As a payroll professional you already have plenty to think about. Paying people accurately and on time takes a little bit of work, and quite a lot of data. Data which has to be stored, processed and handled with care.
Whether you manage payroll in-house or outsource it to a payroll provider, you’ve got to be sure that all that personal data is safe, and that you’re working in line with UK GDPR.
Where does the UK GDPR fit into payroll?
There are rules you have to comply with when handling personal employee data through your payroll. It’s all set out in the General Data Protection Regulation (GDPR).
In this article we’ll give you the lowdown on payroll and UK GDPR to put the “Gee, that’s simple” into GDPR.
The key principles of UK GDPR
- Lawfulness, fairness and transparency: As long as you follow UK GDPR guidelines the way you collect, process and hold data should be lawful and fair.
- Purpose Limitation: You’re clear about why you need data and what you’re going to do with it.
- Data minimisation: You only process data that’s relevant and collect only what you need.
Accuracy: You keep data up-to-date and accurate. Always!
- Integrity and confidentiality: Unlawful and unauthorised processing is a big no no. You process everything securely to protect against damage, loss or destruction of data.
- Accountability: You’re always monitoring for compliance. Good tech and watertight policy will help you to do this.
How these principles relate to payroll activities
Funnily enough, these key principles align closely with how a good payroll department should be run.
To find out how the UK GDPR impacts your payroll department, start by looking at how you currently do things. Then ask yourself some pertinent questions to determine if you’re complying with UK GDPR. Oh, how we love compliance!
Let’s start with data collection.
Data collection, processing and storage
- Do your people know what data they actually should collect?
- Is the data you collect actually necessary / do you need all of it?
- Have you taken necessary steps to avoid data breaches (and are you prepared for if one happens and what to do about it?)
- What are your processes for updating or removing data that’s inaccurate or expired? Do you even have one?
- What systems do you have in place for compliance with UK GDPR?
- Is your data secure? How do you protect personal data?
- Are your people able to access their data?
- What data are you storing?
- Are you storing personal data purely for the purposes for which it’s necessary and nothing else?
- Have you established the lawful basis for the collection of personal data?
Employee data and UK GDPR compliance
Data is what makes the payroll world go round. So, what do you have to do to make sure UK GDPR and payroll compliance is all above board? Let’s start with the data you may hold on your employees. That’s everything to do with your teams and what and how to pay them, such as:
- Full names of employees
- Addresses
- Bank account branches, numbers and sort codes
- Tax codes
- Salary information
- Number of hours worked
- Leave entitlement
- Benefit payments
Different categories of personal data
So, what constitutes “personal data” under the UK GDPR? It’s easy. Personal data is information that can be used to directly or indirectly identify an individual. This includes basic data such as name and location, but also a range of other factors such as their cultural or social identity. An example… David Smythe is 52, lives in Sidebottom Street in Slough and is a practising Christian. All of that? Personal data.
Special category data
But, like any aspect of compliance, it goes a little bit further. Here are some additional categories of data laid out by the UK GDPR that are considered sensitive, and as such are afforded extra protection:
Data concerning:
- Health information
- A person’s sex life or sexual orientation
- Biometric data
- Genetic data
Extra protection is also afforded for personal data that reveals an employee’s:
- Race / ethnic origin
- Political leanings
- Religious beliefs
- Trade union membership
Employee Rights and UK GDPR
Under UK GDPR, employees have individual rights granted to them. Things like being informed that you’re collecting and processing their data and your purposes for doing so, how long you’ll keep their data and who you might share it with. This is known as “privacy information” and when you’re collecting data, you have to inform them at the time.
Access: Your staff can exercise their right to access any data of theirs you hold (as well as any other information). This request can be made in writing, via social media or verbally and is known as a Subject Access Request (SAR).
Correct inaccuracies: People have the right to have incorrect or inaccurate information about their data changed.
