Don't overlook data privacy in global payroll: Avoid risk


December 27, 2019


Ensuring employee data privacy as a fundamental right protects you from violations

Companies all around the world collect highly sensitive information about their workforce in order to process payroll. The personal data collected from employees is essential for timely, accurate and legal payroll processing.

But for multinationals, the global context means that regulations around data collection and processing present many risks, which are often misunderstood or overlooked.

Privacy risks are among the most concerning for you and your employees, because they are easily missed, and violations can be costly. For you and the organization you represent, data privacy is a legal obligation with violations that could lead to significant penalties and fines. Employers who violate the General Data Protection Regulation (GDPR) could face fines of up to 20 million euros or 4% of annual revenue, whichever is higher.

For your employees under GDPR, data privacy is a fundamental right that serves to protect their identity from potential fraud or identity theft. There are many reasons why data privacy has become a pressing concern and risk, and the challenge for global companies is to identify and protect the payroll activities that are more susceptible to security risks.

With so much complexity surrounding payroll-specific data privacy, more and more companies, regardless of where they are located, are assimilating to EU standards on employee privacy freedoms and rights in order to standardize their data management processes and ensure global compliance. The GDPR is generally accepted as a stringent set of privacy regulations, so adhering to its laws can offer you a comprehensive data privacy framework that will ensure the security of your employees’ data.

When global payroll data becomes a privacy risk

Identifying privacy risks starts by asking foundational questions around intent, including:

  • Why employers collect data
  • What they use it for
  • How long they keep it
  • Whether there’s a legal basis for using the data

In order to discover hidden vulnerabilities in your current payroll systems, you are tasked with understanding these questions while also navigating local employment laws.

By first identifying the activities in global payroll that are more susceptible to data privacy risks, you can address potential vulnerabilities in your data management systems. As the GDPR mandates increased data visibility and accountability, companies with an awareness of these more vulnerable activities will have an advantage while working toward a comprehensive and sustainable data protection framework.

Categorizing data

Payroll-specific data is generally categorized as personal information, or any information relating to an identified or identifiable person. However, some employee information that is collected for payroll could also be regarded as sensitive data, including political opinions, racial or ethnic origin, religious or philosophical beliefs, or trade union membership.

These sensitive types of personal information are subject to stricter regulations, and their processing is prohibited with few exceptions. Therefore, if you improperly categorize or process sensitive data, your company might face significant penalties for privacy violation. You should revise the types of personal data collected, and delete, encrypt or redact data based on its level of sensitivity.

Collecting personal information

Requesting data to process payroll payments is considered valid and with legal ground, but you can run the risk of collecting too much confidential information that is not legally necessary for payroll. Companies need “legitimate grounds” to collect and process personal information, meaning data must be clearly necessary for an employment contract or related to it.

Any personal data collected, processed and stored beyond what is contractually necessary presents risks for privacy violation. You should review and revise the amount of personal data you collect and ensure that you are collecting the minimal amount necessary.

Handling employee data requests

Locating and accessing personal employee data quickly is especially important in order to comply with employee data requests. Data privacy rights for employees demand that payroll managers and processors are clear about where personal data is stored and how it can be accessed quickly, so that employees are able to exercise their fundamental data rights when needed.

Employees have the right to request access to their data, the right to restrict processing of personal data, the right to correct and delete their personal data, and the right to data portability. However, not all employee rights apply within the context of processing payroll data, because of obligations inherently found in employment law, so you will have to navigate some legal complexity.

For the more straightforward data rights, like requesting information or correcting inaccurate data, a payroll system that enables employees to access their data on demand can provide employees with a clear procedure to exercise their rights. As a rule, global payroll data should be held securely in a central location, so that sensitive information is kept confidential but is still readily available to retain and report in order to comply with the local law.

Retaining data

In a global operating environment, companies are tasked with navigating many different regional restrictions on how long they can store employee HR data. These local regulations create risks for companies that store payroll information longer than legally allowed without employee consent. Legal data retention periods may also vary based on the type of personal data being collected, adding more legislative nuance for you to navigate. Reviewing and revising data retention policies can ensure that personal information is not held longer than the minimal amount necessary.

