As a payroll processor, you are responsible for some of people’s most sensitive data – name, address, National Insurance Number and bank details.
That’s to name just a few of the critical pieces of information you handle on a daily basis.
But are you sure you’re fulfilling your data security obligations at your payroll bureaux or practice?
Are you confident that your compliance work is solid? Are you certain you will not fall foul of the rules?
Fines and reputational damage
Failings could result in a large fine from the Information Commissioner’s Office (ICO) and reputational damage, with long-lasting effects on the state and stability of your organisation.
So, payroll security is paramount. You need to ensure that your processes are airtight, and your software is even more secure.
To understand what you need to do to ensure security and avoid that uncomfortable encounter with the Information Commissioner, it’s important to delve into how GDPR and the Data Protection Act 2018 have strengthened the requirements for payroll security – and how you can meet them.
A few of the most important changes that you need to be aware of and understand are as follows:
The right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
The right of access
As a third-party payroll processor, it’s paramount that you ensure clients and their teams have access to their personal information – whether that is round-the-clock access through an online portal such as the IRIS Payroll Professional myePayWindow, or through alternative channels you put in place.
Individuals have the right to access their personal data – commonly referred to as subject access. Individuals can make a subject access request verbally or in writing, and you have one month to respond to it.
What are the consequences of failure?
If a client or an employee makes a Subject Access Request (SAR), you need to be in a position to respond and provide them with a record of all the personal information you hold on them within the specified time limit set by the ICO.
If you are unable to respond to a SAR by the deadline, you will be faced with ICO sanctions – which can be up to 4% of your worldwide annual turnover, or €20 million, and they’ll pick the one that’s higher!
How to avoid running into trouble
At IRIS, we have a number of solutions built for accountants and bureaux that will enable you to process your payroll with complete confidence that you’re complying with the Data Protection Act 2018 and the GDPR.