25th May 2018 is an important day for companies in the UK & EU as The General Data Protection Regulation, or GDPR is due to come into force on this day.

This new legislation will be the biggest change to Data Protection laws in over twenty years. The Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) will have a number of significant changes to the way in which organisations are permitted process, manage and store personal data or personally identifiable data.

Personal data can be anything about an individual: a name, an email address, NI number, bank details and so on. All businesses and institutions handle personal data about their clients, customers, employees, so how will GDPR affect employers in terms of processing employee data?

Important points to note about GDPR:

  • GDPR will standardise data protection laws across the EU (the UK has enacted appropriate legislation and will maintain it after leaving the EU)
  • Organisations outside the EU must be compliant in order to supply goods and services to EU countries – as such, the new rules will have a global impact
  • GDPR broadens and clarifies the definition of ‘personal data’ to mean any data that can be used to identify an individual’
  • Rules for obtaining valid consent to keep and/or use personal data will be more positive – ‘Data subjects’ (that is, people on whom data may be held) cannot be ‘opted in’ by default
  • Organisations will be encouraged to adopt a ‘privacy by design’ approach when building new systems and processes that use or store personal data
  • Data Subjects will have new and stronger rights of access to personal information that is held about them and there will be strict rules for the time span for which data may be held
  • GDPR ensures that significant penalties can be imposed on employers or organisations who breach GDPR legislation – fines of up to €20 million or 4% of the businesses annual turnover, whichever is greater – thereby, penalties will be more proportionate and compliance likely to be more rigorous

Personal data in the employment context will include information about individual recruitment candidates, about new employees (obtained during induction and ‘onboarding’), and of course, information that you hold on current and previous employees. The rules will apply regardless of the method or medium of storage. This will include hard copy personnel files, HR database systems, and information in emails, fax transmissions, paper correspondence and voice recordings.

How does GDPR specifically impact your use of payroll software systems and/or your relationship with an outsourced payroll service provider?

As a user of an outsourced service, you, the client, would be considered a ‘data controller’ under GDPR. The Bureau or service provider is a ‘data processor’.

Previous data protection legislation mostly placed the responsibility for compliance with the client when they enter into an agreement with a provider who acts on their behalf, using personal information about their employees. Under GDPR, payroll service providers as data processors have significant responsibilities and will be subject to penalties enforced by the Information Commissioner’s Office (ICO) if they fail to adequately protect data that they process.

Generally, payroll service and systems providers are already geared towards a good level of data protection, since personal (and sensitive) information is the bread and butter of our professional activity. Payroll Business Solutions had already achieved ISO 9001 & ISO 27001 certifications and had been a Bacs Approved Bureau for some time. We began our GDPR compliance and readiness process by conducting awareness sessions and staff training, appointing a GDPR practitioner, and ensuring that appropriate modifications were made to our Accord Payroll Software system (and to our processes and documentation) in good time.

As with previous improvements to statutory requirements, Payroll Business Solutions are fully supportive of the aims of GDPR and have been happy to incorporate specific stipulations into our already thorough approach to data protection.