The impact of GDPR on UK payroll businesses
If you didn’t manage to make Accountex this year - we’re sorry we missed you! It was an awesome opportunity to explore the hot topics in the accounting industry this year - GDPR being one of them.
Funnily enough, I have spent the last 12 months building out the UK version of KeyPay (fantastic payroll software - if you didn’t already know!) which means I’ve learnt far more about GDPR than I ever thought I would. So at Accountex, I led a talk on GDPR and its impact on UK payroll businesses, because what’s the point in keeping all this knowledge to myself? With GDPR being implemented today (25th May), it seemed appropriate to recap Wednesday’s talk and share the things I’ve learned in the past 12 months in this blog post.
So what is GDPR?
The GDPR is the General Data Protection Regulations that are being introduced by the EU to govern the way personal data is collected, stored and transferred. In addition, it gives individuals more control over their personal information and provides explicit measures that businesses must follow when processing and controlling an individuals data.
Why is GDPR important?
Now, one of the most common reasons I hear people say that you should be GDPR compliant is because if you’re not, then you’ll get fined. A LOT. But being GDPR compliant just so you can avoid being fined, is a bit like eating your veggies so your mum won’t yell at you… it’s kind of missing the point.
If you think of what’s happened in the past 20 years, we now live in a world where so much more of your information is being collected, stored and used than ever before. We have companies like Facebook, Google and Amazon, that are data harvesting machines, collecting everything from who we dated in high school to what we had for lunch and it’s not entirely clear what they’re doing with that data... and that’s the problem. Right now, we don’t have any real control over what data is being collected, what it’s being used for and really, how secure that data is. So what the GDPR is trying to do is shift the balance of power away from the companies that are collecting this information, back into the hands of individuals.
So what does this have to do with payroll?
Well, when you think about it, in payroll, we collect, use and store a lot of data about an employee and that data is far more valuable than just holiday pics and their Amazon wish list. We store National Insurance numbers, child support payments and court orders. We have timesheets, expense claims and leave requests. And of course, we have salary information.
It’s clear that in the payroll industry, we’re collecting a lot of information, it’s clear that this is valuable information and what the GDPR is doing is making it clear what our roles and responsibilities are when managing this data. Essentially what they’re really saying is that the days of storing highly valuable, personal data in unsecured, unencrypted servers in the cupboard under the stairs are over.
The impact of GDPR on payroll
GDPR impacts payroll in many ways, but I’m going to focus on 2 big ones:
- Making businesses more responsible for the data they collect
- Giving individuals more power over the data that these businesses hold on them
The first impact of GDPR on payroll is making businesses more responsible for the data they collect by defining their roles (and responsibilities). Here’s some examples within a payroll scenario:
We have Bertie, the owner of ‘Bertie’s Burgers’. He is a business owner, but with GDPR coming into place, he can also be known as a ‘data controller’. This is because Bertie is the entity that determines the purposes and means of the processing of personal data.
Then there’s Nutmeg, who works for Nutmeg Accounting. She processes Bertie’s payroll. Nutmeg in this scenario is also a ‘data processor’, because she processes data on behalf of the data controller - on behalf of is the key wording here.
Finally, there’s KeyBot - the payroll automation system that Nutmeg uses to crunch the payroll numbers, generate payslips and submit the HMRC filings. He’s known here as a ‘sub processor’, because he’s being used by the data processor to process the data.
Note: in the real world, these scenarios can get a lot more complicated and it can get complicated quickly. I’d really encourage you to spend some time understanding the relationships within your payroll structures to ensure that all the parties involved are clear on what their roles are in the post GDPR world.
The second responsibility is about giving individuals more rights over the data being stored on them. And when it comes to the individual’s rights, I want to focus on “the big three”:
- The right to be informed - they’re entitled to know what you’re doing with their data
- The right to be forgotten (erasure)- they’re entitled to ask for you to remove data you own on them
- The right to access - they’re entitled to ask for all data you have on them
So to be clear, these are all rights that employees are entitled to under GDPR and as payroll professionals, we are now responsible to meet the rights of these employees.
With that in mind, here’s 3 things to think about:
- Have you and your clients made it really clear what data you’re collecting on your employees and what you’re using it for?
- What would you do if an employee asked for you to delete all the data you had on them? Now a lot of bureaux tell me that they’re covered by legislative precedence, but ICO makes it clear that the right to be forgotten applies once the personal data is no longer necessary for its original purpose… so thats things like timesheets, leave requests, CVs and all the peripheral data we collect on employees that we don’t need to keep after we’ve processed pays,
- How easy would it be for you to give an employee access to all the data you have stored on them if they asked for it?
These are real rights that will have real impacts on payroll, so we need to be thinking about how we’re going to handle these scenarios.
Things to consider when processing pays under GDPR
Changing way we move and share data has the potential to change the way we’re responsible for that data, even if we’re not the ones that caused the breach. Let’s look at a payroll specific scenario that will help bring this to life:
Let’s go back to Nutmeg the accountant. One Friday, Nutmeg receives a spreadsheet of timesheets from a client via email. It includes specifics on employee names, pay, time worked and other identifiable data. Nutmeg does what she usually does: she updates the time worked for each employee using cloud payroll software, and payslips are then emailed back to the client for distribution. Job done - Nutmeg’s checked out and off for a pint at the local Wetherspoons.
Post-GDPR the way Nutmeg does her normal job will change in a few ways:
1. Common practices
Email distribution of payslips may no longer be considered secure, so looking towards an all encompassing employee self-service portal where employees can access their payslips and personal information is key. Even outside of GDPR, finding a solution that takes care of this for you automatically can save your bureau time, money and effort, and a huge reduction in emails and manual data entry.
2. The way to transmit employee data
Nutmeg will also need to look at the way she’s sharing this data. Gone are the days of sending over an Excel document or emailing payslips. Are you encrypting the data in transit? How is it encrypted? Is the data also secure behind a firewall even when you’re not sending it onto a third party? Each of these questions will need to be answered by your business and an action plan put in place for GDPR.
3. The systems she uses
Nutmeg will now need ensure that any tools or systems she uses such as the cloud payroll software are GDPR compliant, and the information she shares is vital to processing the pay. Are you using a fully compliant software? If not, you’ll need to find a new solution.
GDPR provides us with some great opportunities to engage with our clients, streamline our processes and provide additional value in the services we provide. You can take this time to look at your processes, evaluate what’s working, what systems could be enhanced and where you can change the way you work and pay. If you change your thinking and see GDPR not as a burden, but as an opportunity to evaluate your current data policy, the systems and tools you use and the way you interact with your clients, you be in a far better position to retain your customers and grow your business.
I’m by no means a legal expert, but I’m a stickler for compliance and ensuring my own clients have the right tools for their business. If you’re interested in chatting further about KeyPay, check out the free trial.