Restrict processing: Your employees can ask to restrict your processing of their data. It’s circumstance-dependent, but gives an individual the right to limit how you uses their personal data
Be forgotten: Your people can ask for their “right to be forgotten.” This is where any data you hold on them is deleted.
How should you handle employee data subject requests?
Your people (and in some cases, third parties) have a right to access the information you hold on them.
If they ask to access their data, you have to respond to the request within one month. But this can be extended to 3 months if a request is particularly complex (make sure you extend within the first month, though).
Present data in a clear way that’s easy to use and understand. Make sure that you share that data securely too – you don’t want any breaches at this point.
You can refuse requests in certain circumstances, for example if an exemption or restriction is applied to that case, or if the request is unreasonable (if it’s excessive, for example).
UK GDPR and payroll data done right
One vital role (amongst many!) for your HR department is to make sure your payroll data is kept safe and secure. Your people are placing a huge amount of trust in you to keep their personal data under lock and key. It’s key then to make sure you’ve got robust systems, both at an organisational level and technical level.
Robust internal controls for your payroll are vital to protect your data. They prevent anyone from accessing private data and help you to stay compliant. Here are some of the things you need to think about:
Software security: Your payroll software must protect you against potential breaches. Is security inbuilt? Are they UK GDPR compliant? What are their policies and can you see evidence of it? Are they ISO 27001 certified? Make sure your files are securely encrypted and everything is up to date.
The UK GDPR and consent: You’ll need to get clear on what constitutes your lawful basis for processing your employee’s data. Consent is just one of these bases. If in doubt, it’s best to ask.
Data transfers and third Parties: In a global organisation, you might need to move data outside of the EEA. However, the UK GDPR doesn’t discriminate, and no matter where the data goes, the protection does too. You’ll need to be familiar with how data can and should be moved.
Third-party payroll providers or sharing data with other entities: If you engage a third-party payroll provider, it’s up to you to make sure they’re watertight. Do your research and make sure that your provider has (more than) adequate security in place.
The UK GDPR has your back when it comes to payroll providers because it has certain requirements of third-party processors. and that at the end of a contract, data is given back to you or securely destroyed.
Retention and disposal of payroll data
There aren’t any hard and fast rules as to how long you should retain personal data. Generally, you should only keep the data for as long as you need it. For example, if it’s necessary to hold onto the data for the period of an employee’s employment, you should then get rid of it after they have left your organisation.
Most types of data under the UK GDPR should be destroyed after 6 years (after the end of the current tax year). Of course, this isn’t a one-size-fits-all approach, and it all depends on the kind of data and what it’s used for.
Retention periods for different types of data
- UK GDPR and payroll data: It’s a safe bet to get rid of it as soon as possible. Doing so will showcase your commitment to the UK GDPR. However (there’s always a however…), you must
- Data from the recruitment process: It’s a good idea to keep any data from the hiring process for up to 6 months after your dealings with any applications. That’s because in this time period applicants can make a claim against you if they see fit.
- Employee records: Keep any employee records for 6 years, depending on what data is involved. It seems like a long time, but doing so can help to defend your organisation if any legal proceedings are brought against you by the data subject. Employee records can include contracts, information on performance and anything else relating to their work for your organisation.
Software can help…
If you want to keep your payroll in-house, then payroll software will give you everything you need to ensure accuracy, efficiency, compliance and control in your business. Even better, using a UK GDPR compliant software is a great way to adhere to the UK GDPR without having to shoulder the burden yourself.
GDPR and payroll can be a breeze!
There’s a lot to get your head around here and we get it. That’s why outsourcing your payroll, along with HMRC and UK GDPR headaches, can make your life much easier. Cintra Pay and Cintra Cloud’s payroll services are always up-to-date and will keep you compliant across your entire payroll cycle.
Fancy letting us ease the burden? It’s what we do best. Get in touch today to see how we can help you shine.
Payroll Legislation Guide
The facts, figures, thresholds and allowances for 2024/25 spanning tax, National Insurance, pensions, statutory payments and more.
