Food for thought: processing payroll


A company's accounts' / payroll department sends staff payslips in a pdf file by email to the directors / line managers for approval.

The company is concerned about the processing of payroll post GDPR as the directors / line managers dont have access to the payroll system.

Before we look at 2 scenarios, regardless of GDPR, you need to ask yourself the question: "would I like my own pay related data to be processed in a non secure way?"

Scenario 1: Payroll is processed internally

Scenario 2: Payroll is processed externally

Alternative thoughts

You need to ask yourself the question "is there an alternative way to approve the payroll?".

In cases where the payroll is based on time worked, it may be easier to set the approval at timesheet level. Once approved, the payroll department can take the figures and generate the payslips. Introduce a procedure to do quality tests to ensure the right amount goes from the timesheets to the payroll system.

You could still send the payslip by encrypted email, but you need to ensure that all information is deleted when approved. In our experience, it may be difficult to ensure information is deleted once stored through a mail server.


GDPR compliance varies from organisation to organisation. While we explored a couple of scenarios, what is highlighted in this post may not guarantee full DPR compliance.