Contracting with a decentralized payroll system

Many multinationals have established decentralized payroll systems by outsourcing all or some processing functions to regional providers. Payroll vendors who are thoroughly vetted can offer local expertise and greater data controls, but decentralized reporting often makes it difficult to monitor payroll data processes with a comprehensive global view.

There are many privacy risks for global companies who haven’t updated their vendor contracts to reflect new GDPR data requirements. Outside North America, 50% of payroll outsourcing contracts have been in place for more than four years, so it’s possible some of these older contracts don’t address new requirements.

Drafting a template or checklist of provisions can ensure accuracy and consistency across all your payroll service agreements. To ensure ongoing compliance, create a process to flag new vendor contracts that will involve processing personal data.

Security leaks and data breaches

Improper employee training and outdated procedures for handling payroll data and data security are common causes of network security leaks and breaches. For example, an employee can unknowingly transfer sensitive payroll data through an insecure method, like email, and that data could be leaked to someone with unauthorized access.

In fact, according to the International Association of Privacy Professionals, 84% of all data breaches result from inadvertent actions, such as accidental emails, misdirected faxes, or unintentional posting or mailing of statements. Without strict guidelines for how to responsibly handle personal information, human error and carelessness are likely to result in a privacy risk.

You should establish a data breach policy and make sure employees are properly trained and prepared to comply with the applicable breach notification rule if you suspect a data privacy risk or breach. Under GDPR, if personal data is accidentally or unlawfully disclosed, companies are obliged to report the data breach to their national data protection authorities within 72 hours after discovering the breach.

The privacy risks related to human error and network security can be mitigated with ongoing employee training, including regular updates on data protection policies and procedures. To ensure network security, you can set up an information protection program, outlining proper procedures and control guidelines for employees who handle sensitive data.

Here is an example of some information security guidelines:

What it takes to uphold employee data privacy

Whether you are processing your payroll in house, through contractors and outside vendors, or both, understanding data flows is critical for upholding a data privacy policy. The onus is on employers and processors to keep up-to-date records of all processing activities, and to identify and document how and how often global payroll data is collected, held, used and shared.

Translating data across many different languages and currencies, however, can make record-keeping activities even more daunting. A centralized payroll management system, with standardized data reporting and validation, can help you uphold data privacy through unified processes and a comprehensive view of data flows.

Upholding data privacy also requires you to perform ongoing employee training, because global data security is only effective when the people responsible for safeguarding information are knowledgeable about GDPR compliance. By training, testing and retraining employees with access to sensitive information, you can work more efficiently toward sustaining a data protection control framework.

Conducting regular privacy impact assessments and annual policy reviews can help to maintain company-wide accountability. Under GDPR, companies must hire or nominate a Data Protection Officer regardless of company size, so these individuals can conduct an annual internal audit of payroll processes and systems, review existing privacy policies and procedures, and plan for any necessary changes.

The challenge for multinationals

Maintaining data protection that balances both security and availability is a challenge. Data visibility is often the greatest hurdle to reaching a comprehensive and effective data protection framework, especially when global payroll is managed via a decentralized system. A centralized global payroll model can help make data more visible, secure and accessible by unifying processes and managing information through a single vendor.

Regardless of which payroll model you use while working toward a sustainable data protection framework, you need to be prepared to address why data is collected, what it is used for, how long it is kept, and whether there is a legal basis to do so, no matter where in the world your company operates. These solutions work together to uphold a protection plan with “data privacy by design and default,” but their effectiveness hinges on your ability to enforce them. Therefore, ongoing training on how to properly handle personal data, especially when collecting and using employee information, is paramount to sustaining a data protection control framework.

To maintain data security, companies need to reevaluate their legal obligations, especially when planning change management initiatives, like expanding payroll into new countries. As global regulations around data collection and processing continue to increase, keeping an eye on the privacy of all data as it flows through the payroll process protects companies from falling out of compliance with GDPR and other privacy regulations, and protects employees as well.

Companies who leverage the GDPR’s data privacy regulations are able to identify the payroll activities that put employee data at risk, as well as learn what steps to take to build a comprehensive protection framework and ensure compliance on a global scale.

For more information about how Global Managed Payroll can save you time on compliance and protect you from unnecessary penalties, contact us now.
