For more information visit https://brightpay.co.uk All organisations, regardless of size, will have had to introduce or update existing policies regarding personal data in order to comply with the new regulations. This webinar will look at the GDPR, how it may affect your business and what we have learned from the GDPR 5 months on. We will also have a look at how BrightPay can help your organisation utilise the new regulations for the benefit of you, your customers and youremployees. Essentially, GDPR is an overhaul of the way we process, manage and store individual’s personal data, and that includes your employee’s personal payroll and HR information. We will take you through the impact of GDPR on your payroll processing, highlighting the biggest areas of concern including emailing payslips, employee consent and your legal obligations with regards to payroll, HR and Employment law. The webinar will include a demonstration of how our BrightPay Connect add-on can help you work towards GDPR compliance by offering remote online access to accountants, employers and employees. We will take a brief look at our Bright Contracts software, which as well as providing the user with the facility to create and customise Contracts of Employment and Company Handbooks, now has a new feature which enables the user to create an Employee Privacy Policy which is a requirement under GDPR. We will also unveil our new timesheet rapid input feature. Our exciting new timesheet feature directly connects to the BrightPay payroll and allows clients to import timesheet hours from a CSV or directly input hours for each employee on the BrightPay connect employer dashboard. For accountants and payroll bureaus, clients can easily use the timesheet upload for rapid input of employee’s hours eliminating possible errors. The timesheet feature also allows bureaus to easily run the payroll before sending it back to your payroll client for final approval and validation.

1. -GDPR - 5 Months On!

2. -
CPD Accredited
Fill out survey at the end of the webinar
Q&A Session
Questions Tab or #BPWebinars
Q&A
CPD
On Demand
This session is being recorded
REC

3. The Presenters…
Jennifer Hussey
Employment Law Advisor & Payroll Specialist
Thesaurus Software / Bright Contracts
Rachel Hynes
Marketing Executive
Thesaurus Software / BrightPay

4. Webinar Agenda
•Breakdown of the General Data Protection Regulation
•Processing Employee Data under GDPR
•GDPR and Payroll Processing
•How BrightPay and BrightPay Connect Can Help
•How Thesaurus Software Has Prepared
Questions & Answers

5. -Breakdown of GDPR

6. GDPR, what is it?
General Data Protection Regulation
• Aims to provide better protection for personal data
• Current data legislation dates back to 1998

7. Definition of Personal Data
“Any information related on a natural person or ‘Data Subject’, that can
be used to directly or indirectly identify a person.”
✓ A name
✓ A photo
✓ An email address
✓ Bank details
✓ Posts on social networking websites
✓ Medical information
✓ CCTV images
✓ Records of websites visited
✓ A computer IP address

8. Data Protection Principles
Lawfulness Purpose
Limitation
Data
Minimisation
Accuracy Storage
Limitation
Integrity &
Confidentiality

9. What’s new in GDPR
• Accountability – demonstrating compliance
• Transparency – providing information pre-processing
• Mandatory data breach reporting (72 hours)
• DPO – Data Protection Officer
• Fines – Administrative Fines, Civil Liability
• Strengthened ‘Consent’ obligations
• New and enhanced Data Subject rights
Integrity &
Confidentiality

10. Demonstrating Accountability
Article 24.1- “….the controller shall implement appropriate technical
and organizational measures to ensure and to be able to
demonstrate that processing is performed in accordance with
this Regulation”
• Putting together an inventory of the data you currently hold and
process
• Complete Data Protection Impact Assesment (DPIA)
• Appoint a DPO if necessary
Integrity &
Confidentiality

11. • Details of Data Controller or DPO
• Purpose and legal basis for processing
• Sharing of data – internally / any third
parties
• Storage or transfer of data outside EEA
• Retention periods
• Rights of data subjects
• Consent
• Breach reporting / complaints to supervising
authority
• Any automated decision making processes
• Any Special Categories processed
Transparency
Article 12 - “The controller shall take appropriate measures to provide any
information……..relating to processing to the data subject in a concise, transparent, intelligible
and easily accessible form, using clear and plain language, in particular for any information
addressed specifically to a child”
At the time when personal data is obtained, the data subject must be
provided with information on:

12. Breach Reporting / Fines
Integrity &
Confidentiality

13. 5. Changes to Consent Rules
1. Consent must be:
- Specific, informed,
unambiguous and freely given
- Must be for a specified purpose
2. Where consent is
obtained as part of a larger
document covering other
things, consent must be
clearly distinguished from
everything else
3. Evidence needs to be
retained as to how the consent
was obtained
Forms, brochures signage,
website screenshots etc.
4. Language must be
accessible and easily
understood

14. 9. Enhanced Rights for Data Subjects
The right to
erasure
The right to
restrict
processing
The right to data
portability
The right to
object
Rights in relation to
automated
decision making
Right to be
informed
The right to
access
The right to
rectification

15. -Processing Employee Data under GDPR

16. Who?
• Job Applicants
• Existing Employees
• Leaver
What?
• Name and address
• Payroll information
• Next of kin
• Performance review
• Health or sickness information
HR and Payroll under GDPR

17. Data Management
Payroll and personal data must be processed lawfully, fairly and
in a transparent manner.
- A lawful reason for processing data must exist
- All data must be kept up-to-date and only be used for purposes that
have been communicated
- Only hold information required for as long as it is needed.
- Data needs to be protected and stored in a secure manner.

