Food for thought: processing payroll

Introduction

A company's accounts / payroll department sends staff payslips as a PDF file by email to the directors / line managers for approval.

The company is concerned about the processing of payroll post-GDPR, as the directors / line managers don't have access to the payroll system.

Before we look at two scenarios, and regardless of GDPR, you need to ask yourself the question: "would I like my own pay-related data to be processed in a non-secure way?"

Scenario 1: Payroll is processed internally

  • You could put a secure folder structure on a server for the directors / line managers to view and approve. Then remove the files when finished.
    • Ensure only relevant people have access to the folder(s)
    • Audit the access rights on a regular basis
  • You also need to:
    • introduce a procedure for the accounts / payroll department
    • introduce a procedure for the directors / line managers
    • train staff in the accounts / payroll department
    • train the directors / line managers
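Two of the points above, auditing the access rights on the folder(s) and removing the files when finished, are easy to neglect when they depend on someone remembering to do them. The script below is an added example, not part of the original post, of how both can be run on a schedule against a payroll drop folder on a POSIX file server. It assumes that "relevant people" are represented by one approved group on that server and that a payslip counts as finished once it is older than a retention window (the folder layout, group and 30-day window are constructed for this example, not taken from the post).

```python
"""Audit a payroll drop folder: flag entries readable outside the approved
group and list/remove files past their retention period.

Added example; not from the original post. Assumes a POSIX server where
"relevant people" map to one approved group (allowed_gid) and "finished"
means older than RETENTION_DAYS. Both values are constructed for this example.
"""
import os
import stat
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 30  # constructed value: payslips are removed once older than this


def audit_permissions(root, allowed_gid):
    """Return (path, reason) for every entry that people outside the approved
    group could reach: world-access bits set, or group access granted to a
    group other than the approved one. The root folder itself is checked too."""
    findings = []
    for path in [Path(root), *Path(root).rglob("*")]:
        st = path.lstat()
        if st.st_mode & stat.S_IRWXO:
            findings.append((str(path), "accessible to all users (other bits set)"))
        if (st.st_mode & stat.S_IRWXG) and st.st_gid != allowed_gid:
            findings.append((str(path), "group %d is not the approved group" % st.st_gid))
    return findings


def stale_files(root, retention_days, now=None):
    """Files whose modification time is older than the retention window."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.lstat().st_mtime < cutoff)


def remove_stale(root, retention_days, now=None):
    """Delete files past retention and return the paths that were removed."""
    removed = stale_files(root, retention_days, now)
    for p in removed:
        os.remove(p)
    return removed


def build_sample_folder(now):
    """Constructed sample data: a folder holding one correctly restricted,
    current payslip and one world-readable payslip last modified 40 days ago.
    Returns the folder path and the group id to treat as approved."""
    root = tempfile.mkdtemp(prefix="payroll_")
    os.chmod(root, 0o750)                      # owner + approved group only
    good = Path(root, "payslip_0001.pdf")
    good.write_bytes(b"%PDF-sample")
    os.chmod(good, 0o640)                      # correct: no access for 'other'
    bad = Path(root, "payslip_0002.pdf")
    bad.write_bytes(b"%PDF-sample")
    os.chmod(bad, 0o644)                       # wrong: readable by everyone
    old = now - 40 * 86400
    os.utime(bad, (old, old))                  # and past the retention window
    return root, good.stat().st_gid


if __name__ == "__main__":
    now = time.time()
    root, gid = build_sample_folder(now)
    for path, reason in audit_permissions(root, gid):
        print("PERMISSION:", path, "-", reason)
    for path in remove_stale(root, RETENTION_DAYS, now):
        print("REMOVED:", path)
```

Run it from cron (or an equivalent scheduler) and route the `PERMISSION:` lines to whoever owns the folder; an empty audit is the expected result, so any output is worth a look. On a Windows file server the same two checks would be done against the share's ACLs rather than POSIX mode bits, but the procedure is identical: a fixed allow-list of who may read, and a fixed window after which the files are gone.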

Scenario 2: Payroll is processed externally

  • You need to find a way to securely share the information and remove it when done.
  • You also need to:
    • introduce a procedure for the accounts / payroll department
    • introduce a procedure for the directors / line managers
    • train staff in the accounts / payroll department
    • train the directors / line managers
    • ensure you have a processing agreement with your payroll company, with the ability to audit.

Alternative thoughts

You need to ask yourself the question "is there an alternative way to approve the payroll?".

In cases where the payroll is based on time worked, it may be easier to set the approval at timesheet level. Once the timesheets are approved, the payroll department can take the figures and generate the payslips. Introduce a procedure for quality checks to ensure the right amounts are carried from the timesheets into the payroll system.

You could still send the payslips by encrypted email, but you need to ensure that all copies are deleted once approved. In our experience, it may be difficult to ensure information is deleted once it has passed through a mail server.

Disclaimer

GDPR compliance varies from organisation to organisation. While we explored a couple of scenarios, what is highlighted in this post may not guarantee full GDPR compliance.