What Payroll Needs To Know About The GDPR
Payslip recently participated in our first ever Live Twitter Chat! The chat was hosted by the Global Payroll Management Institute (GPMI), and the topic discussed was the impact of the European General Data Protection Regulation on the payroll industry.
We thoroughly enjoyed taking part in this Twitter Chat. Thank you to the GPMI for being wonderful hosts and to the Twitterati for their questions, comments and interactions. We hope to be back live on Twitter very soon!
In case you missed it, here is a full recap of the chat.
Q1) What is the General Data Protection Regulation (GDPR) and why should payroll be interested?
Answer: The General Data Protection Regulation (GDPR) comes into force throughout Europe on May 25th 2018. GDPR changes Data Privacy rules and how personal data is handled and processed. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. GDPR will have a substantial impact on Payroll. GDPR applies to all personal data including employee data. Payroll departments control and process personal data belonging to their employees on a daily basis.
Q2) Does GDPR just concern data or are other pieces of information included, such as Employee photographs?
Answer: Personal data under the GDPR is defined as information relating to an identified or identifiable natural person and specifically acknowledges that this includes both ‘direct’ and ‘indirect’ identification. Therefore, personal data can include an employee photograph or other identifiers which can identify an employee.
Q3) Does GDPR apply to EU citizens employed outside the EU? For example, an EU citizen working for a US-owned company based in the US?
Answer: Assuming the US company has no establishment in the EU, it will depend on whether or not it falls under Article 3 (Territorial Scope). Article 3 asks whether the company is offering goods or services into the EU or is monitoring the behaviour of individuals, as far as that behaviour takes place in the EU. If this is the case, the provisions of the GDPR apply to that company, and it will have to be in compliance with the GDPR.
Q4) How will GDPR apply to Expats in the EU?
Answer: GDPR will apply to expats living in the EU. Article 3 states that any organisation established in the EU which processes personal data as a controller or processor will be subject to GDPR. Personal data of those living in the EU, regardless of whether they are a citizen or not, will be covered under GDPR.
Q5) Is the Payroll Manager/Department the Data Processor or the Data Controller?
Answer: The employer, which includes the Payroll Manager or Finance Department, is the Data Controller. Data Controllers determine the purposes for which, and the way in which, personal data is processed.
Q6) Is the Payroll Partner/Vendor a Data Processor or a Data Controller?
Answer: Payroll partners or third-party vendors who access and process personal data as part of the performance of their services fall into the category of Data Processors. The processor processes personal data on behalf of the Data Controller.
Q7) Who polices GDPR?
Answer: The GDPR is policed by data protection regulators in the EU, otherwise known as supervisory authorities. In Ireland this is the Office of the Data Protection Commissioner, which has powers to impose substantial fines and/or corrective measures.
Q8) If you store all of your data in the cloud, will GDPR apply to you?
Answer: Whether personal data is stored on-premises or in the cloud does not change the fact that it may be subject to the GDPR. The cloud provider will be considered a data processor and, together with the data controller, will have an obligation to process personal data in compliance with the GDPR. Both also have an obligation to keep the data secure.
Q9) If you are obliged by law to keep data for 5 years, how will you manage that with GDPR?
Answer: Under the GDPR you should only keep personal data for as long as is necessary. However, where there is a statutory requirement to retain data for a specified period of time (e.g. under employment law), that statutory requirement will still apply.
Let us show you how Payslip’s unique software can help you prepare for GDPR: sign up for a demo today.