On 25 May 2018 the General Data Protection Regulations (GDPR) will come into effect, replacing the current UK legislation. This much publicised change to the way in which businesses and organisations in the UK hold and manage personal data is expected to have a significant impact on both businesses and those providing payroll services for them.
The new regime has been developed to harmonise the way in which personal data is managed across the EU and also brings current legislation up to date to take into account the impact of increased globalisation and changes in technology which have changed the way that data is stored and transmitted.
What does this mean for Employees?
The new regime will increase the powers of employees to ensure the protection of their personal data held by their employer and any third party payroll providers they use in a number of areas:
The rules around consent for data processing are being strengthened and additional conditions imposed. Employers will need to look at their current consents and potentially re-obtain them. All permission requests will need to be clear and unambiguous and make it easy for the consent to be cancelled.
- Access to Data
Employees both current and past should be able to easily request and obtain the data held about them and they should be able to do so without charge.
- Right to be Forgotten
They will have the right to request that their personal data is removed subject to some exemptions in certain circumstances.
What will be the impact on Employers?
Businesses or Organisations employing staff and holding personal data about them will need to ensure compliance or face potential fines of up to 20 million euros or 4% of global turnover if greater.
In particular they will need to ensure that:
- Their current data protection and management procedures are reviewed and updated in line with the changes that come into effect with GDPR.
- All staff are made fully aware of the changes and how they impact on the data management of the organisation.
- Data processing consent requests for new employees are amended and if necessary new consents are obtained from existing staff.
- They have a system in place to identify reportable breaches and submit them to the ICO. This will be mandatory, with breaches requiring reporting within 72 hrs.
- Any in house payroll systems and procedures are compliant and will enable them to manage, store and transfer data in the required way.
- Their outsourced payroll provider, if one is being used, is fully compliant with the changes and has the necessary processes in place to deal with data breach reporting, information requests, data transfer and deletions.
- The way they transfer data not only between themselves and external suppliers but also to employees is safe and secure.
The Role of the Payroll Provider
As a payroll provider, the likelihood is that as with other changes to legislation over recent years you will not only need to ensure full compliance with the GDPR changes for your own organisation but provide guidance and support to your clients as well.
Reviewing the payroll software you use to understand how it will enable you to accommodate the changes to the way in which you hold, manage and transfer your client data will be key.
At Qtac as a payroll software provider and outsourced bureau we have been working on GDPR for many months. Current development on a cloud based platform, the Qtac Portal, will give employees, employers and their payroll providers, individual secure access to payroll data in real time giving greater accessibility to data and removing issues around data transfer between the individual parties.