GDPR implications and solutions for Accountants and Payroll Processors
Aashiel Shah
The EU’s General Data Protection Regulation (GDPR), which applies in the UK from 25 May 2018, supersedes the provisions of the Data Protection Act 1998 (DPA). The changes place greater obligations on organisations, with fines for breaches of up to €20 million or 4% of annual global turnover, whichever is higher. Organisations need to act now to prepare the changes to their systems and procedures.
Fortunately, good payroll software can support a few simple procedures that help you stay compliant:
Privacy by Design
Privacy and data security should be at the core of your software and payroll procedures. A processor may be permitted to view personal data, but the default configuration of the system should restrict its visibility. The processor must make an explicit request to view the data when it is needed; if there is a valid justification, the controller or Data Protection Officer can grant temporary access to the confidential data. Moreover, the software must log who viewed which confidential data and when. This mechanism reduces the chance of a data leak, and should one happen, the logs make it easy to investigate. Organisations will also be able to demonstrate “privacy by design” to the investigating authority.
Masking of personal data
Masking is a practical way of hiding the personal data of an individual from the processor who is processing it. The processor can carry out the processing and use the information, but cannot see the underlying data. For example, they can email a payslip to an employee without being able to see the payslip or the employee’s email address.
Sensitive information should be transferred through the system encrypted, so that it can be read only by someone holding the decryption key or password, and the keys should be kept separate from the data they protect. On top of encryption, sensitive data should be automatically archived or destroyed once it has served its purpose; this limits the impact of any data loss. Personal data at rest should likewise be stored in encrypted form.
Right of access. Right to erasure (right to be forgotten).
Employees have the right to access the information being processed about them. Through an employee portal, an employee can easily view all their personal data, request a correction, view documents, or request deletion of their personal information. Note that a deletion request has to be weighed against the statutory retention obligations that apply to payroll records, so the system should record the request and the decision rather than deleting unconditionally.
Protect vital documents
Essential documents should be password protected and automatically destroyed once they have served their purpose. The processor or controller should be able to upload any document, keep it only for the required period, and have it destroyed automatically afterwards. An employee can view essential documents sent by the employer without the processor in between. The controller decides what information is shared with the processors, and the processors can release data they no longer need.
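The encryption and retention points made above (in the second paragraph under Masking of personal data and in this section) in working code, as an added example that is not part of the original page and not Brain Payroll’s code. It is a small document vault in Go: each document is encrypted at rest with AES-256-GCM under a key the controller holds, stored together with a retention deadline, refused and deleted once that deadline passes, and releasable early by the processor. The document identifiers, retention periods and contents are constructed; the password protection mentioned in the text is replaced by a random key, since a vault like this should rest on managed keys rather than a user-chosen password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

var (
	ErrNotFound = errors.New("no such document")
	ErrExpired  = errors.New("document past its retention period")
)

// storedDoc is the at-rest form: ciphertext and metadata, never plaintext.
type storedDoc struct {
	nonce      []byte
	ciphertext []byte // AES-GCM output, authentication tag included
	expires    time.Time
}

// DocumentVault keeps documents encrypted under one controller-held key and
// enforces a retention deadline on each of them.
type DocumentVault struct {
	aead cipher.AEAD
	docs map[string]storedDoc
	now  func() time.Time // injectable clock so retention can be tested
}

// NewKey returns a fresh 256-bit AES key. In production it belongs in a KMS
// or HSM, not in the same store as the ciphertexts.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func NewDocumentVault(key []byte, now func() time.Time) (*DocumentVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &DocumentVault{aead: aead, docs: map[string]storedDoc{}, now: now}, nil
}

// Put encrypts plaintext under a fresh random nonce and records the expiry.
// The document id is bound as additional authenticated data, so a ciphertext
// copied to another id will not decrypt.
func (v *DocumentVault) Put(id string, plaintext []byte, retain time.Duration) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, plaintext, []byte(id))
	v.docs[id] = storedDoc{nonce: nonce, ciphertext: ct, expires: v.now().Add(retain)}
	return nil
}

// Get decrypts a document still within retention. Past the deadline the
// record is deleted and ErrExpired returned, even if Purge has not run yet.
func (v *DocumentVault) Get(id string) ([]byte, error) {
	d, ok := v.docs[id]
	if !ok {
		return nil, ErrNotFound
	}
	if !v.now().Before(d.expires) {
		delete(v.docs, id)
		return nil, ErrExpired
	}
	return v.aead.Open(nil, d.nonce, d.ciphertext, []byte(id))
}

// Purge deletes every expired document and reports how many; run it on a schedule.
func (v *DocumentVault) Purge() int {
	n := 0
	for id, d := range v.docs {
		if !v.now().Before(d.expires) {
			delete(v.docs, id)
			n++
		}
	}
	return n
}

// Release lets a processor discard a document it no longer needs before the deadline.
func (v *DocumentVault) Release(id string) bool {
	_, ok := v.docs[id]
	delete(v.docs, id)
	return ok
}
```

Two design choices are worth keeping when adapting this. The retention check sits in Get as well as in Purge, so a document that has outlived its purpose is unreadable the moment the deadline passes rather than whenever the scheduled job next runs. And because the ciphertext is useless without the key, destroying the key (sometimes called crypto-shredding) is the way to cover copies that live in backups, which deleting the record alone never reaches.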
To maintain privacy, processors should be restricted from viewing any confidential data they do not need. There should be granular roles and permissions, so that everyone sees only what they need to see without compromising data security and confidentiality. For example, a timesheet processor does not need to see payroll data. Software with such a roles and permissions feature reduces the risk of a data breach at the source.
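The three mechanisms described under Privacy by Design, Masking of personal data and this section (default-deny visibility per role, masking of what a role may not see, and an audited explicit request to reveal a field) fit together in one small model. The following Go code is an added example, not the original page’s content and not Brain Payroll’s implementation; the role names, the employee record layout, the sample employee and the Outbox stand-in for a mail system are all constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Employee is a constructed sample record; the field set is an assumption.
type Employee struct {
	ID, Name, Email, NINO string
	Salary                int     // annual, in pence
	Hours                 float64 // timesheet hours this period
}

type Role string
const (
	RoleTimesheet Role = "timesheet_processor"
	RolePayroll   Role = "payroll_processor"
	RoleDPO       Role = "data_protection_officer"
)

// unmasked lists the fields each role sees in the clear; anything else is masked (deny by default).
var unmasked = map[Role]map[string]bool{
	RoleTimesheet: {"ID": true, "Hours": true},
	RolePayroll:   {"ID": true, "Hours": true, "Salary": true},
	RoleDPO:       {"ID": true, "Name": true, "Email": true, "NINO": true, "Salary": true, "Hours": true},
}

// AuditEntry records every reveal of a masked field: who, what, when and why.
type AuditEntry struct {
	When                            time.Time
	User, EmployeeID, Field, Reason string
	Role                            Role
}

type PayrollSystem struct {
	Employees map[string]Employee
	Audit     []AuditEntry
	Outbox    []string // constructed stand-in for the mail system
}

func fields(e Employee) map[string]string {
	return map[string]string{"ID": e.ID, "Name": e.Name, "Email": e.Email, "NINO": e.NINO,
		"Salary": fmt.Sprint(e.Salary), "Hours": fmt.Sprintf("%.1f", e.Hours)}
}

// mask keeps just enough of an e-mail address to confirm the right record; other fields are hidden outright.
func mask(field, v string) string {
	if at := strings.IndexByte(v, '@'); field == "Email" && at > 0 {
		return v[:1] + "***" + v[at:]
	}
	return "***"
}

// View returns the record as the role may see it; nothing confidential is shown, so nothing is logged.
func (p *PayrollSystem) View(role Role, id string) (map[string]string, error) {
	e, ok := p.Employees[id]
	if !ok {
		return nil, errors.New("no such employee")
	}
	out := map[string]string{}
	for name, v := range fields(e) {
		if !unmasked[role][name] {
			v = mask(name, v)
		}
		out[name] = v
	}
	return out, nil
}

// Reveal is the explicit request for one masked field: it needs a reason and DPO approval, and every grant is logged.
func (p *PayrollSystem) Reveal(user string, role, approver Role, id, field, reason string) (string, error) {
	if strings.TrimSpace(reason) == "" || approver != RoleDPO {
		return "", errors.New("reveal needs a justification and DPO approval")
	}
	e, ok := p.Employees[id]
	v, known := fields(e)[field]
	if !ok || !known {
		return "", errors.New("no such employee or field")
	}
	p.Audit = append(p.Audit, AuditEntry{time.Now(), user, id, field, reason, role})
	return v, nil
}

// SendPayslip is processing without seeing: the system addresses the mail itself and returns only what the role may see.
func (p *PayrollSystem) SendPayslip(role Role, id string) (string, error) {
	e, ok := p.Employees[id]
	if !ok {
		return "", errors.New("no such employee")
	}
	p.Outbox = append(p.Outbox, e.Email) // clear address used internally only
	if unmasked[role]["Email"] {
		return e.Email, nil
	}
	return mask("Email", e.Email), nil
}
```

The point of the shape is that the default path (View, SendPayslip) never returns a confidential value to a role that is not on the allow list, while the exception path (Reveal) cannot be taken silently. For the log to be worth anything in an investigation, the Audit slice has to be written to append-only storage that the processors themselves cannot edit.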
Capture information transparently
The software should capture a new starter’s information electronically from the controller and/or the employee. This supports GDPR compliance because the processor only ever sees the relevant data, and at the same time payroll processing errors are reduced.
We have found Brain Payroll to be one product that implements most of the guidelines above: data is kept secure and only the relevant person sees it. You can see it in action at AccountEx, Booth No. 131, on 23 and 24 May 2018.