Payroll and GDPR – everything that UK employers need to know

Last checked and updated on 10 June 2022

The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and replaces the 1995 Data Protection Act. The regulation applies to organisations with EU or national customers and applies to any type of data, including payroll data.

UK employers need to be aware of the impact of GDPR on their payroll processes and take steps to ensure compliance.

This article provides an overview of what employers need to know about GDPR and payroll, including how it affects internal processing, working with bureaus and outsourced service providers, and records retention.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU data protection law that came into effect on 25th May 2018. The GDPR replaces the 1995 Data Protection Act and sets out new rules for how organisations must collect, process and store personal data. The GDPR applies to any type of data, including payroll data.

How does GDPR affect payroll?

GDPR compliance is not optional – organisations that process personal data must comply with the GDPR. This includes payroll data, such as employee names, addresses and national insurance numbers.

There are a number of specific requirements that apply to payroll data, including ensuring that personal data is accurate and up-to-date, and only keeping payroll data for as long as is necessary.

Organisations must also have a process in place for employees to access their payroll data and make corrections if necessary.

GDPR compliance and internal payroll processing

As a UK employer, you’re responsible for ensuring that your payroll processes comply with GDPR.

This means that you need to have systems and controls in place to protect the personal data of your employees, and to ensure that this data is processed lawfully, transparently and securely.

There are a few key things you need to do to ensure GDPR compliance in your payroll processes:

  • Keep detailed and up-to-date records of the personal data you process, and of the purposes for which you process it.
  • Ensure that all employees who have access to personal data are trained in data protection best practice, and understand their obligations under GDPR.
  • Put in place robust security measures to protect personal data, both in electronic and paper form.
  • Ensure that you have appropriate contracts in place with any third-party processors of personal data, such as payroll bureaus or outsourced payroll service providers. These contracts must set out the specific GDPR compliance obligations of each party.
  • If you transfer personal data outside the European Economic Area (EEA), you must ensure that it is adequately protected in accordance with GDPR.

If you’re not sure whether your payroll processes are fully compliant with GDPR, it’s a good idea to seek professional payroll advice. A qualified payroll specialist can help you to assess your risks and put in place the necessary controls to ensure compliance.

GDPR and payroll records

Employers need to review their payroll records on a regular basis and update them as needed.

Under GDPR, payroll data must be:

  • Accurate and up-to-date
  • Kept for no longer than is necessary
  • Processed in a fair, transparent and consistent manner
  • Securely stored and protected from unauthorised or accidental access, destruction or loss

Organisations that process payroll data must also ensure that they have robust policies and procedures in place to deal with data breaches.

Notifying the ICO of a breach

In the event of a data breach, employers must notify the ICO within 72 hours and take steps to mitigate any damage caused by the breach.

Working with payroll bureaus and outsourced payroll service providers

If you outsource your payroll to a bureau or service provider, you are still responsible for ensuring that your payroll data is processed in accordance with the GDPR.

This means that you need to have a contract in place with your service provider that sets out how they will process payroll data in compliance with the GDPR.

You should also ensure that your service provider has appropriate security measures in place to protect payroll data.

Questions to ask your outsourced payroll provider

  • Do they have a data protection policy?
  • What security measures do they have in place to protect payroll data?
  • How will they ensure that payroll data is accurate and up-to-date?
  • How long will they keep payroll data for?
  • How will they protect employee data from being accessed or stolen?
  • Do they have a process for employees to access and correct their personal data?
  • Will the provider notify employers if there is a data breach?
  • How often will the provider audit their systems to ensure compliance with GDPR?

GDPR payroll checklist – things to check and get right

To help you comply with the GDPR, we’ve put together a checklist of things to check and get right.

  1. Ensure that your payroll data is accurate and up-to-date.
  2. Only keep payroll data for as long as is necessary.
  3. Have a process in place for employees to access their payroll data and make corrections if necessary.
  4. If you outsource your payroll, have a contract in place with your service provider that sets out how they will process payroll data in compliance with the GDPR.
  5. Ensure that your service provider has appropriate security measures in place to protect payroll data.
  6. Make sure your payroll data is backed up and stored in a secure location.
  7. Have a process in place for employees to raise any concerns about the way their data is being processed.
  8. Conduct regular data audits to ensure that your payroll data is being processed in compliance with GDPR.
  9. Use encryption technology to protect payroll data from unauthorised access.

FAQ

Do I need to comply with the GDPR if I process payroll data?

Yes, the GDPR applies to any type of data, including payroll data.

What are the specific requirements for payroll data under GDPR?

The GDPR sets out strict requirements for how organisations must collect, process and store personal data. This includes payroll data, such as employee names, addresses and national insurance numbers.

Organisations must take steps to ensure that payroll data is accurate and up-to-date, and only keep payroll data for as long as is necessary.

Employees have the right to access their payroll data and make corrections if necessary.

I outsource my payroll to a bureau or service provider. Am I still responsible for GDPR compliance?

Yes, you are still responsible for ensuring that your payroll data is processed in accordance with the GDPR. This means that you need to have a contract in place with your service provider that sets out how they will process payroll data in compliance with the GDPR. You should also ensure that your service provider has appropriate security measures in place to protect payroll data.

Do I need to appoint a Data Protection Officer (DPO) if I process payroll data?

You are only required to appoint a DPO if you are a public body, or if your core activities involve regular and systematic monitoring of data subjects on a large scale, or processing of special categories of data on a large scale.

Do I need to carry out a Data Protection Impact Assessment (DPIA) if I process payroll data?

You are only required to carry out a DPIA if you are processing special categories of data or processing data on a large scale.

What security measures do I need to have in place to protect payroll data?

The security measures you need to have in place will depend on the type and sensitivity of the data you are processing.

At a minimum, you should ensure that your payroll data is stored in a secure location and that it is backed up regularly. You should also consider using encryption technology to protect payroll data from unauthorised access.

How long do I need to keep payroll data for?

You should only keep payroll data for as long as is necessary. This will depend on the purpose for which the data was collected and the applicable legal requirements.

Do I need to provide employees with a data protection notice?

Yes. You must provide employees with a data protection notice that sets out their rights under the GDPR.

What happens if I don’t comply with the GDPR?

If you don’t comply with the GDPR, you could be subject to a fine of up to €20 million, or up to four percent of your global annual turnover, whichever is greater. You could also be subject to criminal sanctions.

I’m a small business owner. Do I still need to comply with the GDPR?

Yes. The GDPR applies to all businesses, regardless of size.

I’m a sole trader. Do I need to comply with the GDPR?

Yes. The GDPR applies to all businesses, regardless of size.

Do I need to register with the Information Commissioner’s Office (ICO) if I process payroll data?

You may need to register with the ICO if you are processing special categories of data or processing data on a large scale.

Do I need to comply with the GDPR if I process payroll data outside the UK?

Yes. The GDPR applies to all businesses that process personal data, regardless of location.

What should I do if I have questions about the GDPR?

If you have questions about the GDPR, you can contact the ICO for advice. You can also find more information on the ICO website.

Important – The information provided in our articles is intended to be for general purpose use only, and not advice for you or your business. We strive to publish accurate information, but encourage you to fact-check and seek expert guidance. We recommend that you always speak to a qualified professional to get advice about how to operate your business under your specific requirements and circumstances.