GDPR is Here – and is Being Felt Throughout the Business World
The GDPR is now in effect and has an impact on every part of an organisation. Here, we look at how the payroll function needs to adapt.
When the GDPR came into force at the end of May, there was a general flurry of furious activity among marketing and customer service teams as they prepared for the big day. And in the initial weeks, we have all started to get used to filling in interminable forms and checking boxes every time we visit a website.
However, the regulation has a knock-on effect that can be felt by other, non-customer-facing functions. Payroll is a prime example. It is a department that handles plenty of highly sensitive personal data, such as home addresses and bank account details, and it might often need to share or send this data, for example when a third party is used to process payments.
Here are ten points to keep in mind and questions to ask yourself in relation to GDPR and payroll data.
1) Do you know what you’ve got?
You should have a clear handle on exactly what data your payroll and accounts function collects. Not just that, but you need a picture of how they collect it, where they store it, how they use it, who can access it and which third parties, if any, they share it with.
2) Do you need this data?
A core tenet of GDPR is the requirement for firms to demonstrate that they are using data on a lawful basis. In the case of payroll, this means showing they have a legitimate interest in the data.
3) Is the data up to date?
There needs to be a process in place to ensure that any inaccurate or outdated payroll data is either corrected or deleted.
4) You might need a DPO
The GDPR does not make it mandatory for businesses to appoint a Data Protection Officer (DPO). However, for any business that processes sensitive personal data in any kind of volume, it is an appointment well worth considering.
5) Incorporate compliance by design
If data privacy is incorporated into your systems by design, there is less chance of things going wrong. Ensure you are only capturing data that you actually need in order to process payroll.
6) Be ready to report
The GDPR gives you just a 72-hour window to report any breach from the moment you become aware of it. Don’t delay, or the consequences will only be worse.
7) Penalties are significant
There are fines of as much as €20 million or four percent of a business’s annual turnover, whichever is the higher, for GDPR breaches.
8) It applies to everyone
It’s unsurprising that the first high profile stories are about the biggest companies, but remember that the GDPR applies to any business that processes personal data.
9) GDPR will help you focus
GDPR is not going to magically put an end to data breaches, but it will certainly help businesses tighten up their processes and focus their attention on reducing their likelihood and severity.
10) The Brexit factor
It’s worth keeping in mind that under GDPR, there are restrictions on transferring personal data outside the EU. From midnight on 13 March 2019, when Brexit takes place, “outside the EU” will mean right here.