The legal obligations of processing data under GDPR: Part 1

In the context of Payroll & HR, the employer acts as a ‘controller’ and any cloud service, bureau or outsourced provider as ‘processor’. The controller says how and why personal data is processed and the processor acts on the controller’s behalf.

For processors, GDPR places legal obligations to maintain records of personal data and processing activities. There are now significantly more legal liabilities where there is responsibility for a breach.

For controllers, GDPR places further obligations to ensure contracts with processors comply with the new Regulation. It applies to processing carried out by organisations operating within the EU and organisations outside the EU that offer services to individuals in the EU. These measures will still apply to the United Kingdom when it leaves the European Union in 2019.

For organisations keeping HR records and processing payroll, this data does fall within the scope of the GDPR. It applies to both automated personal data and to manual filing systems. Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

The GDPR does not apply to certain activities (including processing) covered by the Law Enforcement Directive such as for national security purposes. Processing carried out by individuals purely for personal/household activities is not covered by GDPR.

HR and Payroll is a key area that requires inclusion in any GDPR assessment. You may need to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions.

The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations that are assisting with your HR and Payroll record processing.

A major aspect of payroll is compliance with the law, dealing with national tax collectors, agencies for social or national insurance and dealing with the courts. Personal records used for these purposes do not necessarily have a right for erasure under ‘right to be forgotten’ or for requests to change where the information applied is relevant to legal record keeping requirements.

So, in the organisation GDPR documents, it is important to identify the ‘lawful basis’ for processing activity, document it and update your privacy notices to explain it. HR and Payroll will need to explain the lawful basis for processing personal data in any privacy notice and when answering a subject access request.

 

Look out for Part 2 of Simon’s blog on Monday 4th December.