To begin with, whichever of Snow’s products is used, users can have complete confidence in the security of their payroll data. Our software will always make use of encrypted data to ensure that it is secure on its servers for complete peace of mind. However, secure servers and encrypted files don’t necessarily mean that General Data Protection Regulation (GDPR) compliance is being met. What is involved with data protection accountability with outsourced payroll functions and what contract requirements does GDPR place on users? Read on to find out.
Accountability With Data Protection
Throughout the EU – including Ireland, of course – GDPR now means that anyone who handles and processes personal data has certain responsibilities. Sometimes, these are at an organisational level, but they can come down to the individual, as well. As such, anyone performing tasks at a payroll office, whether it is in-house or outsourced, should be considered a data processor. Conversely, the client – the business for which the payroll is being administrated – would be referred to as the data controller in GDPR terminology.
These distinctions are important because legacy data protection legislation tended to focus on data controllers. However, the legalistic approach taken with GDPR differs from this traditional model. Now, data processors have significant obligations – as well as potential liabilities – in their own right. To make this clearer, data processors could face fines or other penalties under GDPR if they have not protected data sufficiently well.
Due to the augmented accountability GDPR places on payroll offices, anyone processing personal information needs to be vigilant and ensure that they have a contract with their client. Without one, they are exposed to potential penalties under GDPR. What outsourced payroll offices need, in particular, is a document that lays out their obligations in a precisely defined manner.
Bear in mind that under Ireland’s pre-existing data protection laws, contracts between a client and a payroll office needed to be in writing. This has not changed. It is just that GDPR has placed a further onus on data processors since 2018 in terms of their own accountability.
Contractual Obligations With GDPR
Under GDPR, the contractual requirements placed on data processors of all kinds are more onerous. Since May 2018, outsourced payroll contracts have needed to set out clearly the subject matter and duration of the processing as well as the nature and purpose of the data that needs to be processed. Information on the sorts of personal data held must also be included within the contract as must the obligations and rights of the data controller, or payroll client.
Furthermore, some contractual terms are mandated by GDPR. For example, a clause stating that the data processor must only act on the written instruction of the controller ought to be included. In addition, a clause stating that the data processor will ensure that any persons processing payroll data are subject to a duty of confidence should appear. Among other elements, a contract between a payroll client and their data processor must include end-of-contract clauses. This is especially important to ensure the continued security of any personal records that might have passed between the two parties even if their contract comes to an end for whatever reason. Under such circumstances, the payroll office concerned should be obliged by the terms of their contract to delete or return all the personal data they have been given by the data controller when requested to do so. Importantly, GDPR allows for an exemption to this general principle. This applies when the data processor is required to retain data by law for a certain period, as is often the case with taxation records, for example.
Other areas that contracts between clients and payroll offices should cover include the engagement of sub-contractors in data processing, which GDPR terminology calls sub-processing. In short, data processors can only sub-contract payroll work with the prior consent of their client. In addition, data processors are obliged to inform their client of any data breaches or security issues that arise while payroll functions are being carried out. Importantly, GDPR-compliant contracts should make it clear that the data processor has taken ‘appropriate measures’ to make sure that security is maintained while processing data. It is in this area that Quantum Payroll Software is so beneficial, of course, because it has all of the built-in security and encryption measures that are needed, far exceeding what would be considered ‘appropriate’ in most cases and providing best-in-class payroll security.
According to the regulations laid down under GDPR, data processors’ contracts with their clients should also make it clear that they will submit to audits and other types of inspections, as required. Furthermore, payroll offices must provide their clients with whatever information they ask for with respect to data protection law. Although not strictly necessary, it is considered good professional practice to have a contractual clause stating that nothing within the contract relieves either party of their legal obligations and liabilities under the GDPR.
Statutory Responsibilities Placed on Data Processors
All individuals and organisations that are designated as data processors under GDPR have statutory responsibilities. Although who or what constitutes a data processor can be open to interpretation in some business settings, the flow of sensitive personal and commercial information, such as that regarding the pay of individuals within a business, means that there is no interpretive wriggle room for payroll offices. Therefore, in addition to their contractual requirements, as outlined above, payroll offices must have a clear understanding of what their statutory obligations are. GDPR places them, as data processors, under several legal restrictions.
To begin with, payroll offices must not engage a sub-contractor without the prior written consent of their client, even if a contractual clause in their agreement expressly permits this. Furthermore, if a sub-processor is appointed with the permission of the client, then such a sub-contractor would be under the same data protection obligations as the lead processor, regardless of their jurisdiction. Again, GDPR states that payroll offices may only process data on the written instructions of their client, hence the need for a contract in the first place.
The role of a payroll office as a data processor can also change. Under statute law, if a payroll office were to make any of its own determinations about the processing of a given set of data, then – if these were to be made without the instructions of the client – the payroll office itself would be considered to be a data controller, with all the additional responsibilities such a status would bring. Perhaps more straightforwardly, payroll offices, as data processors, must cooperate with any supervisory authority or state official with authority to inspect data. To this end, there is a statutory duty placed on them to maintain records of their data processing activities.
Finally, the law states that payroll offices must implement appropriate security measures, tell their clients of a data breach without undue delay, and comply with the GDPR restrictions on transfers of personal data outside of the EU. This final aspect of statutory responsibilities covers even the temporary storage of personal data on a server that is based somewhere other than within the EU.
To Sum Up: All payroll offices need to review their current client contracts to make sure they are truly GDPR compliant and contain the clauses that are mandated. Where old contracts exist, new ones should be drawn up or a data protection addendum should be added. Note that, whether a compliant contract is in place or not, data protection is at the core of GDPR, which makes using a secure platform more important than ever before.