
Don’t let payroll and HR become your GDPR Achilles heel

on Tuesday, 21 November 2017.

Companies are waking up to the fact that GDPR is real, that it will impact their operations fundamentally, that action needs to be taken now and that there are real and significant penalties for doing nothing.

Beyond that general awareness, we would urge companies to send HR and payroll employees for specific training on how to ensure the data held in those departments is fully compliant with the rules of the GDPR.

Why does this matter?

While awareness that action is required is essential, our main message to customers at the Learn Centre is that GDPR should be approached at a departmental level as well as at a corporate level, so that important details are not overlooked.

As a priority, we would urge organisations to create a dedicated GDPR task force to examine payroll and HR data, as we believe this is likely to be as important an area for non-compliance and litigation as consumer or customer data.

That team will then require training to ensure they are fully conversant both with the new regulation and with how it applies to payroll and HR data specifically.

Organisations that hold high volumes of consumer data are right to focus on this area.

However, employee data poses potentially greater challenges. At the Learn Centre, we liken the extent of employee data to an iceberg – the majority sits beneath the surface, invisible, and potentially posing a risk.

The challenge is that employee data retained in HR and payroll records is often invisibly and unwittingly shared or sought from third parties and devices such as mobile phones.

Many companies may not realise that they are constantly collecting employee data just by equipping a member of staff with a mobile phone that has location services.

A lot of employee data, such as National Insurance numbers and banking details, will be in reasonably regular use and therefore easy to align with the requirements of the GDPR.

But there is so much more.

Employee data is often captured before and after an employee is part of that organisation.

This data could include forgotten references from previous employers, CRB checks, medical records, and information on proof of identity or nationality.

You could be holding details of personal credit and payment cards stapled on to expenses claims, or passport and vaccination details appended to business travel records.

Employees who take childcare vouchers may well retain information on children, a major new area highlighted by the GDPR.

The GDPR also regulates data shared with third parties – benefits companies, travel organisations, company car providers, pension companies among others.

Compliance with the GDPR will require organisations to dig deep through all of this information: to understand what is held and how it is protected, to ensure they have a justification for holding it, and to keep it up to date where required.

Given the complexities of how employee data is sourced, held, managed and shared, this is likely to be a much bigger task than protecting customer data.

From a legal perspective, a disgruntled employee may cause as much damage to an organisation that is not GDPR compliant as an unhappy customer.

That is why it is vital that businesses dedicate resources to mapping and aligning employee data as an immediate priority, and also provide GDPR training to their payroll and HR professionals so that they understand what they need to do to ensure compliance.

Details of our half-day GDPR for payroll course are available on our website.