Employing people brings with it a lot of paperwork – from information about training, skills and recruitment, to personal and confidential details such as addresses, pay and disciplinary records. While much of this information used to be stored in locked filing cabinets, it is increasingly being digitised. This carries huge advantages – but also big risks.
As the use of cloud-based payroll systems rises, so too does the risk of data breaches. And with an increasing amount of regulation focusing on how personal data is handled, payroll teams must have a clear, strict and transparent process for the storage and use of any data they hold on their employees.
The European General Data Protection Regulation (GDPR) brought the most significant data protection legislative changes for the management of employees’ personal data. Under the GDPR, employers must notify data breaches which carry a privacy risk for employees without undue delay and, where feasible, not later than 72 hours after becoming aware of them. Moreover, employers infringing this and other GDPR requirements can be subject to administrative fines of up to €20 million or, in the case of an undertaking, four percent of the total worldwide annual turnover of the preceding financial year.
Another example is Singapore’s Personal Data Protection Act 2012 (PDPA), which similarly governs the collection, use and disclosure of personal data by organisations, recognising individuals’ right to protect their personal data, as well as organisations’ needs to use this data. From 1 October 2022, Singaporean authorities can impose financial penalties of SG$1 million, or 10% of local annual turnover for organisations whose turnover exceeds SG$10 million, whichever is higher. The PDPA reiterates the liability of employers for acts of employees, and introduces personal liability for the improper use of data. Personal liability resulting in a conviction can be punished with a fine, not exceeding SG$10,000, or imprisonment for a term not exceeding three years, or both.
With similar data protection laws being introduced in many other jurisdictions, it is important for payroll teams to adequately manage compliance in every country their companies do business in. However, for payroll teams with global responsibility, it can be very difficult to keep up to date with changes in local data protection procedures and regulations. One way companies are addressing this is to work with partners who have the local knowledge and skills to ensure payroll compliance.
The updated data privacy laws require clear policies, procedures and guidelines to be in place, alongside technical and organisational security measures. Among others, these include:
- Adequately informing the (candidate/former) employees about the purposes their data will be used for in all stages of the (pre-/post-) employment and disclosing with whom the data will be shared and for what reason.
- Being transparent about international data transfers and only transferring personal data outside the home jurisdiction if this has been communicated in advance, if it is strictly necessary, and once the required technical and organisational safeguards are in place to protect the personal data to the same standard as in the home jurisdiction. A proper legal basis must be used for such a transfer; different jurisdictions require different legal bases.
- Only requesting a new hire’s social security number and other legally required sensitive personal data after the candidate has accepted the position.
- Securely deleting the rejected job candidates’ resumés in accordance with the predetermined data retention term, about which the candidate was informed in advance.
- Seeking consent before using a resumé for a different role than the one the candidate applied for.
- Communicating about, and having clear policies on, the purposes for retaining ex-employees’ personal data and its deletion.
- Creating a data inventory, and identifying and implementing procedures to securely delete all personal data processed in the various systems.
- Avoiding monitoring of employees’ email, computer and telephone usage, unless the necessity has been shown and evidenced through a data protection impact assessment.
- If employees are being monitored on a large scale, or if the employer’s core activity consists of large-scale processing of sensitive personal data, the GDPR requires a data protection officer (DPO) to be appointed to monitor the organisation’s compliance, with specific requirements for the positioning and the role. Other jurisdictions, like Singapore, require the mandatory appointment of a DPO for all organisations.
- Informing employees about their rights in relation to data privacy laws, and enabling them to exercise these rights through, among other things, raising their awareness.
- Only entrusting the management of employee data to an accredited partner. In the HR and payroll services industry, to provide the required level of data security and information management, the main accreditations and compliance programmes are: International Standard on Assurance Engagements (ISAE) 3402; ISO 27001 – the standard for information security management systems; and ISAE 3402/SOC 1 report for payroll services.