With GDPR fast approaching, what steps should payroll bureaus take to prepare?
Under the Data Protection Act 1998, employers are required to provide employees and job applicants with a privacy notice, setting out certain information. Under the terms of the GDPR coming into effect on 25 May 2018, employers might now need to provide much more detailed information.
Recap on the main GDPR issues for employers
More detailed privacy notices
Under the current law, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:
how long data will be stored for
if data will be transferred to other countries
information on the right to make a subject access request
information on the right to have personal data deleted or rectified in certain instances.
Employees may have an enhanced right over any use of their data in a professional environment. Employers may need to take steps to ensure that employees have expressly consented to the use of their data. This may be via a separate consent form and not just included in an employment contract. ACCA has updated its employment law factsheets specifically for GDPR and these will be available to members shortly.
The employer must have suitable systems in place to notify the regulator (and, potentially, any affected data subjects) if a data breach should occur. They must be able to inform their staff of the correct procedure and response when needed.
Generally there is a requirement for companies to issue notifications of data breaches within 72 hours of becoming aware of them.
GDPR grants data subjects specific rights in relation to the data shared with controllers and processors. Some of these rights are absolute and must be complied with; others apply only under certain conditions.
So how should a payroll bureau prepare for GDPR?
This is best answered in a questions and answers format:
Should we re-issue engagement letters?
First and foremost the bureau should update and re-issue its engagement letters to the client. This should be done as soon as possible.
When agreed with the client, engagement letters define the terms and limitations of the engagement. In particular, the engagement letter will specify the relative responsibilities of the bureau and the employer to make it clear that the employee’s personal data will be provided to the bureau to process the payroll for the business and that the employer still has responsibilities under GDPR.
ACCA has updated its engagement letters/terms and conditions specifically for GDPR and these will be available to members shortly.
What are the divisions of responsibilities between the bureau and the employer?
Responsibilities of employers:
Employers must provide employees and any job applicants with a privacy notice setting out certain details about how their information is managed;
A clear HR policy that sets out the process for retaining PAYE records and the duration of record keeping (subject to the legal requirements stated above);
The employers will need to inform their employees that they are sharing their personal information with a third party;
Accountants and payroll bureaus do not need to seek consent from the individual employees whose payroll is processed; this should be clarified in the letter of engagement.
All employers must ensure that their payroll bureau or accountant is taking action to protect their employees’ payroll information under GDPR.
ACCA has updated its employment law factsheets specifically for GDPR and these will be available to members shortly.
Responsibilities of accountants/payroll bureaus:
Accountants and payroll bureaus should keep only the personal data that is strictly required for the purpose of the payroll. This is referred to as data minimisation or privacy by default. They are legally obliged to protect payroll information on behalf of their clients, which means they must:
keep client and employee payroll information safe and secure
ensure clients’ data is relevant and up to date for the purpose of processing the payroll
only hold the information they need, and only for as long as they need it to manage the payroll
allow clients or their employees, on request, to view the personal information held about them
only collect the information needed for the specific purpose of completing the payroll on behalf of their clients
review all the data they hold and the grounds on which it is held (by category). It will then be easier to decide whether it is still appropriate for the data to be held and to draft retention policies
put new engagement letters (see above) in place with all clients, including GDPR requirements that set out internal policies on:
stipulating time for the preservation of records;
procedure followed after the stipulated period for the secure disposal of the data.
the letters will also need to provide a schedule confirming data-processing details with the employer. These will typically include:
subject matter of processing
duration of the processing
nature and purpose of the processing
type of personal data
categories of data subjects
any additional instructions
approved international transfers
technical and organisational security measures such as encryption.
How long should a client’s pay records be retained?
The storage limitation principle under the GDPR (Art 5(1)(e)) is not materially different from the existing principle under the Data Protection Directive. Essentially, personal data should not be retained for longer than is necessary for the purpose for which it is processed.
In relation to retention of books, files and working papers ACCA's rule book guidance can be found in ‘Section B6 Retention periods for documents’.
Tax files and other papers that are legally the property of the client or former client shall be returned to the client (or former client) after 7 years, or his/her specific authority obtained for their destruction.
Per HMRC guidance, all employers must keep PAYE records for three years from the end of the tax year they relate to. A typical PAYE record would generally include:
details of employees’ pay and deductions
reports and payments made to HM Revenue and Customs (HMRC)
employee leave and sickness absences
tax code notices
taxable expenses or benefits
payroll giving scheme documents, including the agency contract and employee authorisation forms.
Many employee records contain sensitive information, so it is crucial to ensure they are disposed of correctly. This may include the cross-shredding of paper records and the secure disposal of hard drives, which should be destroyed rather than formatted. Specific recommendations on the retention of records are contained within the soon-to-be-issued ACCA engagement letters.
Can a former client request that their data is deleted?
This will depend on why the data was held originally. Where the bureau is holding data for taxation purposes, it cannot be deleted before the end of the legal retention period. Remember that personal data should not be retained for longer than is necessary for the purpose for which it is processed.
However, the bureau should also ensure that it retains only what it needs to meet its contractual, legal or regulatory obligations.
We store client data on the cloud – does this matter?
Yes – the bureau will need to ensure that the servers and storage are GDPR compliant. This is part of the compliance picture that the client would need to be aware of (see below).
What does the client need to know about our GDPR compliance?
The bureau should be able to demonstrate to its client that it is GDPR compliant and that all data is securely protected. Under the data breach rules, the bureau would need to be able to demonstrate that it was GDPR compliant and had procedures in place to protect all data.
Are there any issues with the client’s employees?
payroll bureaus do not need to seek consent from the individual employees whose payroll is processed
an employer will need to inform their employees that they are sharing their personal information with a third party
it is the employer’s responsibility to ensure that their payroll bureau or accountant is taking action to protect their employees’ payroll information under GDPR
an employee cannot withdraw their consent for their personal data to be used as part of the payroll processing
bureaus should keep only the personal data that is strictly required for the purpose of the payroll. This is referred to as data minimisation or privacy by default.
Can we still email payslips to employees?
Yes – but it is essential that there is strict security over employees’ passwords and email addresses, that these are kept up to date, and that they are specifically chosen by the employee for this purpose. Payslips should also be encrypted. The ICO has specific guidelines on this issue.