The rules concerning how you, as an HR or finance department, process data relating to staff are being transformed. But data concerning payroll? That will be unaffected, right? Well, don’t be so sure.
Under the new General Data Protection Regulation (GDPR) coming into force on May 25th this year, there are six legal bases for processing data – and one such base is contractual necessity, where, to quote the UK regulator the ICO, “the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract”.
Well, if an employee is the data subject, then it is hard to envisage circumstances in which processing their payroll data is not necessary under the conditions of the contract with them.
But this does not give a company carte blanche.
Areas to focus on include holding data only when it is necessary, examining data that may be passed to a third party, and being able to respond to subject access requests. There is also the issue of cyber security.
The first step may be a data audit: what payroll data do you hold, and where? Is it held on multiple computers? How far back does the data go? How detailed is it? The data audit needs to be comprehensive.
Once complete, a process needs to be in place to ensure that you always have an updated record of the data you hold.
Once the data audit is complete, ensure that the data you hold is indeed necessary. Data on former employees may no longer be relevant, and data should be held only in the locations where it is needed.
Another key area relates to data that is held by third parties, for example, an external HR resource or accountancy service. It may be necessary for such an organisation to have access to payroll data concerning your employees, but have they performed a data audit?
Under GDPR, data subjects have a right of access, exercised through a subject access request (SAR). They can request that you furnish them with details of the data you hold concerning them, and you must respond. So it is essential that you have systems in place so that both you and any subcontractors holding payroll data can respond to a SAR.
Then there is the issue of security. What systems are in place to protect data from cybercrime, for example? Are they sufficiently robust? And in the event of a data breach, what processes are in place to communicate the breach to data subjects?
Finally, linked to the issue of payroll are expense claims, which can contain sensitive information. The steps needed to bring expense claims into compliance with GDPR are likely to be similar to those outlined above, but it is essential that such processes are robust.