GDPR came into force in May 2018 and replaced the 1995 data protection directive. GDPR is the most stringent of privacy laws in the world. GDPR covers all companies inside of the EU and also those outside of it, but they are covered under this law if they provide services to those in the EU or if they monitor people’s behaviour in the EU.
Whenever a company processes personal data, they need to comply with GDPR. Processing data is something companies do every day. Personal data is any information that could be used to identify a person.
Why is payroll data classed as sensitive data?
Within a payroll system there is highly sensitive data that is held, and therefore we ensure that our payroll software is only accessible by authorised individuals. Our payroll software is encrypted to get into the actual software, and then each companies payroll is encrypted again. We also ensure that we only ask for the data we need, therefore we don’t ask our clients for any information that is not mandatory on submissions to HMRC, for example we would need to know employees’ race, ethnic origin, trade union membership, genetic data etc.
How is data shared?
Sharing data between employees or clients puts all data held at risk of being intercepted. Therefore, we have added the below steps to ensure that this risk is minimised:
- Data being shared with us – we always ask that anything our clients send us is password protected and that no sensitive data is included within the body of an email.
- Data being sent to client, employees, or authorised third party processors – When we send any data to our clients, we ensure that all reports are encrypted with a pre- arranged password, no data is included in the body of an email, and data is only sent to an authorised connection held on that clients account.
What steps do we have in place to minimise risks?
- Reports are always encrypted.
- Emails do not include sensitive data – this is added to an attachment that is then encrypted.
- Phone calls are monitored, and we always ask for a series of data protection questions before passing over any data.
- Every client has a contact list that they must ensure is up to date, we will only pass data to anyone recognised within that list.
- We do offer confidential payroll reports – this means that we do allow our clients to split their payrolls, for example the head office department can be processed separately to the main payroll, so that the head office staff are not included within the main payroll, and they can keep their details confidential.
- Payslips are sent to employees encrypted along with their P60s, P45s, and P11Ds as appropriate
- All payroll managers screens are out of view of not only visitors but each other – this means that if anyone comes into the office their computer screens are not visible.
- All payroll managers are asked to lock their computers when they step away even for a short amount of time.
- We operate a clear desk policy meaning that when away from their desk no paperwork is left unattended and is locked in a secure cabinet in the office.
- Our office is also securely locked at the end of every day, and key holders are only those that have been trained in all our data protection and GDPR policies.
Rest assured that we do audit all data on a regular basis, and we do update our processes to ensure we are always up to date and complying with GDPR within our practices.
If you have any further questions, please don’t hesitate to get in touch with our Data Protection Officers:
Fay Cooper – Data Protection Officer
Andrew Conway – Deputy Data Protection Officer