Guys, if you’re anything like me then you’ve been counting down the days, been kept awake with excitement thinking of what to wear and how hard you’ll party for what seems like forever. Yes, that’s right folks, on May 25th of this year our beloved GDPR turns 1 year old! *dries eyes* - they grow up so fast.
We all know that GDPR has been a resounding success but we also know that, like all 1 year olds, there's been some teething problems. So let’s take a look back through our photo album of the past year and see how our little trooper has fared over its first year.
Let’s start with the reason GDPR is in our lives - data breaches. How’s it been doing with those? Well, this is probably the most successful part of GDPR’s short life. Prior to GDPR, there was no single breach notification regime for the EU. Instead there was a patchwork of national interpretations of the 1995 Data Protection Directive (which GDPR replaced), meaning it was a kind of Wild West of data and sensitive information. Then GDPR came sauntering in to bring law and order to a lawless wasteland and created a unified framework for all breach notifications.
A personal data breach is a security incident that leads to personal data a company is responsible for being accidentally or unlawfully destroyed, lost, altered, disclosed or accessed. If this happens, under GDPR (Article 33) the company must report the breach to its national DPA within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned. The number of breaches reported in the last year is a whopping 41,502. Crikey! Looks like GDPR is really whipping people into shape!
To add to that, there has been an eye-watering 95,180 complaints made since the introduction of GDPR - a complaint being from those who believe that their rights under GDPR had been violated. The most common types of complaints (no surprises) were concerning telemarketing and promotional emails.
So what’s been happening as a result of these complaints and breaches then? Well, this is where our golden child’s report card slips from an “A+” to a “B - could be better, gets distracted easily” because although the number of breaches reported has been incredible, the total penalties imposed under the statute added up to €55,955,871. Which sounds really impressive until you remember that a single €50 million fine levied against Google in January accounts for nearly 90% of that sum. The vast majority of companies are still not being penalised at all for data breaches or are being fined so insignificantly that frankly, my dear, they don't give a damn.
So as we dry our eyes and close the photo album of the first year of GDPR’s existence, we can let out a big sigh and know that GDPR is the little regulation that is doing its best and making us all proud as punch. Now let’s all join together in singing a big ol’ Happy Birthday - and don’t worry, I received consent from all present, purchased the rights to the song and accepted cookies on all our behalves so no chance of the feds swooping in mid-song.
I know you've all been dying for another one so here it is; a brand spanking new GDPR blog! Well… if you’re like me then you cannot get enough of GDPR. For my birthday, my pals over at BrightPay got me an extra special GDPR gift in the form of two new Bureau features called ‘Client Payroll Entry’ and ‘Client Payroll Approval’.
So we all know how much of a nightmare it is inputting timesheet data from your clients into your payroll software. The back and forth, and the mistakes. Because if you key the same data twice, the margin for error is doubled with it. Not only this, but the payroll data is sent to the bureau in the form of emails, Word documents, spreadsheets, sometimes even a phone call. We’ve talked before about emails and GDPR, but in case you missed it: it is better avoided.
Email is not a secure channel, least of all for the volume of sensitive employee data a payroll run involves: a message and its attachments usually sit unencrypted in both mailboxes and on every mail server in between, and a mistyped address delivers them to a stranger. If you do use email to send clients payslips, encrypt the payslips, password-protect each one, send the password by a separate channel (never in the same email), and make sure copies are deleted from mail servers once sent.
So what this new Payroll Entry Feature does is put the onus on the client to input their own payroll data into the secure employer dashboard, thus reducing the back and forth and making sure all that important data is sent through a secure portal. Once the payroll data has been submitted to the bureau, hey presto - the bureau has all of the accurate payroll information, ready to download to the payroll software.
Before, this would have had to be approved via email and then sent to the client, who would send back what needed to be rectified, and then back and forth, back and forth again. It’s a mess! The second new feature from BrightPay Connect is the Payroll Approval feature: the bureau sends the client a preview of the payroll summary statement to the secure BrightPay Connect portal, the client reviews it, approves it and then *ping* the bureau has confirmation that the payroll is correct and everyone lives happily ever after.
With these new BrightPay Connect features the exchange of information stays inside an authenticated portal rather than passing through email. The online portal is protected by username and password, with role- and permission-based access for each user, so each person only sees what their job needs. This is the stuff that GDPR dreams are made of, as it places the responsibility for security into the hands of you, the people GDPR was made for.
If you want to get technical *puts on glasses and lab coat* - “The BrightPay Connect service is a web based application hosted on the Microsoft Azure platform. All data transmitted to and from the cloud service is secured using SSL over HTTPS. This includes data sent via web browsers and data sent from payroll applications”. - BrightPay Connect. In plain terms that is transport encryption (TLS): it protects data while it travels between your browser or payroll application and the service. It does not protect a weak password or an over-privileged account, which is why the user roles and permissions above matter just as much.
Book your demo today at https://www.brightpay.co.uk/connect/
BrightPay Connect is an online payroll and HR tool that offers significant benefits to help your business comply with the GDPR legislation. BrightPay Connect is an add-on product to the payroll software. The main objective of BrightPay Connect is to increase the efficiency and effectiveness of payroll work within the remit of the GDPR guidelines.
Automatic Cloud Backup
Are you keeping your payroll files safe and protected? It is important to keep them protected in case of the event of fire, theft, cyber-attacks and damaged computers. BrightPay Connect is the solution. It is hosted on Microsoft Azure for ultimate performance and reliability. BrightPay Connect keeps a chronological history of all backups which can be restored at anytime.
Employee Self-Service Portal
Are you trying to find ways to improve your time-management skills? You can invite employees to their own self-service online portal which can be accessed using a smartphone app or any web browser. Employees will be able to securely access and download payslips, P60s, P45s, submit annual leave requests and view leave taken and leave remaining.
Bureau / Employer Dashboard
Are you looking for an easy and secure way to share documents? BrightPay Connect provides a self-service dashboard to both accountants and employers so they can access payslips, payroll reports, amounts due to HMRC, annual leave requests and employee contact details. You can also securely share resources, upload HR documents and get payroll data approval from the client electronically.
24/7 Online Access
Do you want to be in control at anytime and anywhere? BrightPay Connect allows mobile and online access at any time of the day. This follows the GDPR recommendation (Recital 63) that, where possible, the controller should provide remote access to a secure system where individuals have direct access to their personal payroll data.
Data Input (coming soon)
For bureaus, clients can upload or manually input their employees’ hours and payment details inside the portal, which keeps that data out of email. Once the hours are added or imported, the information can be automatically synchronised to the employer file on the bureau’s PC, ready for processing. Bureaus can then securely send a payroll summary back to the client for approval through BrightPay Connect. This will eliminate the need to exchange emails, reduce double entry and minimise errors from manual data input.
HR & Annual Leave Management
BrightPay Connect also includes an employee calendar, which can keep record of all employees past and future leave including annual leave, unpaid leave, absence leave, sick leave and parenting leave. Employers can upload sensitive HR documents such as contracts of employment. Access can be restricted for certain users.
There is a considerable business opportunity for payroll bureaus to increase revenue while complying with the GDPR. There are significant discounts for bulk purchases.
If you are interested in BrightPay Connect, why not attend one of our free online demos!
Are you missing out on our newsletter? We will not be able to email you without you subscribing to our mailing list. You will be able to unsubscribe at any time. Don’t miss out - subscribe today!
Nearly 5 months since the General Data Protection Regulation (GDPR) was introduced across the European Union, complaints around data protection have nearly doubled in the UK according to the Information Commissioner’s Office (ICO).
GDPR was designed to give data subjects more control over their personal data, with more transparency and the threat of larger fines for those in breach of the new rules. The GDPR requires any organisation that suffers a personal data breach to notify its supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and to tell the affected data subjects without undue delay where the breach is likely to result in a high risk to them.
• Data protection complaints to the UK’s ICO rose to 4,214 in July compared to just 2,310 complaints received in May before the GDPR came into force. A spokesperson for the ICO said the increase was expected, as more users became aware of data protection because of publicity around the new rules and following a series of high-profile data scandals involving some well-known household names, like Morrisons and Dixons Carphone.
• In July the ICO reported that since May 25th, it had seen a four-fold increase in the number of breaches that organizations were self-reporting.
Experts note, however, that the increases do not mean that the number of data breaches has suddenly gone up, but rather that the full scale of the data breach problem is becoming better known.
Organisations that fail to comply with GDPR can face fines of up to 4% of annual global turnover or €20 million, whichever is greater. So far none of the EU’s data protection authorities (DPAs) have levied any fines. Multiple DPAs told the International Association of Privacy Professionals Advisor newsletter that it is simply too soon.
We will be hosting a free online webinar on ‘GDPR 5 Months On’ on Tuesday October 16th at 11am, where we will look at the implications of GDPR on payroll processing and how employers can demonstrate compliance by following a few simple steps.
BrightPay Connect is tailored to help you overcome some of the key challenges GDPR presents when processing payroll. The payroll itself is still processed on BrightPay’s desktop application, however the payroll information is stored online on a secure cloud server. As the payroll information is stored online, it has allowed us to bring you even more benefits to help you with GDPR compliance.
With the GDPR, it is important to keep a copy of payroll files safe in case of fire, theft, damaged computers or cyber attacks. Essentially BrightPay Connect is an automated cloud backup, keeping employees’ payroll data safe and secure. BrightPay Connect will automatically back up payroll data every 15 minutes while the payroll is open, and again when you close down the employer file. A chronological history of all backups is maintained and can be downloaded and restored at any time.
Recital 63 of the GDPR recommends that, where possible, the controller provides remote access to a secure system giving individuals direct access to their personal data. With BrightPay Connect, employees can be invited to their own password-protected self-service portal. Employees can log in to the portal 24/7 on any device, including PCs, Macs, tablets and smartphones (essentially anywhere that they have access to an internet browser), or there is also an employee smartphone app where employees can log in and get notifications directly on their device.
With BrightPay Connect, employees can access a payslip library where they can view and download all historic and current payslips. Employees can also access payroll documents such as P60s and P45s, HR documents (e.g. their contract of employment), personal data held by their employer and past and scheduled leave.
The right to rectification of personal data held is an important employee right under the GDPR. With the employee self-service portal, employees can update their basic personal details such as their phone number and postal address.
Data controllers and data processors must ensure that the personal data held is relevant and up-to-date. As employees can update their basic personal details on BrightPay Connect, this ensures that employers and payroll bureaus have the most accurate and current details on file for employees.
With the GDPR, data controllers must ensure that, by default, only personal data which is necessary for each specific purpose of the processing is accessible. Therefore, payroll processors should only have access to the personal data that is strictly required for processing the payroll. This is the data minimisation principle (Article 5(1)(c)) applied as data protection by default (Article 25(2)). With BrightPay Connect, users can be set up so that they only have access to the information needed to complete their specific responsibilities, and anything not explicitly granted stays out of reach. For example, there may be an HR manager who should not have access to employees’ payroll data, or a payroll processor who should not have access to employee documents or to employees marked as confidential.
BrightPay Connect acts as an all-in-one central location to store all things employee related, including payroll, HR and other employment-related documents. Employers have the ability to upload documents that apply to all employees (e.g. company handbook), documents that are unique to individual employees (e.g. contract of employment), or even documents that are relevant to a particular department.
If you are a payroll bureau, you can invite your payroll clients to BrightPay Connect to their own online employer dashboard. This is a secure portal for client communications, eliminating the need to send documents containing sensitive personal information by email. Clients can view employee payslips as soon as they have been finalised, they can run their own payroll reports and view amounts due to HMRC. Clients will also be able to upload employee timesheets and payments and approve the payroll through their employer portal (coming soon), which keeps that payroll data off email as well.
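The "only what the job needs" rule above is easiest to get right when access is denied by default and every read has to be granted by an explicit rule. The following is an added illustration, not BrightPay Connect's own code: the role names, the four resource kinds and the "confidential employee" flag are assumptions chosen to show how the HR manager / payroll processor / confidential record cases from the text fall out of one small policy function.

```python
"""Deny-by-default, role-based access checks for a payroll portal.

Added example; this is not BrightPay Connect code. The role names,
resource kinds and the "confidential employee" flag are assumptions
chosen to illustrate data protection by default: a user sees nothing
unless a rule explicitly grants it.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Kinds of personal data held on an employee record (assumed names).
PAYROLL = "payroll"        # pay, tax and NI figures, payslips
DOCUMENTS = "documents"    # contract of employment, HR uploads
LEAVE = "leave"            # leave calendar
CONTACT = "contact"        # phone number, postal address
ALL_RESOURCES = (PAYROLL, DOCUMENTS, LEAVE, CONTACT)

# Role -> resource kinds that role may read. Anything not listed is denied,
# and a role the table does not know grants nothing at all.
ROLE_PERMISSIONS = {
    "payroll_processor": {PAYROLL, CONTACT},
    "hr_manager": {DOCUMENTS, LEAVE, CONTACT},
}
# What an employee may read about themselves through self-service.
SELF_SERVICE = {PAYROLL, DOCUMENTS, LEAVE, CONTACT}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    confidential: bool = False   # e.g. directors: hidden from ordinary users


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]
    own_emp_id: Optional[str] = None    # set when the user is also an employee
    can_see_confidential: bool = False  # explicit extra grant, off by default


def is_allowed(user: User, employee: Employee, resource: str) -> bool:
    """Return True only when an explicit rule grants the read."""
    if resource not in ALL_RESOURCES:
        return False                      # unknown resource kind: deny
    # Self-service: an employee may read their own record.
    if user.own_emp_id is not None and user.own_emp_id == employee.emp_id:
        return resource in SELF_SERVICE
    # Records marked confidential need a separate, explicit grant.
    if employee.confidential and not user.can_see_confidential:
        return False
    granted: Set[str] = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return resource in granted


def visible_resources(user: User, employee: Employee) -> Set[str]:
    """Everything this user may read on this employee's record."""
    return {r for r in ALL_RESOURCES if is_allowed(user, employee, r)}


if __name__ == "__main__":
    # Constructed sample data: two employees, three users.
    staff = [Employee("E001"), Employee("E002", confidential=True)]
    users = [
        User("processor", frozenset({"payroll_processor"})),
        User("hr", frozenset({"hr_manager"})),
        User("self", frozenset(), own_emp_id="E002"),
    ]
    for u in users:
        for e in staff:
            print(u.user_id, e.emp_id, sorted(visible_resources(u, e)))
```

The design choice worth copying is that every branch that is not an explicit grant returns False: an unknown role, an unknown resource kind and a confidential record without the extra flag all fall through to a deny, so a misconfigured account loses access rather than gaining it.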
Essentially, by introducing BrightPay Connect in your business, you will be taking steps to be GDPR compliant. Book a demo today to have a look at BrightPay Connect.
Under Article 16 of the GDPR, individuals have the right to rectify data that is inaccurate about them. An individual may also be able to have incomplete personal data completed. Although you may have already taken steps to ensure that the personal data was accurate when you first obtained it, this right imposes a specific obligation to reconsider the accuracy upon request.
What do we need to do?
If you receive a request from an individual to rectify their personal data, you should take reasonable steps to ensure that the data is accurate and rectified if necessary. The reasonable steps taken will depend on the nature of the personal data and what it will be used for. The more important the personal data is to be accurate, the greater the effort you should put into ensuring it’s accurate and if not, taking steps to rectify it.
When is data inaccurate?
The GDPR itself does not define the term accuracy. However, the UK Data Protection Act 2018 states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact. It is the data controller's responsibility to ensure the personal data they manage is accurate and up to date.
Can we refuse to comply with the request for rectification for other reasons?
You can refuse to comply with a request for rectification if the request is excessive or manifestly unfounded, taking into account whether the request is repetitive in nature. There are two things you can do if you consider that a request is excessive or manifestly unfounded:
1. Request a “reasonable fee” to deal with the request
2. Refuse to deal with the request
You will need to justify your decision in either case. The reasonable fee should be based on the administrative costs of complying with the request. If you decide to charge a fee, it is advised that you contact the individual within one month. You do not need to comply with the request until you have received the fee.
In most cases, you cannot charge a fee to comply with a request for rectification. However, as noted above, if the request has been excessive or manifestly unfounded you may charge a reasonable fee to cover the administrative costs.
Businesses must provide their employees with information on what happens to their data, for example sharing employees’ personal data with a payroll bureau who processes the payroll. Employee personal data can be stored and managed by a payroll bureau, bookkeeper or accountant for the sole purpose of correctly paying their wages, paying the correct tax and providing a payslip. All of this is processing of personal data within the scope of the GDPR.
Many bureaus have expressed concern and confusion in relation to getting consent from clients’ employees and securely distributing payslips. Payroll bureaus do not need to seek consent from the individual employees whose payroll they process. However, the employer will need to inform their employees that they are sharing their personal information with a third party.
Because payroll processing does not rely on consent, there is no consent for an employee to withdraw: the lawful basis is the employer’s legal obligation and the employment contract. It should be noted that bureaus should keep only the personal data that is strictly required for the purpose of the payroll. This is the data minimisation principle, applied as data protection by default.
BrightPay is running a free webinar to help you with what you need to know about GDPR. The webinar takes place on 3rd July at 11.00 am and is free to attend for payroll bureaus and employers.
This webinar will look at the biggest areas of concern including emailing payslips, employee consent and your legal obligation. We will also look at some important steps to achieve GDPR compliance.
Employers must take steps to protect and securely manage employees’ personal data to comply with GDPR. Equally, where a business outsources their payroll to a third party (payroll bureau), they are legally obliged to provide assurances to safeguard the payroll information they manage on behalf of their clients. Places are limited.
If an employer fails to comply with auto enrolment, the Pensions Regulator will take enforcement action. Although the rollout of auto enrolment began in 2012, it is now that the true consequences of non-compliance are coming to light.
Data Protection has always been a concern for BrightPay and we have always aimed to act with complete integrity in this regard. In preparation for GDPR, we have had to complete a total review on how we gather, maintain and use data. We have taken steps to securely protect our customers information including increased encryption, securely deleting files from our servers and updating our privacy policies in line with GDPR.
Whenever a data controller uses a data processor there needs to be a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR (Article 28(3)) sets out certain terms which must be included in the contract.
BrightPay’s employee self-service smartphone and tablet app is available with our cloud add-on BrightPay Connect. The advancement of employee mobile apps offers many different advantages for employers, employees, and the business as a whole. For employers and HR Managers, the user-friendly portal will streamline payroll processing while reducing the number of payroll queries from employees.
Where possible, the data controller should offer self-service remote access to a secure system providing individuals with access to their personal data. BrightPay Connect is a self-service option which provides online access 24/7. Employees can view and download current and historic payslips, P45s and P60s. Annual leave can also be requested, which flows through as a notification for the employer to approve. Employee contact information can be edited and updated, keeping records accurate at all times. For payroll bureaus, your clients can instantly access payslips, payroll reports, an employee leave calendar, and amounts due to HMRC.
If you are employing staff for the first time this year, it’s important to understand what to do and when, so you can meet your automatic enrolment duties on time. Your legal duties begin on the day your first member of staff starts work. This is known as your duties start date. Even if you think you won’t need to put staff into a scheme, you will still have duties.
Is the emailing of payslips permissible under GDPR?
There is nothing in the GDPR that states it is no longer permissible to email payslips; this practice is still very much acceptable. The thing to keep in mind in relation to emailing payslips is to ensure that all appropriate security measures are in place. The payslips that are emailed from BrightPay are encrypted and deleted from our servers once sent; however, it is also prudent for the processor of the payroll to password-protect the payslips, and to give employees the password through a different channel than the email itself. It will be the responsibility of the data controllers (employers) to be vigilant that correct email addresses are entered, since a payslip sent to the wrong address is itself a personal data breach.
Can I still use my hard-earned mailing lists after May 25th?
Not automatically - the GDPR states that to be able to lawfully process personal data you must be able to rely on at least one of the six lawful bases in Article 6, the first one being consent. Consent must be:
• Specific, informed, unambiguous, and freely given – there must be evidence that clear affirmative action has been given.
• Must be for a specified purpose
• Where consent is obtained as part of a larger document covering other things, consent text must be clearly distinguished from everything else
• Evidence needs to be retained as to how the consent was obtained. For example; forms, brochures signage, website screenshots.
• Language must be accessible and easily understood.
• Have a clear and seamless opt-out process in place: withdrawing consent must be as easy as giving it.
If you have mailing lists that you’ve used pre-GDPR, you will not be able to continue using them unless you can evidence specific consent from the individuals on them.
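The consent conditions above are easier to meet if the mailing list is driven by a record of each consent rather than by the list itself. The following is an added illustration, not BrightPay's own code: the purposes, sources, evidence references and sample addresses are constructed. It enforces the rules listed above (consent is specific to a purpose, must be evidenced and versioned, must not be bundled into a larger document, and withdrawal must be honoured) and shows why a pre-GDPR list with no consent records simply filters down to nothing.

```python
"""Evidenced, per-purpose consent ledger for a mailing list.

Added example; not BrightPay code. The purposes, sources and sample
addresses are constructed. The rules it enforces are the ones listed
in the text: consent is specific to a purpose, must be evidenced, must
not be bundled into other terms, and a withdrawal must be honoured.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so sample timestamps are timezone-aware."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str           # e.g. "newsletter"; one record per purpose
    given_at: datetime
    source: str            # "web_form", "paper_form", "event_signage", ...
    evidence_ref: str      # id of the retained form/screenshot showing the wording
    text_version: str      # version of the consent wording the person saw
    bundled: bool = False  # True if the consent sat inside a larger document


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []
        self._withdrawn: Dict[Tuple[str, str], datetime] = {}

    @staticmethod
    def _key(email: str, purpose: str) -> Tuple[str, str]:
        # Normalise so "Ann@Example.com " and "ann@example.com" are one person.
        return (email.strip().lower(), purpose)

    def record(self, rec: ConsentRecord) -> None:
        """Store a consent; reject anything that could not be evidenced."""
        if rec.bundled:
            raise ValueError("consent text must be clearly distinguished from other terms")
        if not rec.evidence_ref or not rec.text_version:
            raise ValueError("consent must be evidenced (form, screenshot) and versioned")
        self._records.append(rec)
        # A fresh, explicit consent supersedes an earlier withdrawal.
        self._withdrawn.pop(self._key(rec.email, rec.purpose), None)

    def withdraw(self, email: str, purpose: str, at: datetime) -> None:
        """Opt-out: one call, no conditions, as easy as opting in."""
        self._withdrawn[self._key(email, purpose)] = at

    def may_contact(self, email: str, purpose: str) -> bool:
        """True only with a current, evidenced consent for this exact purpose."""
        key = self._key(email, purpose)
        if key in self._withdrawn:
            return False
        return any(self._key(r.email, r.purpose) == key for r in self._records)

    def evidence_for(self, email: str, purpose: str) -> List[ConsentRecord]:
        """What you would show a regulator who asks how consent was obtained."""
        key = self._key(email, purpose)
        return [r for r in self._records if self._key(r.email, r.purpose) == key]


def filter_mailing_list(ledger: ConsentLedger, addresses: List[str], purpose: str) -> List[str]:
    """Drop every address that lacks current, evidenced consent for this purpose."""
    return [a for a in addresses if ledger.may_contact(a, purpose)]


if __name__ == "__main__":
    # Constructed sample: one evidenced consent, one legacy address, one withdrawal.
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("ann@example.com", "newsletter", utc(2018, 6, 1),
                                "web_form", "shot-001", "v1"))
    ledger.record(ConsentRecord("bob@example.com", "newsletter", utc(2018, 6, 2),
                                "paper_form", "scan-002", "v1"))
    ledger.withdraw("ann@example.com", "newsletter", utc(2018, 7, 1))
    old_list = ["ann@example.com", "bob@example.com", "legacy@example.com"]
    print(filter_mailing_list(ledger, old_list, "newsletter"))
```

Two details carry the compliance weight: consent is keyed by purpose, so a newsletter consent does not unlock "special offers", and the ledger keeps the evidence reference and wording version with each record, which is what you need to answer "how did you obtain consent?" later.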
Do we need to ask for consent from our employees to process their data?
No. The lawful basis for processing and retaining their data is the employer’s legal obligation to deduct taxes and so on, and the contract in place to pay them and pass on the taxes owed on their behalf. In addition, given the imbalance of power between an employer and an employee, consent in that relationship would not be freely given or unambiguous, so it is not an appropriate basis to rely on.
More information can be found in the GDPR section of our online support documentation on our website - Bright Contracts UK - GDPR
Payroll Data & GDPR - What you need to know about consent, emailing payslips, and your legal obligation.
Employers must take steps to protect and securely manage employee’s personal data to comply with GDPR. Equally, where a business outsources their payroll to a third party, they are legally obliged to provide assurances to safeguard the payroll information they manage on behalf of their clients.
Given recent cyber-attacks, an updated security process is definitely required to protect the personal data that we manage. GDPR is not a new concept; it is an upgrade of existing data protection rules to protect all individuals. Essentially, GDPR is an overhaul of the way we process, manage and store individuals’ personal data.
This free webinar will uncover the ins and outs of the impact of GDPR on your payroll processing, highlighting the biggest areas of concern including emailing payslips, employee consent and your legal obligation. Places are limited, book early to avoid disappointment.
We will walk you through some important steps to achieve GDPR compliance by examining the following topics:
What does GDPR mean for your payroll processing?
Payslips & GDPR Compliance
BrightPay & GDPR
GDPR is changing how we communicate with you. After May 2018, we will not be able to email you about webinar events, special offers, legislation changes, other group products and payroll related news without you subscribing to our newsletter. You will be able to unsubscribe at any time. Don’t miss out - sign up to our newsletter today!