1 March 2018
With just three months to go until the General Data Protection Regulation (GDPR) comes into force, the clock is ticking for HR and payroll managers to get the systems and processes in place to ensure compliance. The regulation, coming into effect on 25 May 2018, updates data rights for today’s networked world, and organisations ignore it at their peril.
A major infringement could cost a company up to 4% of its global revenue, while there is a penalty of 2% of global revenue if records are not in order, or a supervising authority and data subjects are not notified within 72 hours when personal data is exposed in a security breach.
Here are six things you should be doing now to prepare for GDPR:
In essence, GDPR comes down to the rights of individuals and their data and the way organisations manage and protect that data. While many of the rights are already covered in existing legislation, there are significant enhancements including the new right to erasure (commonly known as the right to be forgotten) and the right to data portability. Those in HR and payroll will need to consider payroll and employee benefits data, employee performance data and recruitment data.
It is vital to get leadership buy-in and ownership of the adoption of GDPR. Create a corporate policy – a company statement explaining how you manage employee data, such as what information is collected, how it is collected, how long it is stored for, what systems are used and how data is stored. This information has to be delivered in plain language that can be easily understood, so don’t write it in ‘legalese’ with a large disclaimer!
Make sure you can demonstrate that you have provided this to employees, for example through an intranet. Set up standard operating procedures, such as how and where employees can issue a request to access their data, how you can validate the identity of that employee and who in HR will be responsible for dealing with data requests. Create a process for checks. For example, you may need to check with legal if there is an ongoing dispute with that employee before changing data.
This is likely to be the first thing GDPR enforcers ask to see. However, you can’t protect what you don’t know you have. So, the first thing to discover is exactly where all types of data sit in the organisation. Check what software applications you have, spot potential gaps such as legacy software, consider what is used locally and what is used globally, and check for any applications currently in development versus ‘live’.
Developing an exhaustive register is not easy so start by making an inventory, but don’t go too deep – you don’t want 900 fields in payroll! Is there a centralised corporate register already in existence to which you can attach your employee data? Assign an information owner to each category of data and ensure they are tasked with keeping the register updated, with at least one review a year.
Existing regulation specifies that companies should not keep data longer than needed but there is little enforcement of this. Under GDPR, you not only need explicit consent of the person for each specific purpose for which you are using it, but also you need to be explicit about how long you keep data records – and there will be a significantly higher sanction for non-compliance. The principle is one of minimisation, or privacy by design. In other words, the default settings or processes should protect the privacy of the employee without his or her manual input.
So, clearly communicate how you will use data and define minimum and maximum retention times. Don’t forget to get this validated by your legal team, for example to ensure compliance with other employment laws. As mentioned, employees can withdraw their consent at any time, request a copy of their data and request its erasure. In HR, it’s important to consider other legal implications of this right to be forgotten, for example the need to keep records for any potential litigation.
GDPR says you have to assess risks and take appropriate measures to ensure the integrity of data. So, look at your own processes and ask yourself, what could go wrong in terms of the confidentiality, security and availability of personal data? What if it were your own data, or that of your mother or best friend? Would you feel your data was safe and the procedure clear? What if you are an employee in a different geography?
Define and document all regions in which employees work. What if you work in an open environment? Think about clean desk and clean screen policies. And lead by example – this is not just an IT issue.
One of the biggest challenges is embedding GDPR principles into the culture of the business. Provide training and guidance to employees to ensure data rights protection is part of the DNA of the business. Think about the ‘small’ things. For example, how many times have you picked up printed CVs or Excel sheets before the person who printed them reached the printer? What about email? Employees need to be mindful of ‘Reply All’ or sending emails to the wrong person in their address books.
You are not alone in the data ecosystem. Make sure you challenge your HR and payroll providers to ensure they are compliant. Review agreements with third party providers and review software and the design of that software. Any reputable third-party provider, such as SD Worx, will be happy to collaborate and help you to move to GDPR compliance.
It might have been costly to change payroll suppliers twenty years ago, but thanks to modern technology it doesn’t cost nearly as much in resources and time as you might think. Uncover the truth in our blog.
