Global payroll and GDPR compliance: What international organizations should know and do

It’s hard to think of any business function where so much data is collected and processed as is the case for payroll. Each month, you gather thousands of data items about your employees. This includes names, addresses, family status, salary and tax information, to name but a few. 

Whenever organizations handle and process data, they need to provide an appropriate level of data protection and make sure to comply with any existing laws and regulations concerning data processing. The most important legal data protection framework global businesses need to comply with is the EU’s GDPR. 

The introduction of GDPR has had a major impact on payroll, and the compliance burden on businesses hasn’t lessened ever since. In this blog post, we’ll tell you everything you need to know about GDPR in payroll, including how GDPR affects your payroll processes and what you need to do to ensure GDPR compliance for your global payroll operations.

The General Data Protection Regulation (GDPR) is the European Union’s central data protection law which entered into force on 25 May 2018 - thus replacing the previously valid 1998 Data Protection Act. GDPR is the most important data privacy legislation issued by the EU so far and contains hundreds of pages of new regulatory requirements organizations must adhere to when processing and storing personal data. 

The GDPR’s main purpose is to strengthen data protection in the European Union and to give individuals more rights and control with regard to the collection of their personal data. In order to achieve this aim, the data protection act introduced a whole range of rights for individuals with regard to their data (e.g. right to be informed, right to rectification). 

Under GDPR, organizations now have to fulfill various additional obligations in terms of accountability, data security and justification of use, among others. The appointment of data protection officers (mandatory under certain conditions) and legal obligation to obtain the individual’s consent for processing their personal data are additional elements outlined in data protection rules. 

Needless to say that the regulation has had a major impact on companies conducting business in the EU, or handling personal data from clients, employees or any other person residing in the EU. This entails new responsibilities for HR and, even more so, payroll teams.

GDPR affects anyone and anything involving personal data. For a business function such as payroll where operations evolve purely around data collection and processing, the impact of GDPR is major. Below you’ll find an overview of different aspects you need to consider with regard to GDPR compliance in payroll.

• Distribution of payslips: Online payslips must be provided in a secured way.

• Data security reinforcement: Security measures for processed data must be upgraded to meet new requirements such as the ISO 27001 standards. The appointment of a data protection office in your company may also be necessary.

• Employee consent and information: Getting your employees’ consent for the collection of their personal data is mandatory under GDPR. Also, employees must know exactly what kind of personal data is collected and for which purpose.

• Data access and transparency: Your employees must be able to access their personal information at all times.

• Cross-border data transfers: GDPR imposes strict rules regarding the transfer of data across borders, which can cause problems when working with local payroll service providers all over the world.

• Revision of service contracts: GDPR regulations ultimately also have an impact on the contractual relationship between you and your payroll service or software provider. Contractual clauses must be added and adjusted to meet all the requirements.

• Data selection and re-organization: Under GDPR, organizations are no longer allowed to collect personal data without defined purpose. With regard to payroll, this means that data collected in the payroll process needs to be re-evaluated to make sure no superfluous data is collected.

Payroll data is always personal data and must therefore be processed in a way that complies with GDPR. GDPR defines personal data as “any information relating to an identified or identifiable natural person”, which is the case for payroll data. What’s more, payroll data often includes so-called sensitive data. Sensitive data comprises personal data revealing racial or ethnic origin, health-related data, data on trade-union membership and more. Under EU regulations, sensitive data must be processed and stored with an even greater level of security.

Companies with business activities in different countries around the world are facing various compliance challenges, from complying with local labor laws to ensuring compliance with data protection standards. Failure to ensure compliance with any of the statutory laws and regulations will result in different penalties for the business. 

As data theft and data breach are nowadays a daily occurence, it’s no wonder that jurisdictions all over the world are putting their foot down and releasing new laws to increase data protection. On their website, the EU states clearly that “GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses”. Fines depend on the severity of the violation.  

Fines for “less severe infringements” are subject to fines of up to 10 million euros or 2% of the business’s annual revenue, whichever is higher. For “more serious infringements”, fines can go up to 4% of the company’s worldwide revenue or 20 million euros, whichever is higher. For more information, you can check this EU publication on GDPR fines. 

Given the astronomical amounts the fines can reach, it’s safe to say that GDPR compliance is something global businesses should take very seriously, especially when processing their global payroll data. But which steps do employers have to take to make sure their payroll operations are GDPR compliant?

Organizations need a detailed action plan in order to ensure GDPR compliance for their payroll. The European Union has issued a GDPR checklist for data controllers, i.e. those who decide on the purpose of the collected data. Here is a modified version especially with regard to payroll, containing the central steps businesses need to take in order to avoid fines.

• Conduct an internal audit in order to determine which payroll-related data is processed and who can access it.

• Justify and document your data processing activities.

• Adapt your privacy notices to employees to make sure they know exactly which data you process and why.

• Check the security of your data and take measures to reinforce the level of protection if needed (SSL certificates, ISO 27001 standards etc.).

• Develop protocols and procedures to deal with employee data requests (i.e. when employees wish to make use of their right of rectification, right to erasure and more).

• Check whether you have to appoint a Data Protection Officer.

• Make the distribution of your digital payslips more secure by installing a self-service platform where employees can access their payslips via a password-protected account.

• Put in place procedures to detect and report data breach.

• Double check your service contracts with payroll service and software providers and verify all your providers are GDPR compliant.

• Provide GDPR-focused training to your payroll team as well as to other employees in your company in order to build awareness of data protection.

• If you have operations in more than one EU country: Decide where the main decisions concerning data processing are taken within your organization and determine your lead supervisory authority.

• Get ready for regular audits to constantly check your GDPR compliance.

These are the general outlines that apply to businesses of any size that process payroll data and thus need to comply with GDPR. Depending on the company, there may even be additional steps which need to be taken.

Even with a GDPR payroll checklist at hand, getting your global payroll GDPR compliant will require a lot of work and, more than anything, time. Time that would be better spent focusing on how to bring your business forward.

With Lano’s global payroll solution, you don’t have to worry about data protection and GDPR anymore. Our platform is designed for full GDPR compliance and responds to the highest data protection standards.

Integrate all your payroll providers with our platform and allow secured data transfer and consolidation. Give your employees easy access to their data and payslip via protected accounts and be safe in the knowledge that all your data will be stored safely in a private cloud in the EU. 

Want to know more about Lano’s global payroll solution? Book your free demo call and start simplifying payroll for your global team today.