Last week we published a guide on GDPR and payslips, which raised a few questions about whether password-protecting an emailed payslip is GDPR compliant. We felt this question merited further investigation.
Recap - What is the issue with emailing payslips?
Going back to the GDPR basics that we covered in this blog post and this guide - Article 32 of the GDPR states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Email is widely accepted as not being a secure way of transmitting information - email accounts and messages are easy to compromise or intercept, and something as simple as a typo in an email address can lead to delivery to the wrong person and a subsequent data breach.
Based on this, there are doubts that emailing a payslip to an employee represents an "appropriate technical measure" - especially as under GDPR it is essential to demonstrate how your organisation is addressing compliance.
So what about password-protecting the payslip?
Password-protecting and then emailing payslips could arguably demonstrate efforts towards compliance: you have taken a technical measure to protect the personal data that is being transmitted over email. It is certainly more compliant than emailing payslips with no password protection.
However, this does not necessarily solve your GDPR problem, as this guide on password-protected emailed payslips details:
- How will you tell employees what their password is? You cannot email them the password.
- How are the passwords stored, and what risks does this pose for your HR team in particular?
- How do users get password reminders or reset their passwords, and how much work is this for your team?
If you are considering password-protecting emailed payslips then there are a few things to consider, which is why we have put together this guide and checklist of questions to ask when emailing password-protected payslips.
Don't underestimate the workload for your team
At PayDashboard we see up to 6% of users each month using our automated password reset feature to access their secure online payslip portal. This number increases to over 7.5% in "peak" payroll periods, such as when bonuses are paid or P60s / P11Ds are published. Can your Payroll or HR team cope with 6% of employees asking for password reminders or resets each payday?
Ensure GDPR compliance when it comes to payslips
PayDashboard integrates with your existing payroll software in order to deliver online payslips to your employees. Here are just some of the ways that we help you to meet your GDPR compliance obligations:
- PayDashboard allows users to access payslips via a secure online portal.
- User passwords are stored in our database using hashing. Hashing is a one-way transformation of a password, turning it into another string of characters in such a way that it is computationally infeasible to turn the hashed password back into the original password. No PayDashboard users, including our development team, can access the original password.
- Password resets in PayDashboard are fully automated and accounts are locked after too many failed attempts.
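As an added illustration of the hashing and lockout described in the two points above (example code written for this post, not PayDashboard's own implementation): the password is stored only as a salted PBKDF2-HMAC-SHA256 hash, verified with a constant-time comparison, and the account locks after a fixed number of failed attempts. The threshold of five attempts and the iteration count are assumptions; the post gives no figures.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the post): PBKDF2-HMAC-SHA256 with a
# per-user random salt, and a lockout after five consecutive failures.
ITERATIONS = 600_000
MAX_FAILED_ATTEMPTS = 5


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    Only this string is stored; the plaintext password never is."""
    salt = salt or os.urandom(16)  # fresh salt per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare it in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), hash_hex)


class Account:
    """Minimal account record: a password hash plus failed-attempt lockout state."""

    def __init__(self, password: str) -> None:
        self.password_hash = hash_password(password)
        self.failed_attempts = 0
        self.locked = False

    def login(self, candidate: str) -> str:
        """Return 'ok', 'rejected' or 'locked'; lock after MAX_FAILED_ATTEMPTS failures."""
        if self.locked:
            return "locked"
        if verify_password(self.password_hash, candidate):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True  # an automated reset flow would clear this, not an HR lookup
            return "locked"
        return "rejected"
```

Once locked, even the correct password is refused until the account is unlocked through the reset flow.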