The EU General Data Protection Regulation (GDPR) is the most important change in data regulations in 20 years, replacing the previous Data Protection Directive. It has been devised to change data privacy laws across Europe, to protect and strengthen the rights of the citizen and their data privacy. As well as ensuring companies compliance to data privacy processes, standards and security.
GDPR not only applies to businesses within the EU but it also applies to companies located outside of the EU, if they offer goods or services to, or observe the behaviour of, EU data subjects. It refers to all companies processing and managing the personal data of subjects living in the European Union, regardless of the company’s location.
GDPR puts the duty on data controllers, the person that determines the purposes, conditions and means of processing of personal data. And processors, an individual who processes personal data on behalf of the controller, to seek and resolve potential issues of data security in the business and analyse the need and use for this data.
GDPR will have a significant impact on businesses and their HR and payroll departments in particular, which you will need to be aware of and prepare for. So here are some areas of risk for HR and payroll that you should examine in your business:
Is data access appropriate?
Most HR and payroll software offers the ability to limit the access and rights to specific data within the system. High-level access control and password restrictions should come as standard. However, all too often, users are granted more access than needed. GDPR will drive companies to review the current user rights management to assess the access levels of all employees and re-adjust accordingly. Going forward ensure that members of your payroll department have access to the data the need. Likewise, if you offer employees a Self Service facility, ensure that the accessible and editable data here is limited to, as is necessary. If you’re unsure how to do this, check with your payroll provider.
Is your data secure?
One of the greatest risks for HR and payroll is with moving data outside the confines of the companies controllable security. That can be to managed payroll providers, banks or even Revenue. In many situations, the data is given by email with a spreadsheet file. However, these may not be sent as encrypted or password protected for security. GDPR have significantly strengthened data security; stating that the “entire lifecycle of the data must be accounted for”. Going forward, ensure all data sent is done so securely. And if you are working with an outsourced payroll provider, ensure they securely transfer your payroll data using FTP (File Transfer Protocol), a portal or document storage system.
Do you need the data?
It is important to exclude data from payroll or HR systems when it is no longer required by the business. Though it is necessary to hold onto some data for a period, especially to meet any statutory requirements, a timeframe on maintaining such information should be decided and enforced by the company. Begin a process of purging historical information from your in-house systems. And if your records go back to the day’s paper and files, engage the services of a document shredding company who provide a certificate of destruction. GDPR has stated that this will become an obligation for businesses going forward so start the movement now.
Is your software secure?
Data held in HR or payroll systems has to be secure. Therefore you need to be sure that the software itself is secure. GDPR address data security in systems as a major point of this movement. However, the onus is on the company and the software provider to examine the weaknesses in the systems and adjust the process accordingly. Risk assessments should be conducted by both parties to ensure satisfaction on security to the very end of the payroll process. So contact your software provider and ensure that they are doing all the can to secure their software and are GDPR compliant.
Many of the steps needed to secure our HR and payroll data are straightforward and effective. Though GDPR doesn’t come fully into effect until May 2018, it’s best to get ahead of the curve now ensure your business is GDPR ready. Visit the GDPR website for more information and assistance.