For more information visit https://brightpay.co.uk
All organisations, regardless of size, will have had to introduce or update existing policies regarding personal data in order to comply with the new regulations.
This webinar will look at the GDPR, how it may affect your business and what we have learned from the GDPR 5 months on. We will also have a look at how BrightPay can help your organisation utilise the new regulations for the benefit of you, your customers and your employees.
Essentially, GDPR is an overhaul of the way we process, manage and store individuals’ personal data, and that includes your employees’ personal payroll and HR information. We will take you through the impact of GDPR on your payroll processing, highlighting the biggest areas of concern, including emailing payslips, employee consent and your legal obligations with regard to payroll, HR and employment law.
The webinar will include a demonstration of how our BrightPay Connect add-on can help you work towards GDPR compliance by offering remote online access to accountants, employers and employees. We will take a brief look at our Bright Contracts software, which as well as providing the user with the facility to create and customise Contracts of Employment and Company Handbooks, now has a new feature which enables the user to create an Employee Privacy Policy which is a requirement under GDPR.
We will also unveil our new timesheet rapid input feature. Our new timesheet feature connects directly to the BrightPay payroll and allows clients to import timesheet hours from a CSV or directly input hours for each employee on the BrightPay Connect employer dashboard. For accountants and payroll bureaus, clients can easily use the timesheet upload for rapid input of employees’ hours, eliminating possible errors. The timesheet feature also allows bureaus to easily run the payroll before sending it back to the payroll client for final approval and validation.
2. -
• CPD Accredited
• Fill out the survey at the end of the webinar
• Q&A Session: use the Questions tab or #BPWebinars
• On Demand: this session is being recorded
3. The Presenters…
Jennifer Hussey
Employment Law Advisor & Payroll Specialist
Thesaurus Software / Bright Contracts
Rachel Hynes
Marketing Executive
Thesaurus Software / BrightPay
4. Webinar Agenda
• Breakdown of the General Data Protection Regulation
• Processing Employee Data under GDPR
• GDPR and Payroll Processing
• How BrightPay and BrightPay Connect Can Help
• How Thesaurus Software Has Prepared
• Questions & Answers
6. GDPR, what is it?
General Data Protection Regulation
• Aims to provide better protection for personal data
• Current data legislation dates back to 1998
7. Definition of Personal Data
“Any information relating to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify a person.”
✓ A name
✓ A photo
✓ An email address
✓ Bank details
✓ Posts on social networking websites
✓ Medical information
✓ CCTV images
✓ Records of websites visited
✓ A computer IP address
9. What’s new in GDPR
• Accountability – demonstrating compliance
• Transparency – providing information pre-processing
• Mandatory data breach reporting (72 hours)
• DPO – Data Protection Officer
• Fines – Administrative Fines, Civil Liability
• Strengthened ‘Consent’ obligations
• New and enhanced Data Subject rights
Integrity & Confidentiality
10. Demonstrating Accountability
Article 24.1 - “…the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”
• Putting together an inventory of the data you currently hold and process
• Complete a Data Protection Impact Assessment (DPIA)
• Appoint a DPO if necessary
Integrity & Confidentiality
11. Transparency
Article 12 - “The controller shall take appropriate measures to provide any information…relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”
At the time when personal data is obtained, the data subject must be provided with information on:
• Details of Data Controller or DPO
• Purpose and legal basis for processing
• Sharing of data – internally / any third parties
• Storage or transfer of data outside EEA
• Retention periods
• Rights of data subjects
• Consent
• Breach reporting / complaints to supervising authority
• Any automated decision making processes
• Any Special Categories processed
13. Changes to Consent Rules
1. Consent must be specific, informed, unambiguous and freely given, and must be for a specified purpose
2. Where consent is obtained as part of a larger document covering other things, consent must be clearly distinguished from everything else
3. Evidence needs to be retained as to how the consent was obtained: forms, brochures, signage, website screenshots etc.
4. Language must be accessible and easily understood
14. Enhanced Rights for Data Subjects
• The right to be informed
• The right to access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making
16. HR and Payroll under GDPR
Who?
• Job Applicants
• Existing Employees
• Leavers
What?
• Name and address
• Payroll information
• Next of kin
• Performance review
• Health or sickness information
17. Data Management
Payroll and personal data must be processed lawfully, fairly and in a transparent manner.
- A lawful reason for processing data must exist
- All data must be kept up-to-date and only be used for purposes that have been communicated
- Only hold information for as long as it is needed
- Data needs to be protected and stored in a secure manner
18. Lawful Processing
• The data subject has given consent
• Necessary for the performance of a contract
• Necessary for compliance with a legal obligation
• In order to protect the vital interests of a person
• Necessary for public interest or official authority
• For the legitimate interests of the data controller (in this case, you, the employer)
19. Lawful Processing & Consent
• Under GDPR consent must be "freely given, specific, informed and unambiguous".
• Consent can no longer be relied upon as a lawful reason for processing employee personal data
20. Enhanced Rights for Employees
The right to be informed
The right of access
The right to rectification
23. Distributing Payslips
Email Payslips
• Yes, you can email payslips
• Security measures should be taken, like password protecting the payslips
Postal Payslips
• Yes, you can post payslips
• Security measures should be taken, like security sealed envelopes
• It is recommended (but not mandatory) to offer a secure self-service portal to securely send and store payslips
24. Recommended Self-Service Option
• Password protected for each employee
• Provides flexibility and full transparency for employees to retrieve and update their information at any time
• Employers can log in and view payslips, payroll reports and amounts due to Revenue
• Distribution of payslips and reports is automated, and they are automatically available to employees
25. Securely Storing Employee Payroll Data
• Password protect computers that hold personal data
• Password protect software applications that hold personal data
• Password protect or encrypt payslips and other documents that may be emailed to employees
27. Who Processes Payroll?
                  In-house Payroll    Outsourced Payroll
Data Processor    Employer            Payroll Bureau
Data Controller   Employer            Employer
Data Subject      Employees           Employees
A written contract must be in place!
Employees must be informed; consent is not required.
28. Data Processor Agreement
• Whenever a data controller uses a data processor there needs to be a written contract in place
• Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met
• Data processors will have some direct responsibilities and may be subject to fines or other sanctions if they don’t comply
29. What does this contract look like?
• Compliance:
  - Draft new Terms of Service / EULAs / Engagement Letters
  - Issue an Addendum to any existing contract
• Contract Content:
  - Mandatory content has expanded
  - Template Data Processor Agreement (DPA)