1. The webinar covered how GDPR affects payroll processing and compliance. Personal employee data must be collected and processed lawfully, securely stored, and deleted after the required retention period.
2. Under GDPR, contracts are required between data controllers and processors. Payroll bureaus should work with clients to ensure data processor agreements are in place that outline each party's obligations regarding employee data.
3. In the event of a data breach, businesses must notify the Data Protection Commissioner within 72 hours if the breach poses a risk to employees. Non-compliance with GDPR can result in substantial fines.
3. Webinar Agenda
• What does it mean for payroll processing?
• Understanding GDPR
• The contract between accountants & clients
• Template Data Processor Agreement
• Proof of compliance
• Securely storing employee data
• Payslips & GDPR compliance
• Employee consent
• Emailing payslips
• Recommended self-service access
• Breaching GDPR
• Data breach plan of action
• Non-compliance and penalties
• Thesaurus / BrightPay & GDPR
• Connect: Self service portal
• Enhanced security measures
6. An Introduction to GDPR
• Protects the personal data and privacy of EU citizens
• An update to the current legislation - Data Protection Act 1998
• Applies to ALL companies – including SMEs, sole traders, etc.
• Article 30 – Technical & Organisational measures
• Accountability – prove compliance
7. 6 principles of Data Protection under GDPR
• Personal data shall be:
Processed lawfully, fairly and in a transparent manner
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary
Accurate, kept up to date and rectified without delay where necessary
Kept in a form which permits identification of data subjects for no longer than is necessary
Processed in a manner that ensures appropriate security of personal data
8. New and Enhanced Rights for Employees
• The most significant development with GDPR for employers is
the emphasis on transparency and accountability
• GDPR also introduces new and enhanced rights for employees
• The right to be informed
• The right to access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making
10. How does GDPR affect payroll processing?
• Businesses must ensure that their data will be processed
securely and responsibly under GDPR
• An updated security process is required to protect the personal
data that we manage
• Changes to the way we currently process, manage and store
individuals' personal data
12. How does GDPR affect payroll processing?
• Provide employees with a privacy notice setting out information
about how their data is managed
• How long will data be held for? How will it be used?
• Employees can request access to personal information that is held
on them
• Employees can request to have it rectified and, in some cases,
request for it to be deleted
14. Understanding GDPR
1. Data Management: Payroll and personal data must be
processed lawfully, fairly and in a transparent manner.
- Employee data must be collected for the legitimate purpose of
completing the payroll
- All data must be kept up-to-date and only be used for processing the
payroll
- Payroll data needs to be protected and secured against loss, damage,
unlawful access and cyber attacks
15. Understanding GDPR
2. Data Processing: Data processors can lawfully process data on
behalf of the data controller as long as a written contract is in
place.
- This contract represents a legal obligation for the data processor to
have access to the data in order to complete the payroll
- The GDPR legislation sets out requirements regarding what must be
included in the contract between a payroll bureau & the client
16. Understanding GDPR
3. Transferring Data Internationally: It is prohibited to send
employees' data outside the European Economic Area.
- It is prohibited to send employees' data outside the European
Economic Area unless that country provides an adequate level of
protection for the rights of individuals in relation to their personal data
- Transferring employees' data outside of the EU requires extra
caution and must meet the specific criteria set out in the GDPR
regulations
17. GDPR Preparation
• Have you reviewed and updated current data protection policies?
