Julie Hodgskin: Payroll and the General Data Protection Regulation

Julie CIPP

Part of the process of preparing for the new General Data Protection Regulation (GDPR) will be to perform a payroll information data cleanse. This needs to be planned and methodically carried out by 25 May 2018.

The Information Commissioner’s Office has given us a tool to use in the form of the Privacy Impact Assessment (PIA). By following the six steps below it will be possible to manage the process.

First, identifying the need for a PIA. Why, what, and who owns the process?

Second, describing the information flows. Review and update existing procedures. Review what information is collected, used, where it is held, for how long, and how it is destroyed. GDPR requires more stringent controls.

Third, identifying the privacy and related risks. What are the reputational, financial and legal risks to the organisation? What is the risk to the individual of financial or identity theft?

Fourth, identifying and evaluating privacy solutions. Name each risk and identify solutions. For example, to mitigate against the risk of identity theft by a third party, use pseudonymisation of the individual’s data. However, if this approach is taken, do keep the two sets of data completely separate or the point of using pseudonymisation would be lost.

Fifth, signing off and recording the PIA outcomes. Summarise the process, document the steps taken, and outline how risks were reduced. This is useful for future data cleanse projects, and also as evidence to show compliance in the event of a data breach.

Sixth, integrating the PIA outcome in to the project plan. Repeat the process on a regular basis to ensure that compliance is maintained. The PIA may lead to other actions being taken and possibly a re-think of what, where, and for how long the data is held.

Julie Hodgskin is technical material author at the Chartered Institute of Payroll Professionals (CIPP)