Changes to payroll processes with the introduction of GDPR

1 March 2018

As you are now probably already aware, on 25 May 2018 GDPR (General Data Protection Regulation) comes into play.

GDPR is a comprehensive regulation that unifies data protection in all EU countries.  Non-compliance can lead to severe consequences. Fines may amount to a maximum of EUR 20 million, or 4% of global annual turnover. GDPR requires organisations to implement reasonable data protection measures to protect the personal data of consumers and employees against data loss or exposure.

The rules stipulated by GDPR must be adhered to. It is no longer best practice but a minimum of what is required. With this in mind, we urge you to get up to speed with what is required of you, and take note of the points below that will directly affect your interaction with us.

  • One of the main changes within GDPR focuses on whether information that you hold is relevant, if it isn’t then you should not keep it. This will ultimately change some of the information that we receive – if we do not need to see it then it should not be sent. Examples of what we don’t need to receive include:

a. Employee sick notes – as your payroll processor, we do not need to know why an employee is off sick, only the dates of their sickness;

b. Settlement agreements and employment contracts – we should not be privy to the information held in these documents. For settlement agreement payments we only require the different pay figures and how they should be shown on a payslip. With regards to employment contracts, the only information needed is the employee’s remuneration package.

c. Employee ID documents – for any new employees, the only information we require is a new starter form, bank details and an employment statement.

d. Any additional documents that you may send that are not relevant to process employees pay.

  • Another requirement of GDPR is that employees must be told when their information is being passed to a third party, what data is being passed over and for what purpose. As we are a third party you must inform each employee that their personal data is being sent to UHY for the purpose of payroll processing.
  • Currently, it is common for employees to have their salary paid in to someone else’s bank account. However, under GDPR this won’t be possible unless you have the authorisation of the account holder. You will also be required to inform this individual of where their data is being sent and how it will be processed. If any members of staff currently have their payments made into another person’s account then you will need to ensure that you have permission from the account holder ahead of GDPR coming into force.
  • Information sent via email is no longer secure unless the email is encrypted. To resolve this, we will be introducing a portal system with our new payroll software. To find out more about the new system please click here.

Should you have any questions about this blog or about how GDPR affects payroll, please do not hesitate to contact myself or your usual UHY adviser.