14 September 2020
Every year UK businesses lose £12 billion to payroll fraud. In this blog we’ll explain the common types of payroll fraud and share tips on how to stop it from happening to your business.
14 September 2020
Simon Parsons, Director of Compliance Strategies, SD Worx UK, responds to the Government’s new advice regarding payrolling benefits in kind.
9 September 2020
Simon Parsons, Director UK Compliance Strategies, SD Worx UK & Ireland, discusses the Government’s Kickstart scheme, which aims to create thousands of jobs for young people across the UK.
9 September 2020
No matter the size of your business, or the type of service you provide, Criminal Corporate offence is something you should know about. Simon Parsons, Director of Compliance Strategies, explains in his blog.
9 September 2020
HM Revenue and Customs (HMRC) has updated guidance in readiness for the commencement of the second part of the Coronavirus Job Retention Scheme (CJRS). Simon Parsons, Director of Payments, Benefits & Compliance Strategies at SD Worx UK, shares his interpretation of the changes and what this could mean for employers.
P. Simon Parsons - 15 June 2020
Our resident payroll and legislation guru answers your questions about furlough and SSP.
29 April 2020
What is the process of putting in a claim for furlough? We get to grips with the steps you need to undertake.
23 April 2020
We’ll help you make sense of the government’s advice on Statutory Sick Pay and taking care of your employees during COVID-19.
24 March 2020
There have been many publications about the Good Work Plan over the past 18 months, and it can be confusing to work through complex legislative documentation to understand how you stay compliant. While the Good Work Plan covers many topics, this blog takes you through one aspect of it, Holiday Pay, and asks the simple question – are you ready for the changes?
29 October 2019
If you want to learn best practice in handling data in light of the General Data Protection Regulation (GDPR), you can do no better than to look at DuPont. Now part of science giant DowDuPont following a merger last year, DuPont treats data as part of the DNA of the organisation and has a long history of embedding data protection into its culture.
8 March 2018
Here are the top five lessons on implementing GDPR from the session with Gert Beeckmans, Chief Risk and Security Officer at SD Worx, and Frank Rudolf, Director of Payroll at PAREXEL, at the SD Worx European Conference 2018, held in London on 6th February.
2 March 2018
Clark Hoy, Business Development Manager at SD Worx UK & Ireland, shares his top tips for all the new dads and dads-to-be (D2B) regarding all things paternity!
26 February 2018
Retention of personal data has a ‘lawful basis’ where it is necessary for compliance with a legal obligation or for the exercise or defence of legal claims. For Payroll and HR reasons, employers must hold and retain personal information about their employees and former employees to meet these legal requirements.
4 December 2017
GDPR is set to see the biggest shake-up in the way we handle data since the Data Protection Act of 1998. Over the last few years, the processing and control of data has seen many systematic changes. Updated legal obligations set out in the Regulation, such as the ‘lawful basis’ for the processing of data, are sure to bring more changes to data handling.
27 November 2017
Read Simon Parsons’ latest blog, where he answers the frequently asked question: 'Do you know if HMRC are likely to want us to include more options for employees that may be transitioning or don’t identify themselves with either gender?'
23 November 2017
Within global organisations, we increasingly see individuals working internationally across a business’ operations, with differing national fiscal obligations. The impact on employees, and compliance with a variety of national fiscal government obligations, brings significant complexities into play. Some will be handled within payroll software or a payroll service, whereas others, a little more obscure, may require special handling. For UK Payroll, there are a variety of variants (to the normal) Pay As You Earn (PAYE) obligations.
6 November 2017
The EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It applies to any organisation that processes the personal data of EU citizens regardless of where they are situated. Brexit won’t let UK companies off the hook as the government has announced that the legislation will be brought into UK law.
9 October 2017
In order to understand Alabaster, we recommend that you know a little about the case precedent behind it.
2 October 2017
Our Head of Legal, Leon Daniel, has written some useful information on GDPR and what it might mean for your organisation. This is the second of a series of articles on the steps we are taking at SD Worx to ensure GDPR compliance.
14 August 2017
Our Head of Legal, Leon Daniel, has written some useful information on the General Data Protection Regulation (GDPR) and what it might mean for your organisation. This is the first of a series of articles on the new Regulation and will cover the steps we are taking at SD Worx to ensure GDPR compliance.
