The General Data Protection Regulation or GDPR is due to come into force in the UK on May 25th 2018 and will bring about several changes in how organisations need to deal with personal data. Even though the UK is leaving the EU, employers still need to take steps to be compliant with the new regulations because they come into force before Brexit. So what steps need to be taken with regards to payroll?
What is GDPR?
The new laws are a major update to the existing rules on data protection and are designed to address some of the changes of recent years, including the accelerated growth of digital technology and the trend towards globalisation. They are aimed at strengthening and unifying data protection for people living across the EU.
As well as affecting companies based in the EU, it will also apply to any company that processes the personal data of EU citizens in relation to goods, services or even the monitoring of their behaviour.
GDPR for employers
There are a number of changes that will specifically affect employers and their HR departments that mean they need to change their policies regarding the processing and handling of employee data to ensure compliance.
One of these changes is the idea of ‘data protection by design’, which means employers need to make the consideration of data protection risks a key part of their operating policies, processes, products and services. There is also ‘data protection by default’, which means that only the personal data required for each specific purpose should be collected from someone.
Consent is another big concept in GDPR. There is some question about the idea of employers processing personal data on the basis of employee consent, given the imbalance of power in the relationship between the two. In the future, there will need to be an assurance that consent is given by employees and that it is ‘freely given, informed, specific and explicit’.
GDPR and payroll
With a specific view towards payroll, there are two main elements that businesses need to be aware of. The first is around what to do if employees ask for data and the other is around the storage of that data.
Employees can ask for all personal data that their employer holds on them, and when they ask for this it must be presented to them as quickly as possible. The business is also required to securely store all data that it holds on employees and to be able to demonstrate that this is the case.
For companies with large amounts of sensitive data held about employees, it is wise to have a Data Protection Officer who oversees the process and ensures that the company is compliant with all aspects of GDPR.