The General Data Protection Regulation (GDPR), which came into force in May this year, is transforming how personal data is managed. This new legislation is designed specifically to protect the individual information of citizens within the European Union (EU). This includes all Personally Identifiable Information (PII) – whether it can be used indirectly or directly…
GDPR is based in the EU. However, its mandate is not defined by geography. If an organisation processes any EU citizen’s data, then it must comply with the legislative requirements – regardless of where its offices are. Failure to do so could result in penalties of more than 20 million Euros.
It doesn’t matter if your business is based in America or Africa. If you employ people from the EU and/or do business in the EU, then you must comply with GDPR. It’s also worth thinking ahead. Your business may not fall into either of the above-mentioned categories right now, but an opportunity to do business in Europe could be on the cards. Or, the new sales director you decide to hire in a few months could be an EU expat. If your processes are already GDPR compliant, your business growth won’t be hampered by legislative delays.
The impact on global HR and payroll teams
HR and payroll functions process a lot of personal information; departmental leaders can expect increased complexity. They will have to manage a range of new responsibilities with greater oversight to ensure compliance with GDPR.
Some examples include sharing privacy notices with all existing employees and job applicants. These will specify what their personal data is being used for and if it needs to be used outside the EU. Any transference of data outside of the EU has to meet the regulatory requirements.
Maintaining compliance is a weighty responsibility. However, if HR and payroll processes are outsourced, then the company shares the responsibility with its payroll provider. The latter assists with compliance by implementing technical and organisational measures to protect data. Their focus is on encrypting and securing stored data, software and data backups. Overall compliance with the core principles of GDPR is the responsibility of the company’s data controller.
Top preparation tips
To comply with GDPR, you need to build an inventory of PII. How is information collected, stored, managed and used within your business? Who in your organisation is handling sensitive information – and is their access critical to business operations? There is no need for all employees to have access to data that is only of use to some. Reduce superfluous employee access and this will improve your security measures – as well as reduce the scope of GDPR across your organisation.
To make sure you comply with GDPR, your entire payroll process must be thoroughly reviewed. If your business’ payroll software integrates with, or sends data to, other software programs, you need to make sure those platforms are secure too. PaySpace, for example, integrates with Xero. Both platforms are serious about data security and enforce strict policies in line with international guidelines.
Rather than view GDPR as a headache, see it as an opportunity to analyse your data and identify what is absolutely crucial to your business. It’s a way of spring-cleaning your archives. With greater data clarity, decision-makers will be able to prioritise needs, move forward quickly, and ensure that their teams focus on collecting, securing and storing only essential information.
GDPR is transforming business processes – and change can be difficult for employees to accept. It’s important that an employee awareness drive is part of your GDPR preparation. This extends to relevant contractors too. One approach that has already proven to be very successful is to appoint GDPR ‘champions’ who can run internal communication campaigns. A critical element of this approach is to encourage discussion and questions. Everyone who is involved in handling sensitive information needs to know how GDPR will affect their job.
As GDPR is now in force, businesses that haven’t done so yet are under pressure to ramp up their processes in line with the legislation. Rather than trying to do it on your own, work closely with your payroll provider – specifically one that is already GDPR compliant. Know where your PII is, clean up your data stores and follow the rules.
Do that, and you’ll be ahead of the game.