GDPR changes that came into effect in May 2018 updated the previous guidelines that were set in the 1998 Data Protection Act. As the payroll process manages sensitive employee information, the delivery of payslips could be impacted by the new changes to GDPR.
Companies are legally required to provide employees with payslips prior to or on payday. Most companies currently provide this information via email, so there is a concern that payslips contain private information and therefore should not be delivered using email. There is no definitive answer on emailing payslips, but there is a clause in the GDPR guidelines stating “appropriate technical measures” must be followed. Companies must ensure compliance with new GDPR regulations as they hold and process employee data for payslips, and make sure any supplier providing payroll services maintain GDPR compliance as well. Payslips present a potential risk to GDPR compliance since they contain personal and identifiable information, so this is one area we will need to watch after the GDPR changes.
Since companies are legally obligated to provide employees with payslips, you do not need employee consent to send a payslip. You must demonstrate that the way you process and protect the employee data is GDPR compliant.
In most cases, the largest fines for non-compliance will be for negligence in several areas of data privacy and protection. Payslips are just one part of GDPR compliance, so if your company had several breaches in addition to a payslip breach you would be more likely to get a fine than if you just had a payslip breach that was contained. In most instances, a company that is not following proper protocols will receive penalties, and if you are demonstrating the “appropriate technical and organisational measures” to ensure security, you will most likely not be fined.
Limit your potential liabilities
Be prepared for an audit by the ICO
If you have proper measures in place to avoid a breach, you can demonstrate to the ICO that you are compliant with GDPR regulations and avoid penalties.
Payescape Limited is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017 (register number 821826) for the provision of payment services.