The GDPR is set to be the greatest shake-up to data protection laws in 20 years. Elly Earls finds out how it will impact payroll and how businesses can manage their personal information
€20m (£17.6m) or 4% of a company's global annual turnover, whichever is higher.
One department the General Data Protection Regulation (GDPR) will certainly impact is payroll. And in an industry like hospitality - where casual staff, shifts, irregular hours and weekly payments are commonplace - payroll departments will have a particularly momentous task on their hands if they don't have the requisite systems and processes already in place.
So where to start? According to Ian McDonald, regional instructional designer at business software company Sage, who is in charge of running regular GDPR webinars for Sage customers, step one for business owners has got to be learning the basics. While most people who attend Sage webinars know that GDPR is just around the corner, the majority haven't yet grasped what it means for their business or what steps they need to take.
"One of the things I ask at the start of the webinar is how would people rate their knowledge of the GDPR on a scale of zero to 10. The most common response by quite a margin is zero to three," he says. "People know of it and know it's coming, but not a lot beyond that. The priority has got to be education before we even start talking about the practicalities. This includes making sure people in the business who deal with personal data on a daily basis know this is coming and what it entails."
Carrying out a data audit
Next, it's time to carry out a data audit so each department knows exactly what personal data they hold and where it is. "Personal data is anything that could identify an individual, so it's not necessarily just the name; it could be a phone number, an email address, a social media handle or even an internal identity," says Adam Prince, vice-president of product management at Sage.
For payroll, this will mainly be employee information, and the good news, according to Sage product management lead Ceara Metcalf, a specialist in payroll, is that it's generally quite defined. "In order to pay somebody, HMRC requires you to have specific pieces of information about a person: their name, their address, their national insurance number and their date of birth. As there's a legal reason to have this information, you don't need to get consent from the employee, so that makes things slightly easier from a payroll point of view."
That said, HR departments will probably also have pieces of personal data that might not immediately spring to mind, such as next of kin or emergency contact details. And as the GDPR stipulates that you must have a legal basis for holding any personal data, consent may need to be obtained to keep hold of these.
The biggest task will be sifting through the various systems - both digital and paper - across which personal data is inevitably scattered, from spreadsheets to payroll software, or from Outlook contact lists to pieces of paper. Email attachments may also have been saved to local computers.
One of the principles of the GDPR is that companies don't hold data on anybody for longer than necessary, so once you know what you have, the next job is working out what you must delete. For example, HMRC requires companies to keep employee information for a minimum of three payroll tax years; after that, there is no longer a legal basis to keep it and it will need to be removed unless there are reasons to retain it (for example, ongoing legal action).
"For companies in the hospitality industry, where there are a lot of records, there may be a lot of information that needs purging, which could be a big administrative task in itself," McDonald warns.
If any data is required for statistical analysis, the solution is simply to anonymise it. "Say you want to know what overtime you paid out in 2009: you don't need to know which employee got that overtime, but you may want to keep some of the records," Metcalf explains. "You just have to anonymise the people part of it."
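The retention and anonymisation steps described above (delete once the legal basis has lapsed, unless a legal hold applies; keep only the non-identifying "people part"-free data where it is still needed for statistics) can be turned into a small, repeatable check. The following is an added example, not code from the article or from Sage. It assumes a retention rule of the current UK tax year plus the three preceding complete tax years (the article says only "a minimum of three payroll tax years"), and the records, names, NI numbers and addresses it contains are constructed.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional

# Fields that identify a person and must be stripped when a record is kept
# only for statistics (the "people part" of the record).
PERSONAL_FIELDS = ("employee_id", "name", "address", "ni_number", "date_of_birth", "email")

# Assumption used in this example: keep the current tax year plus the three
# preceding complete tax years; anything older has passed its retention period.
RETENTION_TAX_YEARS = 3

# Constructed "as of" date for the worked example (shortly before 25 May 2018).
AS_OF = date(2018, 3, 20)


@dataclass(frozen=True)
class PayrollRecord:
    employee_id: Optional[str]
    name: Optional[str]
    address: Optional[str]
    ni_number: Optional[str]
    date_of_birth: Optional[str]
    email: Optional[str]
    pay_date: date
    overtime_paid: float
    legal_hold: bool = False  # e.g. ongoing legal action justifies keeping the record


def tax_year_end(d: date) -> int:
    """Calendar year in which the UK tax year containing d ends (tax years run 6 April to 5 April)."""
    return d.year if d < date(d.year, 4, 6) else d.year + 1


def retention_cutoff(as_of: date, years: int = RETENTION_TAX_YEARS) -> int:
    """Earliest tax-year-end that is still inside the retention period."""
    return tax_year_end(as_of) - years


def anonymise(record: PayrollRecord) -> PayrollRecord:
    """Return a copy with every identifying field removed; pay data is kept for statistics."""
    return replace(record, **{field: None for field in PERSONAL_FIELDS})


def apply_retention(records: List[PayrollRecord], as_of: date) -> Dict[str, List[PayrollRecord]]:
    """Sort records into: kept as-is, kept under legal hold, or expired and reduced to anonymised statistics."""
    cutoff = retention_cutoff(as_of)
    result: Dict[str, List[PayrollRecord]] = {"retained": [], "legal_hold": [], "anonymised": []}
    for record in records:
        if record.legal_hold:
            result["legal_hold"].append(record)
        elif tax_year_end(record.pay_date) >= cutoff:
            result["retained"].append(record)
        else:
            result["anonymised"].append(anonymise(record))
    return result


def overtime_by_tax_year(records: List[PayrollRecord]) -> Dict[int, float]:
    """Total overtime per tax year; works on anonymised records because no identifier is needed."""
    totals: Dict[int, float] = {}
    for record in records:
        year = tax_year_end(record.pay_date)
        totals[year] = totals.get(year, 0.0) + record.overtime_paid
    return totals


# Constructed sample records: names, addresses, NI numbers and e-mail addresses are invented.
SAMPLE_RECORDS = [
    PayrollRecord("E001", "A. Example", "1 High St", "QQ123456A", "1980-01-01", "a@example.com", date(2009, 7, 31), 120.0),
    PayrollRecord("E002", "B. Example", "2 High St", "QQ123456B", "1985-02-02", "b@example.com", date(2013, 1, 31), 80.0),
    PayrollRecord("E002", "B. Example", "2 High St", "QQ123456B", "1985-02-02", "b@example.com", date(2016, 10, 28), 45.5),
    PayrollRecord("E003", "C. Example", "3 High St", "QQ123456C", "1990-03-03", "c@example.com", date(2017, 12, 29), 0.0),
    PayrollRecord("E004", "D. Example", "4 High St", "QQ123456D", "1975-04-04", "d@example.com", date(2012, 5, 25), 60.0, legal_hold=True),
]

if __name__ == "__main__":
    outcome = apply_retention(SAMPLE_RECORDS, AS_OF)
    for bucket, items in outcome.items():
        print(f"{bucket}: {len(items)} record(s)")
    print("overtime by tax year (anonymised records):", overtime_by_tax_year(outcome["anonymised"]))
```

Run as-is, the 2009 and 2013 records fall outside the retention window and come back with every identifying field set to `None`, while the 2009 overtime total can still be reported. Two practical caveats: the legal-hold flag must be set before the purge runs, not discovered afterwards, and stripping direct identifiers is only sufficient when the remaining data cannot single a person out (a record for a one-person department is still identifiable by its date and department alone).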
The best advice Metcalf can offer is to consolidate as much data as possible, ideally into an online system. "If, from your audit, you know that you hold data in 18 different places and you can get that down to five, that will make things easier," she says. "Online portal technology is considered industry best practice when it comes to keeping things safe and secure."
Updating contracts and processes
Besides the data audit, businesses also need to think about with whom they're sharing employee data, both regularly and on an ad hoc basis. "There are some things you legally have to share - for example, you have to send information to HMRC every time you do a payroll run," Metcalf says. "But if you're buying the team a new uniform and you've collected all their T-shirt sizes, you don't need to send their names or any identifying information such as email addresses to the third party."
It's also crucial for operators to review and update the legal T&Cs and privacy notices that go into contracts. "There's a lot more information that will need to go into a contract than currently and a lot more information you need to tell people in a privacy notice," McDonald says. It all boils down to not collecting any information you don't need and being clear about the data that is being collected - why it's required and what is going to be done with it.
Under the GDPR, employees will also have the right to data portability, the right to be forgotten and the right to be given access to all the information a company holds about them within 30 days (down from 40 days), free of charge. It's here where that earlier consolidation will really start to come into play.
"If the data is kept in as few areas as possible, it will make it much easier when it comes to a subject access request," Metcalf says. "Thirty days sounds like a long time, but when you start to think about email attachments, deleted items and data being in places you might not think of - an employee could also be an emergency contact for another employee, for example - it might not seem like such a long time."
Accountability: "Assume you will be responsible"
The GDPR specifies three main actors: the data controller, who decides to store personal data; the data processor, a person or organisation, such as a payroll bureau, that follows the data controller's instructions; and the data subject, the person whose data is collected. A hospitality business is the data controller, which means the primary responsibility for complying with the law, and for ensuring that any member of staff who deals with personal data understands how to comply with it, is theirs.
"The Information Commissioner's Office (ICO) recommends you nominate someone in your company as the go-to person for the GDPR - they're responsible for making sure employees, such as payroll clerks, who are processing personal data, understand the regulations and understand what part they can play in making sure the company is following best practice," Metcalf explains. "So, if you do an audit and you find a note in a record four years ago where something's been written about someone, they know the company shouldn't have that."
Prince emphasises: "The best advice is to assume you may be responsible unless you've had legal advice confirming you're not. Don't assume you can just ignore it."
Knowing where to start
It's only two months until the GDPR comes into force, and the vast majority of UK businesses aren't ready, according to Prince. "Of large businesses, I'd say 15%-20% have very robust, well-executed plans that are on track, another 10%-20% are working on it, and the remaining 60%+ still haven't got there," he estimates. Their biggest challenge? According to surveys carried out by Sage, knowing where to begin.
McDonald, Prince and Metcalf recommend reading the '12 steps to take now' document on the ICO website, which is designed to help businesses prepare for the new law. Steps include awareness, individuals' rights, subject access requests and consent. The organisation also offers free templates on how to carry out a data audit and other free resources. Then, if a business can't afford or find legal advice - according to Prince, many of the quality resources are now fully booked - dedicated GDPR process software may help, and there is an emerging range of products focused on this area.
The Sage marketplace, for example, includes partner products for GDPR that can walk any business, whether it runs Sage software or not, through the workflow of what it needs to do - from working out what data it holds to where it's stored and who has access to it. The government-backed Cyber Essentials scheme, which helps businesses protect themselves from cyber security threats, is another great resource for companies looking for information on how to store their employee data as safely and securely as possible.
For Prince, complying with the GDPR essentially comes down to doing the right thing. "Consider the individual rather than you or the organisation when you're trying to work out what to do," he advises. "If you think about it from the individual's point of view, they will care about who's storing their data and what happens to that data."
The team must understand the consequences of bad data control
At contract catering company Bartlett Mitchell, which implemented a GDPR-compliant payroll system last year and notified employees of their data privacy rights as if the law had already come into force, the upcoming legislative changes are not set to have a huge impact in the context of payroll.
"As a business, we have very robust systems and processes in place, so we haven't had to change too much," says founder and executive chairman Wendy Bartlett. "We were well-prepared for this."
The biggest challenge and the most important part of the process was to ensure that the team understood why the GDPR was happening and what the consequences of bad data control could be. "The regulation is quite complex and full-on, so it is really easy for people to disengage with it if they find it overwhelming. That's why it's important to put all of this into context and explain how it can impact them directly," Bartlett says.
As part of this, Bartlett Mitchell has provided its senior team with one-to-one training sessions and will also be rolling out further online training to management and the rest of the business.
Bartlett's biggest tip for other hospitality businesses is to engage an external advisor to audit their activity. "While we were confident in our systems and procedures, it was important to have an independent resource to audit exactly what we did," she explains. "Our advisor was able to sense-check our activity and make any recommendations accordingly. Throughout the process, what has become quite apparent is the fact that a lot of it is based on applying common sense to how you gather, store and manage data."
Another practical change she advises is ensuring transparency. "Each employee should know they have access to their payroll information and how they can quickly access it, update their file and review the information on file," she says.
The company has also digitised all payroll documents so team members will eventually have access to all their files via a payroll app. "Technology can be a good enabler for compliance," Bartlett concludes.
Sage has over 30 years' experience supporting business with compliance. For more information on the GDPR, please visit Sage's GDPR portal. For more details on Sage Payroll solutions, visit Sage's website