7 August 2017
In part two of our blog, our Commercial Director John Cusack and Business Development Manager Steve Knapman build upon the information outlined by Mercer in part 1 – and discuss how SD Worx’s analysis tools can provide you with in-depth statistics on the gender pay gap. Read more on some of the useful points that we took away from the webinar...
10 July 2017
Minimum pay is governed by employment law, and breach is a criminal matter; HM Revenue & Customs are charged with policing its application based on a number of significant factors and structures. In this blog, our Director of Payment, Benefits & Compliance Strategies, Simon Parsons, discusses critical touch points for compliance and recent payroll error examples regarding this legal requirement.
3 July 2017
The gender pay gap has been a hot topic for years, dominating discussion in the media and in boardrooms. Seemingly refusing to close, the gap stood at 9.4% in 2016, down from 17.4% in 1997. While the UK is getting nearer and nearer to gender parity in pay, figures suggest it still has a long way to go...
19 June 2017
2017 is going to be both interesting & challenging. With Brexit and changing government leadership much is to be done and quickly. Now is the time for the business to come together and plan for change...
2 March 2017
In August 2016, HMRC launched a ‘Consultation on salary sacrifice for the provision of benefits in kind’. The indication is to bring in law changes from April 2017.
11 October 2016
Often once the deal is done you can’t see the lawyers for dust, so if you receive notice from a supplier or customer that they have been acquired, or if you have been acquired yourself, what do you need to do to keep your current contracts in order?
3 October 2016
The way the government funds apprenticeships in England is changing. The 6th April 2017 sees the introduction of a new employment tax on United Kingdom employers. Scotland, Wales and Northern Ireland, each having their share of the levy, will have to decide how apprenticeship spending will take place. In this blog I cover some key points that employers should be considering in order to prepare for the upcoming changes...
5 September 2016
As a union, the UK has voted to leave the European Union, with some Scottish politicians hinting at a further independence referendum, and some in Northern Ireland wanting a joint Irish nation! At the same time, Job Centre Plus has run out of National Insurance numbers and in June 2016 decided to start issuing NINOs with the prefix ‘KC’ - but there is an issue with this...
15 August 2016
With the result of the UK referendum to leave the European Union and the indication by Scotland's first minister to run a further devolution referendum, Simon Parsons considers the potential implications for the next few years for Scotland and payroll services...
8 August 2016
So the nation has chosen to progress leaving the EU with a popular vote of 52%. So what's changed, apart from volatility in currency and stock markets? And what major action do we see impacting payroll?
26 July 2016
The National Living Wage (NLW) became compulsory for employees aged 25 and above, at a new minimum rate... Have you considered the implications, reviewed your maternity leave payments and made top-ups of SMP?
27 June 2016
April 2016 saw some of the most significant legal changes to impact payroll operations and software. I would venture that this year’s new changes have been some of the most impactful yet, more so than the introduction of Real Time Information (RTI). There were new requirements for Scotland, including the Scottish Rate of Income Tax and changes to Earnings and Maintenance Arrestments, and a revolution in national insurance with the removal of Contracting Out and the introduction of Under 25 Apprentice NICs. The list can go on.
13 June 2016
Following the judgement of the Employment Appeal Tribunal (9th March 2016), the question of salary sacrifice and maternity rights has been thrown into doubt! Was HMRC errant in providing guidance? Are employers now off the hook with provision of non-cash benefits in kind during maternity?
16 May 2016
In the 2015 Queen’s Speech, the Government set out to create 3 million new apprenticeships by 2020. As part of the Enterprise Bill, apprenticeships would gain the same legal treatment as degrees. ‘The Richard Review’ brings new standards being developed by ‘trailblazers’ and new funding being trialled, giving employers greater control over spend on training delivery.
11 April 2016
We thought 2013 was busy with the introduction of Real Time Information, but looking back it now seems a doddle! 2016 is proving to be one of the most substantial change years ever for payroll, software and service providers and especially payroll managers. Never before have I seen such a wide, heavy plethora of change. Now seems a good time to start the preparations in earnest and put the brain in gear...
25 January 2016