What HR needs to know about payroll security

As organisations aim to improve their employees’ experience – and, more generally, develop efficient ways of working – the need to make payroll data accessible has become increasingly important.

Easier access to this data is helping companies to meet the heightened expectations coming from staff, the HR team and senior executives. Instant visibility provides businesses with an ability to respond to queries faster and, with reliable data available, they can also take decisions quickly and with confidence.  

As this information is highly sensitive, however, the implications for payroll security needs to be taken seriously - especially when moving private data between systems. 

Transferring data increases the risk that information could fall into the wrong hands and expose an employee’s personal details to cyber criminality. This would not only break a bond of trust between an organisation and its staff, it could also severely damage the reputation of the business and lead to regulatory reprimand. 

It’s imperative, therefore, that this information remains secure, and that organisations are not vulnerable to a potential data breach. Any digital transformation project involving payroll data must be carefully considered with these security implications in mind. 

So, what are the main considerations with payroll security?

1. Payroll compliance
   When organisations take steps to make payroll information more accessible, they must provide clear guidance and put processes in place. Protocols will help HR ensure good governance over how payroll data is being used.
   This will also give the business’s leadership reassurance that their organisation is complying with regulations, such as GDPR and the UK Data Protection Act. This governance should include the creation of an audit trail that will keep a track of where data is stored and how it has been processed. 
   As more HR staff are given access to payroll data, however, organisations will want to ensure access to employees’ private data is restricted to those who need to see it. They may also want to consider broadening the scope of protocols that have previously been limited to the payroll team.  
   For example, to prevent payroll information being misused or leaked, businesses could insist that anyone being granted access to sensitive information is covered by a non-disclosure agreement. 
2. HR and Payroll partners  
   It is essential that any third-party HR or payroll technology partner, whose systems are accessing information, is reputable and can provide reassurances. You will also want to partner with an organisation that does more than just keep your data secure. They should also help your staff comply with the processes governing the use of payroll data. 
   To ensure information is safe, you should check that any stored data will be encrypted when it is ‘at rest’. This is a requirement of GDPR for payroll and the UK data protection act – and organisations failing to adhere to these regulations will face fines and the likelihood of severe reputational damage. 
   When working with a third-party system provider, you should also ensure that you maintain ownership of your data. Using GDPR terminology, your organisation must be the ‘data controller,’ whereas the system provider is the ‘data processor’.  
   You may also want to check what international standards your partner holds. For example, the go-to standard to demonstrate compliance with GDPR is ISAE 3000. This is an international standard that will assesses the design and operation of an organisation’s non-financial data processing controls – while ISAE 3402 is the equivalent for financial data. 
   To obtain this standard, your partner will need to have undergone an external audit following these ISAE guidelines. SD Worx holds both the above certifications.
3. Payroll data sharing
   If an organisation requires a global HR solution, they may need to access payroll data from multiple countries. This potentially means accessing information from several separate payroll engines, which are each required to comply with distinct local regulations. 
   How these separate sources of information are accessed by HR has major implications for payroll security. If steps are not taken to ensure the safety of data in transit, information will become vulnerable. 
   The traditional way to transfer this sensitive information is via secure file transfer protocol (SFTP). This ensures the data is safely encrypted so, should a file fall into the wrong hands, a third party would be unable to read the information without the appropriate digital access key.
   SFTP has worked well for businesses historically, and it is still a preferred method for organisations looking to transfer large volumes of data. 
4. System integration 
   With employees and HR teams wanting to see payroll data in real time, many organisations now want faster access to this information. In order to make data held in payroll automatically visible within HR, these systems must be integrated first. 
   Organisations have the option to build bespoke integrations to enable this to happen. This will likely require the support of a specialist integration partner that has the necessary expertise and experience to secure the connection between these relevant systems. 
   Alternatively, and perhaps preferably, this integration would take place via an application programming interface (API). This would ensure the information is transferred using a tried and tested plugin – and wouldn’t require an expensive integration project. 
   Before deploying any new payroll system, it is well worth checking whether it offers its own API – and whether the system can already integrate with best of breed HR systems such as a Workday, SAP or Oracle.

Security checklist

To help you quickly assess your payroll security you may want to ask yourself the questions in the below checklist:

• Are you maintaining a payroll data audit trail?
• Are all staff accessing payroll data covered by non-disclosure agreements?
• Are your third-party HR and payroll partners helping you to remain compliant with GDPR and the UK Data Protection Act?
• Do your third-party HR and payroll partners hold ISAE 3000 and ISAE 3402?
• Is your payroll data encrypted both when ‘at rest’ and in transit?
• If you are working with a systems integrator, do they have the necessary experience with the specific HR and payroll systems you have or are deploying?
• Does your payroll tech partner offer an API, and does it have existing plugins with best of breed HR systems?