The General Data Protection Regulation (GDPR) is an update to existing legislation that aims to strengthen and unify data protection for all individuals within the European Union (EU). It also covers the export of personal data to territories outside of the EU. Its primary aim is to give control back to the citizens and residents over their personal data, and protect them from data breaches in an increasingly data-driven world. GDPR comes into force on May 25, 2018.
Many companies already in compliance with current legislation (under the Data Protection Act) are likely to also be in compliance with GDPR in most areas. However, there are several differences and enhancements included in the GDPR that companies need to ensure they’re compliant with.
UK information commissioner Elizabeth Denham has been quoted as saying that the biggest difference refers to accountability.
“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks,” she continued. “It’s about moving away from seeing the law as a box-ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organization.”
The impact of GDPR is expected to be felt across the world, as it will have broad implications for companies that store data. If your company holds personal data for anyone living in Europe, GDPR will apply to your company, even if your company is not in the EU. And, while it is much needed and will be a great relief to individuals, it could present many issues for companies, beginning with fines in the tens of millions of Euros if they breach the new law. For this reason, we attempt to simplify some key points for companies with global payroll.
3 ways GDPR will affect the international payroll industry
- Data Transmission:
Sensitive data should always be sent securely. Unencrypted email should not be used, so many standard practices will need to be changed. New transfer mechanisms may be needed, leading to retraining requirements.
- Redundant Data:
Data protection by design, and by default, calls for data minimization and a reduction of the amount of time data is held for. Payroll departments will need to balance existing legislative requirements against those laid out by GDPR.
- Processes:
GDPR explicitly states that both the data controller and the data processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the processing taking place. A new level of rigor and compliance is required, and this will undoubtedly affect how the payroll industry operates.
3 things payroll practitioners need to do to prepare for GDPR
- Review current processes:
Payroll practitioners will need to carry out risk assessments for users, processes and systems to define a plan to address and mitigate those risks. As previously mentioned, the penalties for not complying with GDPR are significant: up to 4% of global turnover, or 20 million Euros, whichever is greater.
- Establish data breach policy:
If the worst should happen, there is a requirement to report the breach, and therefore a clearly defined reporting and escalation plan should be produced. The country’s data protection regulator must be notified within 72 hours of identification.
- Prepare for Subject Access Requests (SAR):
Under GDPR, individuals have much more power to access information about themselves. Therefore, you need to prepare to deal with Subject Access Requests (SAR) that you may receive. In some cases, an individual may be able to ask that personal data about them is erased (called the “right to be forgotten”), so provision for that must also be made.
How iiPay has prepared for GDPR
- Comprehensive ISMS in place
– Full policies and procedures
– Regular risk assessments across all departments
– Regular staff training on security and data sensitivity
– Regular ISMS focus meetings by management to review and improve
- ISO27001:2013 and SOC1 audits ensure that we are following approved best practices, and set us in good stead for GDPR
- Hired specialist compliance talent to ensure successful adoption of GDPR
- We help our clients by reporting their missteps with data protection back to them. For example, we immediately delete any emails we receive from clients that contain sensitive data, and feed back the proper process to ensure secure data transmission
Contact us for more information about making sure your global payroll data is secure and that your company is ready for GDPR.
The Information Commissioner’s Office in the UK has also recently released a set of GDPR guidelines, developed to help businesses prepare for GDPR.