Handling payroll requires processing vast amounts of personal data relating to your employees, including names, addresses, bank account details, social security numbers and salary information. This is all sensitive information, which the law requires you to protect from accidents, misuse, loss and prying eyes.
Does GDPR affect payroll?
Because it involves processing personal data, payroll is one of the key HR areas affected by the General Data Protection Regulation (GDPR). The regulation requires you to:
- document the personal data you hold, where it came from and who you share it with
- minimise, if possible, the amount of data that you hold - only keep what is essential and for no longer than necessary
- review and amend, if necessary, privacy notices to ensure that they comply with the new regulations
- control access to payroll information using appropriate safety measures
- safeguard and comply with specific data subject rights, eg the right to be informed, the right to access personal data, etc
- in some cases, appoint a data protection officer
The GDPR also requires you to implement technical and organisational measures to safeguard the personal data you hold. These measures may include, for example:
- secure workstations, servers and storage space
- encryption protocols
- specific security policies
- confidentiality clauses to establish best practices for data protection
If you're using payroll management software, some of its features (such as password-protection, access control, secure storage, etc) may help you to comply with some aspects of the security requirements under the GDPR.
Protecting your payroll data
A risk assessment can help you determine if the users, processes and systems you have present a risk to your payroll data. Once you identify potential risks, you can create internal controls and policies to address them. For example, you could:
- Manage access to the payroll system - restrict to necessary staff only. Use timeout features to log employees out of the system after a period of inactivity.
- Segregate duties within the payroll team - if possible, have at least two people manage the payroll process. This can help avoid conflicts of interest and minimise fraud risk.
- Use a peer review and/or approval process to validate data input and changes. Only make actual payments with appropriate authorisation.
- Run and review payroll control reports, eg for system access, new hires, leavers, new bank accounts, etc. This can help identify potential issues and reveal discrepancies early, such as mistakes in inputting hours, rates of pay and other data, and/or fraud.
- Implement a data retention policy and ensure payroll operators adhere to it.
- Classify data according to sensitivity and agree procedures on encryption, transfer, etc.
- Use and regularly update security measures such as firewalls, antivirus and patches.
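The segregation-of-duties, approval and control-report points above can be turned into a simple automated check over a payroll change log. The following is an added example written for this page, not code from any payroll product: the change-log fields, the constructed sample records, the list of fields that need a second approver and the pay-rate threshold are all assumptions chosen to illustrate the idea.

```python
"""Minimal payroll control-report check (illustrative example, not a real product).

Each payroll change is reviewed for the controls discussed above:
  - sensitive changes (bank account, pay rate, joiner/leaver status) need an approver
  - the approver must not be the person who entered the change (segregation of duties)
  - new bank accounts, new hires and leavers are always listed for review
  - unusually large pay-rate changes are flagged as possible input errors or fraud
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    change_id: str
    employee_id: str
    field: str         # assumed field names: bank_account, pay_rate, hours, status
    old_value: str
    new_value: str
    entered_by: str    # payroll operator who keyed the change
    approved_by: str   # second person who approved it, or "" if nobody did


# Constructed sample log for one pay run (not real data).
SAMPLE_LOG = [
    Change("c1", "E100", "hours", "160", "168", "alice", "bob"),
    Change("c2", "E101", "bank_account", "GB00AAAA1111", "GB00BBBB2222", "alice", ""),
    Change("c3", "E102", "pay_rate", "18.50", "185.00", "bob", "bob"),
    Change("c4", "E103", "status", "none", "new_hire", "alice", "bob"),
    Change("c5", "E104", "status", "active", "leaver", "bob", "alice"),
    Change("c6", "E105", "bank_account", "GB00CCCC3333", "GB00DDDD4444", "alice", "bob"),
]

# Fields whose change must always carry an independent approval (assumption).
SENSITIVE_FIELDS = {"bank_account", "pay_rate", "status"}
# Pay-rate changes above this ratio are flagged for review (assumed threshold).
MAX_RATE_RATIO = 2.0


def review_change(change: Change) -> list[str]:
    """Return the list of findings for one change; empty list means nothing to report."""
    findings: list[str] = []
    if change.field in SENSITIVE_FIELDS and not change.approved_by:
        findings.append("missing approval")
    if change.approved_by and change.approved_by == change.entered_by:
        findings.append("self-approved")
    if change.field == "pay_rate":
        old, new = float(change.old_value), float(change.new_value)
        if old > 0 and new / old > MAX_RATE_RATIO:
            findings.append(f"pay rate changed by factor {new / old:.1f}")
    if change.field == "bank_account" and change.old_value != change.new_value:
        findings.append("bank account changed")
    if change.field == "status" and change.new_value in ("new_hire", "leaver"):
        findings.append(f"{change.new_value.replace('_', ' ')} listed for review")
    return findings


def control_report(log: list[Change]) -> dict[str, list[str]]:
    """Map change_id -> findings, keeping only changes that have at least one finding."""
    report: dict[str, list[str]] = {}
    for change in log:
        findings = review_change(change)
        if findings:
            report[change.change_id] = findings
    return report


if __name__ == "__main__":
    for change_id, findings in control_report(SAMPLE_LOG).items():
        print(f"{change_id}: {'; '.join(findings)}")
```

Running the script on the constructed log reports the unapproved bank-account change, the self-approved tenfold pay-rate change, and lists the new hire, the leaver and the approved bank-account change for a reviewer to confirm; the routine hours adjustment produces no finding.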
If a single person runs payroll in your business, have a back-up plan in case that person becomes unavailable. For example, your business' accountants could provide emergency cover.
Keep back-up copies of the payroll data, ideally stored off-site with appropriate security, eg in a fireproof safe. You may find it practical for security and continuity purposes to run payroll software on a dedicated computer to avoid any disruption caused by the failure of other software.
If you keep paper-based information, such as payslips, you must consider their physical security. Destroy any trial runs and tests, such as payroll reports, to prevent accidental access to sensitive data.
Taking note of the GDPR, you may want to consider moving from printed payslips to a digital alternative. This could help you consolidate your employee data in one secure place where you can control access to sensitive documents.