferred from server to workstation, when in storage, and when it is transferred on removable media such as a pen drive or portable hard drive. GDPR requires security measures to be adopted, such as encryption, to protect data from inappropriate use. Encryption is always easier to adopt when working in a company’s offices, but it must also be implemented in devices and software in remote environments. Access to company data, whether business or sensitive, should always be controlled. Remote employees should have the right to access only data that’s necessary to accomplish their daily tasks. Access to the company server should be through a secure and private network connection, such as a virtual private network (commonly referred to as a VPN).

Make everyone aware of their responsibilities

As payroll professionals, it’s essential to have, maintain and audit a remote working policy for you and your team. It does no harm to remind everyone about how to keep personal information and company data safe, especially when working from home. Keeping employees aware of the role they play in keeping data safe, whether working from home or at the office, is all part of GDPR compliance.

| Professional in Payroll, Pensions and Reward | Issue 79 | April 2022 | page 47