• Check with current software providers, data processors and
contractors - you will likely need to update or amend certain
contracts with your third party contractors or vendors
• Keep a record of how you are storing this information and for
what purpose, should you ever be audited or reported
18. 7 Step Preparation Guide
• Data Inventory
• Policies & Contracts
• Capturing Consent
• Governance
• Security
• PIAs & Data by Design
• Advise your Clients
19. GDPR Compliance
• If you are audited, you may need to provide certain information to
prove your GDPR compliance:
• Businesses should keep a record of how they are securely
protecting the data that they process and manage
• Agreed Contract
• Fulfilling the Contract
• Legitimate Reason
20. Securely Storing Employee Payroll Data
• Password protect computers that hold
personal data
• Password protect software applications
that hold personal data
• Password protect or encrypt payslips
and other documents that may be
emailed to employees
21. Retention Periods for Personal Data
• Personal data may only be kept for no longer than is necessary for
the purpose for which it was processed
• Businesses should consider statutory retention periods, individual
business needs and data protection principles
• According to guidelines, you should keep payroll records and
payslips for up to 6 years from the end of the tax year they relate
to
23. Employee Consent
• Consent is not needed from individual employees
• If payroll is outsourced, the employer will need to inform employees
that their personal information is being shared with a third party
• The employer must ensure that their payroll bureau or accountant is
taking action to protect their employees’ payroll information
• An employee cannot withdraw their consent for their personal data
to be used as part of the payroll processing
24. Posting Payslips
• There is nothing in the GDPR legislation that states it is no longer
permissible to post payslips
• Posted payslips must include appropriate security measures to
protect the payslip
• Examples include using security payslip envelopes, marking the
envelope as ‘Private and Confidential’ or using registered post
25. Emailing Payslips
• There is nothing in the GDPR legislation that states it is no longer
permissible to email payslips
• Steps should be taken to securely protect each employee’s payslip
• Password protect payslips with a password that is uniquely
chosen by the employee
• It is recommended (but not mandatory) to offer a secure self-
service portal to securely send and store payslips
27. Recommended Self-Service Option
• Password protected for each employee
• Provides flexibility and full transparency for employees to retrieve
and update their information at any time
• Employers can login and view payslips, payroll reports and
amounts due to Revenue
• Distribution of payslips and reports is automated, and they are
automatically made available to employees
29. Data Processor Agreement
• Whenever a data controller uses a data processor there needs to be
a written contract in place
• Controllers are liable for their compliance with the GDPR and must
only appoint processors who can provide ‘sufficient guarantees’ that
the requirements of the GDPR will be met
• Data processors will have some direct responsibilities and may be
subject to fines or other sanctions if they don’t comply
30. Data Processor Agreement
• The onus is on data controllers to ensure contracts are in place
with third party data processors
• Payroll bureaus should aim to take an active role in educating
their clients about GDPR
• It would be well advised to approach clients and instigate putting
the appropriate contracts in place
31. What does this contract look like?
• To comply with the new requirements under GDPR bureaus could
either:
• Draft new Terms of Service / EULAs / Engagement Letters for
each client to include the new GDPR requirements
• Where you have an existing contract in place you could issue an
Addendum to this contract covering the new GDPR requirements
• Template Data Processor Agreement (DPA)
32. Written Contract
• Under previous data protection laws:
• Contracts were required to be in writing
• They required the data processor to only process data on the
instructions of the data controller
• Appropriate measures needed to be taken to keep all personal
data secure
33. Contract requirements under GDPR
• Under the GDPR the contract requirements are wider. Contracts
must now set out:
• The subject matter and duration of the processing
• The nature and purpose of the processing
• The type of personal data and categories of data subject
• The obligations and rights of the controller
34. Contract requirements under GDPR
The processor must:
• Only act on the written instruction of the controller (unless
required by law to act without such instruction)
• Ensure that people processing the data are subject to a duty of
confidence
• Take appropriate measures to ensure the security of processing
35. Contract requirements under GDPR
The processor must:
• Only engage a sub-processor with the prior consent of the data
controller and a written contract
• Assist the data controller in meeting its GDPR obligations in
relation to the security of processing, the notification of personal
data breaches and data protection impact assessments
36. Contract requirements under GDPR
The processor must:
• Submit to audits and inspections
• Provide the controller with whatever information it needs
• Tell the controller immediately if it is asked to do something
infringing the GDPR or other data protection law
37. Contract requirements under GDPR
• The contract must include end of contract provisions in order to
ensure the continued security of the personal data
• The processor must delete or return all personal data to the
controller as requested at the end of the contract
• An exemption applies where the data processor is required by law
to retain data
39. Data Breach Plan of Action
• A personal data breach - the ‘accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data’
• A business must determine the level of the breach’s severity and
the risk it could present to an individual's rights and freedoms
• If it is considered a risk then you must notify the Office of the
Data Protection Commissioner (DPC) within 72 hours of becoming
aware of it
40. Data Breach Plan of Action
• If there is no risk then you do not have to report it
• Businesses that do not report a breach should keep a record of
their decision not to report it, document their reasons and be able
to justify that decision
• Failing to report a breach can result in an investigation and/or
penalties
41. Data Breach Plan of Action
• It is important to have suitable procedures in place to notify the
regulator where breaches have been reported and identified
• Inform all staff of the correct procedure to follow should a
breach occur
• Individuals also have the option to file a class action lawsuit if a
business does not comply with GDPR
42. Non-Compliance & Penalties
• There are significant fines and penalties for businesses that
breach the GDPR legislation: €20 million or 4% of a business's
turnover
• The fines are designed to punish any business that wilfully
ignores their GDPR obligations
• Fines can be mitigated against if there is evidence that shows that
a business has prepared and worked towards GDPR compliance