The deadline is fast approaching for businesses to comply with GDPR, but attention to data protection is mainly outward-facing. What about data used in-house, such as for e-payslips?
The very nature of electronic communication means that it is always open to messages being sent accidentally to the wrong recipients. Thankfully, data protection laws have helped to protect individuals to some extent if their emails fall into the wrong hands. But GDPR has further highlighted this issue – and employers need to sit up and take notice.
What’s the problem?
Ask yourself – would you leave your payslip lying around? The answer is no, of course, but not taking care of data relating to e-payslips is essentially the same thing.
E-payslips are usually accessed via an email address, but this can be fraught with danger if there is no legislation in place to ensure email addresses are correctly maintained.
Article 32 of the General Data Protection Regulation, known as GDPR, states: “the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Therefore, it acts to ensure that those measures are put in place to protect the data associated with e-payslips.
Therefore, it is up to you, the employer, if you use e-payslips, to check that you hold up-to-date information for your employees. Again, there are things to consider here, such as the admin burden and whether or not there is still a risk of a data breach – for example, if a colleague asked for their e-payslip to be sent to a different email address. There is also the chance that an employee has no email address – what will you provide as a suitable alternative? These are all scenarios that may come about when you take a good look under the surface of what GDPR means to the e-payslip world.
What can you do?
You will also need to consider re-seeking permission from your employees for you to be able to use their email addresses for e-payslip purposes, as well as how you intend to store their data. It might also be worth considering email encryption to protect the content from being read by anyone other than the intended recipients. At the very least, you should also ensure that all e-payslips are set up with a password in case of delivery to a wrong email address.
If you have any further questions relating to how your e-payslips may be affected by GDPR, contact Wilkins Kennedy to see how we can help.