The European Union (EU) is about to enforce the most important legislative update to the protection of personal information in our time. The General Data Protection Regulation (GDPR) comes into effect in May 2018. It’s designed to protect the Personally Identifiable Information (PII) of EU citizens. The legislation covers all information that can identify an individual – directly or indirectly.
By Warren van Wyk, director of PaySpace
While the GDPR is EU legislation, its mandate extends to businesses anywhere in the world that interact with EU citizen data. If your business employs people from the EU, or has interests in the EU, it will have to comply. The penalties for non-compliant companies are stiff, with potential fines of €20 million or more.
Your business may not have a foothold in Europe yet – or perhaps not even employ any EU citizens. However, should your company’s plans for the future involve one or the other, or both, it’s best to get your processes in line with the legislation sooner rather than later. That way, when your business is ready to take the next step, you can simply hit play without any delays.
The impact on global HR and payroll teams
GDPR is going to change the payroll landscape quite significantly. Given the data-heavy nature of payroll processes, HR and payroll leaders will have to manage new responsibilities to ensure 100% compliance.
These responsibilities include providing employees and applicants with privacy notices that specify what their data is being used for – and whether it will be transferred outside of the EU. The legislation adds new complexity by stipulating that personal data can only be transferred out of the EU if permitted by GDPR. Should a data breach occur, the HR or payroll manager needs to notify the data protection authorities within 72 hours. Compliance with GDPR can’t simply take place behind closed doors; businesses need to document and demonstrate that their activities comply with the legislation.
Should a company outsource its HR and payroll, the responsibility of ensuring compliance is shared between the company and its outsourced payroll provider. It’s up to the business’s data controller to ensure compliance with the core principles of GDPR, whereas it’s the payroll provider’s responsibility to implement technical and organisational measures to protect data and assist with compliance. This includes making sure that all stored data is encrypted and backed up securely.
Preparing your business for GDPR
Before you can implement GDPR, you need to review your existing payroll process. You need to assess how PII is currently collected, used, stored and destroyed. Investigate who is handling this sensitive information and determine whether they need to access it in order to do their jobs. Complying with GDPR can be overwhelming; reducing the number of employees who have access to sensitive data can make GDPR easier to enforce across your business.
Another benefit of this review process is that it can help identify your business’ priorities and clarify important goals for the future. Rather than gathering any and all information, you can now focus on data that is critical to your business.
Achieving GDPR compliance is a challenge – but it can be done. To make the process easier, make sure your payroll software is secure and that the provider you work with is already GDPR compliant. It also pays to involve your employees from the get-go and encourage their feedback. It’s important that all payroll personnel are up to speed on GDPR and how it impacts their work, as well as the company as a whole.
If you’re still not certain whether the new legislation affects your business, find out now. Do your own research and ask a payroll provider for advice. GDPR is just around the corner, so the sooner you prepare your payroll processes the better.