The EU’s General Data Protection Regulations (GDPR), which will be implemented in the UK in May 2018, updates the provisions of the Data Protection Act 1998 (DPA). The changes place greater obligations on organisations, with potential fines for breaches as high as €20 million or 4 per cent of global turnover. Organisations need to act now to prepare for the potential changes to their systems and procedures.
Fortunately, a good payroll software can help with simple and basic procedures to stay compliant:
Privacy by Design
Privacy and data security should be at the core of your software and payroll procedures. A processor might have the permission to view the data, however the default configuration of the system should be to restrict the visibility of the personal data.
The processor must make explicit request to view the data if necessary. The request can be considered, if there is a valid justification to see the confidential data, the processor should be able to lease the data from controller or data protection officer.
Moreover, logs of who viewed what confidential data and when must be logged by the software to make data leak investigation easy. This mechanism prevents the data leaks, but should it happen, these logs make it easy to investigate. Organisations will be able to prove “Privacy by Design” to investigating authority.
Masking of personal data
Masking is an intelligent way of hiding any personal data of an individual that is being processed by the processor. Processor can do the processing and use the information however he should not be able to see the data. For an example they can email the payslip to an employee of the processor however they cannot see payslip or the email address of the employee.
Transfer essential information through the system by encrypting the data in such a way which can be accessed only through the decryption keys or password. Over and above encryption, the sensitive data must be automatically archived or destroyed. This reduces the risk of data loss. Personal data should also be stored in the secure or encrypted format.
Right to information. Right to be forgotten.
Employees have the right to access their information, being processed. Through the employee portal, an employee can easily view all their personal data, request for data change, view documents or even request deletion of personal information, with ease.
Protect vital documents
A system, where essential documents should be password protected and auto destroyed after it has served its purpose. Processor/controller should be able to upload any documents and store the information only for the required period and later destroy automatically. Employee can view essential documents sent by the employer without getting the processor in-between. The controller can control what information can be shared with the processors and the processors can release data which they no longer need.
In order to maintain privacy, processors should be restricted to view any confidential data. There should be a granular roles and permissions. Means everyone sees what they need to see, without compromising the data security and confidentiality. For an example timesheet processor does not need to see payroll data. A software with such roles and permission feature can reduce the data breach risks at the source.
Capture information transparently
A software should be able to capture a starter’s information electronically from controller and/or employees. This increases GDPR compliance because processor only sees the relevant data and at the same time the payroll processing errors are reduced.