With less than 3 months until GDPR Deadline Day (25 May) many companies are now turning their attention to their GDPR obligations in relation to payroll. In this series of blog posts we are breaking down the GDPR obligations and issues into manageable topics, starting with the definitions of the various roles set out in the GDPR and how they relate to payroll.
"Personal data shall mean any information relating to an identified or identifiable natural person. (The Data Subject)" GDPR, Article 4, Paragraph 1
A Data Subject is a natural person who is either a citizen or resident of an EU member state, a visitor to an EU member state, or a person whose data is being processed by a business located in the EU. Under the GDPR they are the rightful owner of their own data; this includes personal data, sensitive data, and genetic/biometric data.
In relation to payroll, a Data Subject is an employee whose data is being processed in order to calculate their earnings, deductions, pay etc.
The Data Controller is the organisation that is responsible for deciding how data is handled. Data Controllers determine the purposes, conditions and means of processing personal data.
In relation to payroll, the Data Controller is understood to be the employer that is processing its employees' data in order to calculate payroll. This does not change whether the company runs its payroll in-house or outsources the payroll to a third party such as its accounting firm. The employer is still deciding the means of processing the data even if it is not physically processing the payroll itself, and therefore it is (and remains) the Data Controller.
Data Controllers have direct obligations under the GDPR and are subject to more onerous direct enforcement of the GDPR principles by Supervisory Authorities than they were previously. We will look at the GDPR principles in the next blog post.
Data Processors process data on behalf of a Data Controller.
In the case of payroll, a Data Processor could be:
- A payroll bureau or accounting firm to whom the Controller has outsourced their payroll function;
- Payroll software used to calculate payroll; or,
- Other software services used in the payroll process, such as to deliver payslips.
Data Processors have direct obligations under GDPR and must provide assurances and support to the Data Controller. They are also subject to direct enforcement by Supervisory Authorities.
Data Processors can also contract with sub-processors to deliver their payroll service. For example, where an accounting firm is the Data Processor but the software it uses to process payroll or deliver payslips is provided by a third party, that software provider is a sub-processor. The sub-processor has obligations to support the Data Processor in exactly the same way as the Data Processor must provide assurances of support to the Controller.
Data Protection Officer (DPO)
A DPO is appointed by an organisation engaged in regular and systematic monitoring or processing of the sensitive data of individuals on a large scale. Their role is to work independently to view a company’s GDPR processes from the Data Subject’s perspective to ensure compliance.
Not all organisations will be required to have a DPO; however, penalties may be levied in the event that a company requires a DPO but has not appointed one.
In terms of payroll, employers running payroll in-house may or may not require a DPO. It will depend on the size and nature of their business. For general day-to-day HR and payroll purposes it is unlikely that a DPO will be required in many organisations.
All payroll bureaux should seek advice about whether a DPO is necessary for their business due to the scale of their operations – and particularly if the bureau is dealing with BACS payments on behalf of their clients.
Obligations under GDPR
Under the GDPR both the Data Controller and the Data Processor have obligations to observe and uphold the rights of the Data Subject (we'll look at the details of these rights in another blog post). This obligation extends to any Sub-Processors. All must maintain documentation that evidences their compliance with this.
Data Processors and Sub-Processors have obligations to provide assurances of support to the Data Controller. This can be achieved through a number of activities, including contractual mechanisms, maintaining documentation, reporting and inspection. Additionally, the Data Processor has an obligation to the Data Subject to process their data only upon direction from the Data Controller.
Understanding the roles set out under the GDPR and how your payroll process fits into these is key in taking the first steps to implementing GDPR compliance. With this understanding in place, our next blog posts will look at the rights of data subjects, the various types of personal data being processed, and the Data Protection Principles and their contextual application in relation to payroll.
Disclaimer: The information contained in this blog post is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. There is no substitute for organisations seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses. While we have made every effort to ensure that the information provided is correct and up to date, Pay Dashboard Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Pay Dashboard Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.