Are payslips GDPR compliant?

Brought to you by ICPA Limited

Payslips contain personal employee information so tread carefully, says Simon Palmer

Every week, fortnight or month your clients’ employees receive a financial transaction backed up with some paperwork. That paperwork, commonly known as a payslip, contains personal information about the employee that should be kept private and confidential. So have you ever thought about how secure that information is?

This blog is taken from the ICPA website, which is dedicated to supporting and promoting the needs of the general practitioner. You can find us at www.icpa.org.uk, email [email protected] or phone 0800-074-2896.

Payslip information has always been private and confidential, so why should you be concerned about it now? Well, in case you've missed it, the EU has introduced the GDPR (General Data Protection Regulation) to update and harmonise data protection practices across the EU. It applies throughout the EU and EEA, and to any individual or organisation that processes the personal data of people in the EEA in the course of economic activity. It came into force on 25 May 2018 (before the UK leaves the EU), and UK individuals and organisations engaged in economic activity must ensure compliance with the new regime.

As a payroll services company, we at Qtac have seen a rise in the number of accountants and bureaux expressing concern and confusion about how payslips should be distributed.

Payslip delivery can take many forms these days, so in what format should you distribute payslips?

Appropriate security

Nothing in the GDPR prohibits any of the delivery methods listed below, but Article 32 requires you to apply appropriate technical and organisational measures to protect the personal data in a payslip, whichever method you use.

Paper payslips are still regularly posted, either to your client’s place of business or directly to the employee’s home address. If you do this, consider using security payslip envelopes, marking the envelope ‘Private and confidential’, and addressing it to a named individual rather than a department. In some cases, you may decide to use special delivery or registered post so that delivery is tracked and signed for.

Emailing payslips has become very popular as businesses look to reduce paper waste and/or save time and money. It is certainly quicker than posting, but you must take steps to protect each employee’s payslip in transit and at rest in the recipient’s mailbox. Consider protecting each payslip with a password chosen by the employee (not a guessable default such as a National Insurance number or date of birth), send it only to an email address the employee has nominated, and never send the password in the same email as the payslip.

Portal payslips have seen a rise in popularity in recent years, as forward-thinking companies have looked at delivering payslips to employees via user-managed systems. Because the employee logs in to collect the payslip, nothing sensitive is sent over email at all, and these systems can provide increased security through end-to-end data encryption and access control on each employee’s account.

Besides payslip delivery, a review of your payroll service should also cover how you collect and retain payroll data.

The GDPR requires a Data Protection Impact Assessment where processing is likely to result in a high risk to individuals (Article 35). Carrying one out for your payroll processing will help payroll teams identify the most effective way to comply with their data protection obligations and meet employee expectations of privacy.

Ensure that the way you handle, transmit and retain payroll data meets the requirements of the legislation. In addition, look for ways to ensure payroll data is not held unnecessarily, and keep only the personal data that is strictly required for the purpose of the payroll, for no longer than it is needed; this is what the regulation calls data minimisation and privacy by default.

Where you are required to designate a Data Protection Officer (Article 37), or have chosen to appoint one, liaise with them as required regarding your payroll service and data to ensure there are robust, documented procedures and processes around payroll data.

Employee consent also seems to be a topic for discussion among many payroll service providers, but don’t worry: you do not need to seek consent from individual employees receiving payslips. The lawful basis for processing payroll data is the employment contract and the employer’s legal obligations, not consent.

It is the employer’s responsibility, however, to inform their employees of any third-party involvement and to ensure that their payroll service provider is protecting their employees’ payroll information under the GDPR. As the employer’s processor, you must be bound by a written contract that sets out those protections (Article 28), so you should be prepared to answer these questions when your clients come knocking.

By communicating these processes and procedures to your staff and clients, the risk of a data protection breach can be substantially reduced and your compliance demonstrated.

So to conclude, the GDPR is a risk-based exercise. If your review has highlighted risks that concern both your business and your clients, action should be taken in those areas. For example, if you do not currently password-protect emailed payroll data, implementing a password policy or moving to a payroll portal would immediately reduce the risk.

The Qtac Portal provides end-to-end data encryption of payroll reports, payslips and processing data via a secure, user-managed account. If you would like to know more, please contact one of our team on 0117 9353500 (option 2) or via email at [email protected]

• Simon Palmer is Sales and Marketing Director at Qtac Payroll