The EU General Data Protection Regulation (GDPR) has been in force since 25 May 2018. It requires businesses to consider how they store and process the data they hold on individuals, including employees. Here are five steps payroll professionals need to take to comply with the requirements of the GDPR.
1. Appoint a data protection officer
While this is not an explicit requirement under the GDPR for all organisations, you will need to appoint someone to oversee your data protection strategy and ensure compliance with the GDPR if you handle a large amount of sensitive personal data.
2. Decide why certain data needs to be held
The GDPR requires that organisations can demonstrate a lawful basis for using personal data. Payroll departments will usually be able to rely on the ‘legitimate interest’ basis. This has three elements that much be satisfied: identify the legitimate interest, show that processing the data is necessary to achieve this interest, and balance the legitimate interest against the individual’s interests, rights and freedoms.
3. Define how data is collected and stored
To comply with the GDPR, payroll departments need to be sure of how they collect, store and process personal data. Use the advent of the new data protection regime as an opportunity to undertake a data ‘audit’ and make any necessary changes, such as updating the organisation’s privacy policy. This is especially important if you share personal data or transfer the data you hold to other countries inside or outside the EU.
4. Update your internal processes
One of the key requirements of the GDPR is that personal data is processed by means of ‘appropriate technical and organisational measures’. It is therefore crucial to undertake a review of your current data handling procedures and, if necessary, upgrade to a more appropriate level of security. Once in place, it is important that your security procedures are enforced and regularly reviewed.
5. Report your data breaches
Under the GDPR, you are required to report any data breaches to the Information Commissioner’s Office within 72 hours of discovery.
Penalties for non-compliance with the GDPR can be up to four per cent of annual global turnover or £20m for the most serious breaches, so it is important that organisations are aware of their obligations. The good news is that if you were already adhering to the rules set out in the Data Protection Act 1998, complying with the GDPR should not be too much of a stretch; however, the GDPR does introduce some new rules, which could impact how payroll data is handled going forward.
Recruiters love this COMPLETE set of Accredited Recruitment & HR Training – View Training Brochure