Data protection is one of the most significant challenges facing businesses in the information age, and a comprehensive strategy is needed to deal with the stringent regulations that apply.
GDPR (General Data Protection Regulation) was introduced in 2018 to govern data protection and privacy within the European Union (EU). While it applies primarily to personal data, it has implications for various business processes, including payroll.
GDPR encompasses all personal data, which includes employee names, addresses, bank details, and national insurance numbers, all of which are commonly processed by Payroll teams.
This blog will outline the main ways GDPR affects Payroll teams in the UK.
Does GDPR still apply to the UK after Brexit?
Despite the UK’s exit from the EU, GDPR has been retained in domestic law (known as UK GDPR). The rules of UK GDPR are broadly the same as the EU regulations, with a few further implications relating to the transfer of data between the UK and the European Economic Area (EEA).
GDPR compliance for Payroll processing
Compliance with GDPR for Payroll is mandatory, and the responsibility for this compliance is with the employer. In simple terms, GDPR requires companies to have dedicated controls and systems in place to safeguard the personal data of all employees, as well as ensuring it is processed appropriately and securely in the eyes of the law.
So what does this mean in practice?
Training staff in data protection
To begin with, it is essential that any and all employees who have any access to personal data are appropriately trained in data protection best practices, and that they fully understand what is required from them under the rules of GDPR.
Storage and retention of personal data
GDPR rules state that all payroll data must be:
- Up-to-date and accurate
- Retained only as long as necessary
- Processed consistently and transparently
- Stored in a secure manner with robust protection against unauthorised access or loss.
Keep up-to-date records
It is also essential that all companies maintain up-to-date and accurate records on all the personal data that is recorded and processed, with emphasis on why the data is used. For example, National Insurance numbers will generally be recorded for the purposes of taxation and benefits.
Have appropriate security controls in place
Appropriate data security controls and measures should be in place to ensure compliance with GDPR. Not all of these measures are mandatory, but all are encouraged as part of an appropriate Payroll system. These measures include:
- IDAM – Identity & Access Management: This helps prevent unauthorised employees from accessing personal data. Employees must only have access to information that is directly related to their job.
- DLP – Data Loss Prevention: This helps prevent personal data from being lost in breaches by restricting personal data transfers outside of the organisation’s network.
- Encryption: GDPR does not explicitly require encryption of personal information, but it is regarded as an appropriate data protection measure. It is, therefore, recommended as a good practice.
- Pseudonymisation: This is defined in GDPR as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” Essentially, this means removing personally identifiable information from data to protect individuals in the event of a breach.
- IRP – Incident Response Plans: Unfortunately, data breaches may occur even when measures are taken to prevent them. In such an event, it is important to have an Incident Response Plan in place. This will look at identifying why and how the breach occurred, containing and eradicating it, recovering data, and assessing lessons learned.
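Pseudonymisation as defined above, shown as an added example that is not part of the original post: the payroll fields, the keyed-token approach (an HMAC over the NI number with a lookup table held separately as the "additional information") and the sample records are all assumptions constructed for illustration.

```python
# Pseudonymising payroll records as described above (added example, not Shorts' code).
# Direct identifiers are swapped for a keyed token; the token-to-person map is the
# "additional information" and is stored separately from the working data set.
import hashlib
import hmac
import secrets

# Constructed sample payroll records (fictitious people, NI numbers and accounts).
PAYROLL_RECORDS = [
    {"name": "Alice Example", "ni_number": "QQ123456A",
     "sort_code": "12-34-56", "account": "12345678", "gross_pay": 3200.00},
    {"name": "Bob Example", "ni_number": "QQ654321B",
     "sort_code": "65-43-21", "account": "87654321", "gross_pay": 2750.50},
]
DIRECT_IDENTIFIERS = ("name", "ni_number", "sort_code", "account")


def make_token(ni_number: str, key: bytes) -> str:
    """Keyed (HMAC-SHA256) token: without the key, nobody can recover the
    NI number by hashing every possible NI number and comparing results."""
    return hmac.new(key, ni_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (working_set, lookup): the working set keeps only what payroll
    calculations need; the lookup is the separately held re-identification data."""
    working, lookup = [], {}
    for rec in records:
        token = make_token(rec["ni_number"], key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        working.append({"token": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working, lookup


def reidentify(working_row, lookup):
    """Only a holder of the lookup table can attribute a row to a named person."""
    return {**lookup[working_row["token"]], **working_row}


def leaks_identifiers(working) -> bool:
    """Failure-mode check: a direct identifier left behind in the working set."""
    return any(k in row for row in working for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a key store, not alongside the data
    working, lookup = pseudonymise(PAYROLL_RECORDS, key)
    print(working)  # tokens and pay only, no names, NI numbers or bank details
```

A breach of the working set alone exposes tokens and pay figures but no identities; the lookup table and the HMAC key are what need the tightest access controls.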
Have appropriate contracts in place
If third parties, such as an outsourced Payroll service provider, are involved with the processing of personal data, it is essential that appropriate contracts are in place that clearly set out the GDPR obligations of both the employer and the third party.
It is also essential, when working with a third-party Payroll service provider, to ensure that they too have all appropriate data protection and security measures and controls in place.
Employee access to their own information
Employees must be able to access and alter/correct their personal information if needed, and processes must be in place to enable this.
Penalties for non-compliance with UK GDPR
Non-compliance with UK GDPR may result in significant penalties, the nature of which will depend on the size of the company and the significance/severity of the infringement.
- A “Lower level” GDPR penalty may be up to £8.7m (UK GDPR) or €10 million (EU GDPR), or 2% of the company’s annual global turnover.
- A “Higher level” GDPR penalty may be up to £17.5 million (UK GDPR), €20 million (EU GDPR), or 4% of annual global turnover.
Fines relating to GDPR are issued on a case-by-case basis and will depend on a number of factors, including the type of infringement, its severity, whether the company voluntarily reported the issue in appropriate time, the response of the company to limit damage, adherence to best practices, the types of data involved, and whether it was the organisation’s first infringement.
Do you require Payroll assistance?
GDPR compliance is just one of the many complexities surrounding Payroll, especially for businesses with many staff members.
By working with a Payroll specialist that is trained and equipped to meet the stringent standards of UK GDPR, you can rest assured that your organisation is doing things right, and minimising risk of issues.
Contact the Shorts Payroll team today if you require assistance.
Susan Kinsella
Sue manages the Shorts Payroll team, implementing efficiencies and simplifying processes to ensure clients receive an accurate and timely payroll experience.