GDPR and Payroll Compliance in Ireland
GDPR (General Data Protection Regulation) is coming into effect this coming Friday, May 25th 2018.
This means new rules will come into force that have significant implications on businesses and payroll personnel. So how should your company prepare? The Data Protection Commissioner has developed a useful guide that can help you and your organisation prepare for GDPR:
GDPR & Payroll Personnel Responsibilities
HR and payroll employees have a responsibility to ensure that their business is compliant with GDPR and with ever-changing payroll legislation, so that employee and business data remain secure and confidential. Here are some key points to help you prepare:
Deal with the data rights of your employees
With GDPR, employees have extensive rights over the personal data that payroll professionals and departments hold, for example the right of access, the right of correction and the right of erasure. To avoid the risk of dealing incorrectly with employees’ data rights, and thus failing to comply with GDPR (resulting in large fines and damage to your business’ reputation), there are numerous measures you can implement.
For example, to obtain a good understanding of data subject rights under GDPR, develop an intranet page on how you manage workers’ personal data written in clear and plain language that employees will understand, and set up a procedure on dealing with requests from employees.
Complete the data register
GDPR requires organisations to keep a record of data processing activities: you need to know exactly what personal data you process, who is responsible for it and how it is processed, or risk facing hefty penalties (up to 4% of global revenue).
To get a grip on the data held and processed in different departments, businesses should divide their inventory into categories, and assign information owners to each. Owners will need to complete and regularly update the personal data register for their assigned category.
At a minimum, this register should include key information such as identification and contact details of the controller, purpose of the processing and categories of personal data processed.
Implementing an appropriate data retention policy
Once GDPR has taken effect, businesses will need to be explicit about data retention. Existing privacy law already stipulates that personal data may be retained only for as long as is necessary for the purposes of the processing.
GDPR puts more emphasis on this in several ways, including attaching significantly higher sanctions to non-compliance and introducing the right to erasure (the right to be forgotten). Keeping personal data longer than required is now a real liability: so, get rid of it now!
Developing and implementing a data retention strategy for HR records can be challenging. Go through your data register, and list the reasons you have for keeping your data such as legal minimum retention periods, your liability as an employer and services you deliver to your employees based on the data.
Based on these reasons, define the minimum and maximum retention periods for each category of data and have these validated by your legal department. Once complete, sit together with your IT department and your partners to get these requirements implemented. Remember, this process is often far from easy and technology can be a hindrance. Don’t forget your paper-based records.
How will GDPR impact payroll departments?
As any professional in the industry knows, a lot of data is held in HR and payroll departments—including private, financial data. It is therefore extremely important that such departments prepare for GDPR.
With the regulation in play, employees will have several rights on the personal data that payroll teams handle, including right of erasure and right of access. GDPR also demands that businesses must keep an inventory of all activities involving data processing, including all personal data they hold, the owners of this data and how it is processed, to achieve compliance with the regulation.
Additionally, payroll departments will need to carefully consider new data retention policies. Existing data privacy laws already state that organisations can only hold personal data for as long as is necessary for the processing purposes, and no longer. GDPR takes this further: as well as introducing the right to erasure (the right to be forgotten), it means businesses that do not comply will face heavier penalties than ever before.
HR and payroll departments, and businesses overall, need to ensure that any data they hold is compliant and protected according to the regulation’s specifications. Don’t forget third-party relationships either: with GDPR in play, you are liable as a data owner if you cannot guarantee that all third parties, such as business partners, are GDPR compliant.
Clear Group is a payroll outsourcing company based in Dublin, Ireland and is fully GDPR compliant. To ensure your company’s payroll compliance and for expert support, contact Clear Group today.
Call us on +353 1 968 0663 or email firstname.lastname@example.org