18. The data subject has given consent
Necessary for the performance of contract
Necessary for the compliance with legal obligation
In order to protect vital interests of a person
Necessary for public interest or official authority
For the legitimate interests of data controller or yourself the
employer in this case.
Lawful Processing

19. • Under GDPR consent must be "freely given, specific, informed and
unambiguous".
• Consent can no longer be relied upon as a lawful reason for
processing employee personal data
Lawful Processing & Consent

20. Enhanced Rights for Employees
The right to be informed
The right of access
The right to rectification

21. © NEST Corporation 2015
Recommended Self-Service Option
The GDPR includes a best practice recommendation that,
where possible, organisations should be able to provide remote
access to a secure self-service system which would provide the
individual with direct access to his or her information.
24/7 Online
Access
Payroll
Information
Employee
Documents
Annual Leave
Entitlements

22. -GDPR & Payroll Processing

23. Email Payslips
• Yes you can email payslips
• Security measures should be
taken, like password protecting
the payslips
Postal Payslips
• Yes you can post payslips
• Security measures should be
taken, like security sealed
envelopes
Distributing Payslips
• It is recommended (but not mandatory) to offer a secure
self-service portal to securely send and store payslips

24. Recommended Self-Service Option
• Password protected for each employee
• Provides flexibility and full transparency for employees to retrieve
and update their information at any time
• Employers can login and view payslips, payroll reports and
amounts due to Revenue
• Distribution of payslips and reports are automated and
automatically available to employees

25. Securely Storing Employee Payroll Data
• Password protect computers that hold
personal data
• Password protect software applications
that hold personal data
• Password protect or encrypt payslips
and other documents that may be
emailed to employees

26. -Data Processor Agreement

27. Who Processes Payroll?
In-house Payroll Outsourced Payroll
Data Processor Employer Payroll Bureau
Data
Controller
Employer Employer
Data Subject Employees Employees
A written contract must
be in place!
Employees must be
informed, consent is
not required.

28. Data Processor Agreement
• Whenever a data controller uses a data processor there needs to be
a written contract in place
• Controllers are liable for their compliance with the GDPR and must
only appoint processors who can provide ‘sufficient guarantees’ that
the requirements of the GDPR will be met
• Data processors will have some direct responsibilities and may be
subject to fines or other sanctions if they don’t comply

29. What does this contract look like?
• Compliance:
• Draft new Terms of Service / EULAs / Engagement Letters
• Issue an Addendum to any existing contract
• Contract Content
• Mandatory content has expanded
• Template Data Processor Agreement (DPA)

30. -How BrightPay can help

32. -
Standard Licence: £99 + VAT
• One employer
• Unlimited employees
• Free phone & email support
• Full functionality
Payroll Software
Bureau Licence: £229 + VAT
• Unlimited employers
• Unlimited employees
• Free phone & email support
• Full functionality

33. -
How can Bright Contracts help
with GDPR compliance?

34. -
Standard Licence: £99 + VAT
• One employer
• Unlimited employees
• Free phone & email support
• Online HR templates
Employment Contracts,
Handbooks & Privacy Policies
Bureau Licence: £199 + VAT
• Unlimited employers
• Unlimited employees
• Free phone & email support
• Online HR templates

35. -
How can BrightPay Connect help
with GDPR compliance?

36. © NEST Corporation 2015
BrightPay
Connect
•Automated
Cloud Backup
Self-Service
Remote
Access
Password
Protected
Payslip Portal
Secure
Document
Exchange
Accurate
Employee
Records
Right to
Rectification
User
Restrictions
Central
Location for
Documents

37. -
Single Employer:
£49
+ VAT per tax year
BrightPay Connect
Standard Pro Bundle:
• BrightPay Payroll
• BrightPay Connect
• Bright Contracts
Worth: £247
Bundle Price: £199

38. -How have we prepared for GDPR?

39. © NEST Corporation 2015
Key
Changes
•In-Program
Customer
Support
Privacy
Policy
Internal
IT Audits
Secure
Servers
Additional
Consent
Staff Training
& Awareness
Bright
Contracts
Thesaurus &
BrightPay
Connect

40. -Questions & Answers