The Top 5 Ways to Protect Your Payroll Data

In the four years since the General Data Protection Regulation, or GDPR, came into force, both employers and employees have become better informed as to their rights and obligations when it comes to data protection. Employers are aware that they need a legal basis or legitimate reason to hold an employee’s personal data. These reasons can include: the employee consenting to their data being processed; to fulfil parts of an employee’s contract; to take steps at the request of the employee before entering into a contract; to comply with legal obligations in respect of an employee’s vital interests; or for the purposes of the legitimate interests of the organisation.

But whatever the justification for processing an employee’s data, the employer must be transparent about how it is being used and ensure that the personal data is safeguarded both inside and outside the organisation.

Payroll deals with employees’ most personal data such as name, address, National Insurance Number/PPS Number, contact information, salary/wage and bank details. If this data were to fall into the wrong hands it could result in more than a headache for your organisation. Fines for data protection infringements range up to £8.7 million under the UK GDPR, €10 million under the EU GDPR or 2% of annual global turnover.

Protecting your organisation from exposure to the wrath of the data protection authorities is the responsibility not just of the Data Protection Officer in your organisation, but of every employee. Many of the following recommendations may sound like plain old common sense, but 1,500 companies across Europe have been fined, and these fines ranged from the low thousands to the €746 million fine imposed on Amazon in Luxembourg for ‘non-compliance with general data processing principles’ in 2021. Even for those who were given low fines, the resources that were needed to respond to the complainants could surely have been put to better use on a more beneficial project.


So, let’s begin with the basics:


1- Who Has Access To Payroll Data?

No matter how small your organisation is, nobody other than those who need to process payroll should have access to payroll data. The only people who need access are payroll staff, HR, and the business owners or the leadership team. Any employee who does have access, regardless of their level of seniority, should complete a stringent training course on data security.

2- Regularly Update Payroll Passwords:

Constantly having to change your passwords (passwords should be changed every two to three months) is one of the bugbears of living in the information age. However, it’s not done so the software vendor or the business can watch employees tear their hair out in frustration as they try to remember their latest login details; it’s done to minimise the risk of breaches and unwanted access to sensitive data. It isn’t the panacea to all payroll security threats, but in this era of hybrid and remote working, it is a safeguard that you ignore at your peril. Best practice would advise that you also adopt multi-factor authentication.

3- Update Your Payroll Software!

Staying on top of the ever more sophisticated methods used by criminals who hold companies to ransom when they steal swathes of sensitive personal data is an increasingly complex business. That is the responsibility not only of the payroll software vendor, but of you, their client. Updates are released by software vendors because they have encountered a threat and have put measures in place to prevent hackers using this method in the future. The disruption caused by the relatively small amount of time it takes to update to the latest version needs to be compared to the days and weeks that will be saved by not having to deal with the fallout from a ransomware attack. Hackers plan their attacks to cause maximum disruption and will generally strike on a Thursday night or Friday morning. If you don’t want to spend your weekend working around the clock, update your software as soon as you are notified that a new version is available. Or better still, change your settings to allow automatic updates.

4- Lock Down Sensitive Data

Changing passwords regularly and updating your software are sensible steps to protect your employees’ sensitive data. So too is tightening your computer security. If you haven’t already, install a firewall to block unauthorised access. Back up your data on a regular basis, and use spam filters to detect unsolicited emails. The level of sophistication of spam emails is ever increasing. Train your staff to NEVER click on a link in an email, no matter how innocuous or genuine it may look. Encrypt sensitive data on your computers and other devices, and ensure employees log out of the payroll system before they leave their desk.

5- Beware Former Employees.

A former employee is not your friend. Well, they may still be your personal friend, but they are no longer a friend of your organisation. This might sound a little paranoid, but with the level of fines your company risks by breaching data protection rules, a little paranoia goes a long way. When an employee leaves your organisation, even if you believe they never had access to sensitive data, reset their passwords, disable their access to all company software and any hardware that allows them to connect to your network. It doesn’t matter if they left on the best of terms or if they were escorted to the front door by security, carrying their belongings in a box. Either way, ensure once they leave, they no longer have any access to your company’s cloud or servers. It might seem a little like overkill, but isn’t it worth it for the peace of mind that it will bring?


Payroll – A Treasure Trove For Hackers.

If a hacker makes their way into your payroll system, they will cause you a world of pain. They will use your employees’ data, their addresses, National Insurance numbers, bank account information and every other piece of information your payroll contains to extract as much money from you as they can. They will disable your network and grind your business to a halt until you pay them what they demand. If you don’t pay, your data could end up being sold to the highest bidder on the dark web. The financial and reputational damage to your business should not be underestimated. Every week organisations like yours are held to ransom by hackers who search for any weakness in security to gain access and wreak havoc. But it doesn’t end with a ransom payment, or a rebuild of your system from the last backup. Under GDPR rules your organisation is obliged to inform not only your country’s data protection agency, but each individual whose personal data has been compromised. Your organisation may face hefty compensation payments and fines. Being able to demonstrate that you had taken every possible precaution is the only way these penalties may be mitigated.

