GDPR - What does it mean for HR and Payroll?

Published on

As you’ll no doubt be aware, GDPR is fast approaching and it’s set to bring the biggest change to UK Data Protection laws in over twenty years. With less than four months to go, GDPR should be at the forefront of any SAP user or business’ mind. Here, we’ll take a look at its potential impact on HR organisations and departments, and in particularly those dealing with payroll.

The basics of GDPR

Before we delve too far into the implications and specifics, let’s take a look at the key facts and changes GDPR is set to bring. From 25th May 2018, GDPR will replace the current Data Protection Act 1998. This new regulation will harmonise data protection laws across the EU (yes, UK businesses still need to comply despite Brexit), taking into account globalisation and the ever-changing technology landscape. The increasing threat of cybercrime is also a key factor.

If you’re a company that processes the personal data of individuals in the EU, then GDPR will apply to you. The most substantial implication is the resulting penalties that are set to be imposed for those who breach GDPR. Significant fines of up to €20 million or 4% of the company’s annual turnover could potentially be the damage.

GDPR isn’t just about customers

While much attention has been placed on complying with GDPR in relation to external data, it’s also crucial to remember that the new regulation extends to the data you hold on your employees. This is why it’s imperative HR teams are aware and complying with GDPR.

Understanding HR data and optimising systems

With the introduction of GDPR, employees will have stronger rights when it comes to requesting what data their company holds and where. This isn’t just about payroll information, it’s also about HR records, interview submissions, expenses claims and even sickness absence. These are all likely to be stored across different systems and desktops, and in some cases different physical locations.

From the end of May, employers may be requested to provide much more detailed information than was previously accepted under the Data Protection Act 1998. GDPR could result in your employers requesting any of the following:

  • How long will my personal data be stored for?
  • From recruitment to payroll, expenses and medical information, what data do you hold on me?
  • How do you keep my data secure?
  • I would like to opt out of data-driven marketing and not have my information for research.

You need to be confident you could answer the above in a timely and efficient fashion. Ensuring you understand what exact data you hold, where it can be found, and how you can prove to employees their requests have been actioned, is essential. The same can be said for reviewing, optimising and organising your data request policies. More about that below.

Preparation holds the key to GDPR compliance

Despite GDPR not coming into force until 25th May, you should already be in the process of making preparations for this major industry reshape. Reading and understanding as much as possible on the subject is a solid starting point. We’re all in the same boat in preparing for GDPR, so rest assured you’re not alone. There’s thousands of articles out there that will provide advice and guidance for your specific role, team or organisation.

As stated previously, ensuring all those within your HR department know how to manage personal data and process requests is absolutely crucial to GDPR compliance. Similarly, it’s never been more important than now to ensure that any changes or updates to policies are clearly communicated to your employees. This should cover guidance so your employees know how and where to issue a data request, who will deal with it and how and when it will be dealt with.

As already touched on, you will be required to keep an inventory of the personal data you process. Importantly, each category of this data (payroll, recruitment, expenses etc) must have its own assigned information owner. If you run a centralised data register, have the information owners complete the personal data register and keep it updated.

Data retention is another key aspect that needs to be consider prior to GDPR’s introduction. Creating and enforcing a strategy relating to data retention will help go a long way to compliance. While this can be a complicated process involving different desktops, drives or physical paper records, it will really help you respond accurately and confidently to requests.

As the current privacy laws already enforce, personal data can only be retained for a period that’s necessary for the data processing purposes. This will continue to be the case under GDPR, so consider listing the reasons you have for retaining data, including minimum retention periods and your liability as an employer. You can check the specifics of these with your legal department, but once these have been considered, you’ll be in a position to define the minimum and maximum retention periods for each data category. Again, double check and validate these with your legal team.

Who else should be aware of GDPR in your business?

You won’t be able to achieve GDPR compliance alone. It’s imperative your organisation tackles GDPR as a whole, head on. A business wide strategy is key, as is working with teams, partners and fellow clients to implement the necessary requirements.

Your IT department will undoubtedly play an important role. The necessary personnel must have the required access to edit, move or delete data in accordance to requests and GDPR rules. As with planning, a structured and transparent process is vital. If large scale change is occurring, consider appointing a dedicated Data Protection Officer if one isn’t already in place.

CEO’s and key business stakeholders are also key to achieving compliance. These business decision makers must be aware of GDPR from the outset, and must actively work with the necessary team or employees to build a strategic plan to address challenges.

If you’d like to find out more about preparing for GDPR, register for our upcoming events. These include a GDPR focussed Public Sector meeting and a GDPR Focussed Audit, Control and Security SIG that will focus on GDPR’s impact on companies running SAP.

Our User Group Community