Frequently Asked Questions

We’ve put together a list of some of the frequently asked questions we’ve been asked by our customers regarding the General Data Protection Regulations.

1. Will it still be permissible to email payslips under the GDPR?

There is nothing in the GDPR that states it is no longer permissible to email payslips, this practice is still very much acceptable. The thing to keep in mind in relation to emailing payslips is to ensure that all appropriate security measures are in place. Emailed payslips from BrightPay are encrypted and deleted from our servers once sent, however we would also advise that passwords are used on all payslips. A common type of personal data disclosure occurs when an email is sent to an incorrect recipient. Data controllers (employers) will need to be vigilant that correct email addresses are inputted.

2. Will it still be permissible to post payslips under GDPR?

Similar to the above, there is nothing in the GDPR that states it is no longer permissible to post payslips. Those posting payslips will need to ensure that all appropriate security measures are in place. This may include using securely tightened envelopes, marking the envelop as “Private and Confidential” and ensuring that it is addressed to a specific person. In some cases, you may decide to use registered post.

3. If we, the payroll bureau, receive a data subject access request from a client's employee should we respond?

Firstly, let us clarify each party's role:

• Payroll bureau = data processor
  
  
• Client = data controller
  
  
• Client's employee = data subject
  
  

Our understanding is that in this situation, the data subject should submit their access request directly to the data controller. It will be the data controller's responsibility to contact any data processors from there.

4. We currently pay £35 per year to the Information Commissioner's Office (ICO) for data protection. What is the process with GDPR? Do we still need to register and pay fees?

Under the GDPR there will no longer be a requirement to notify the ICO in the same way. However, a provision in the Digital Economy Act means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. 

5. How long do we need to keep payroll records for?

According to HMRC guidelines, they recommend that payroll records are kept for 3 years from end of Tax Year they relate to.

https://www.gov.uk/paye-for-employers/keeping-records

6. When using the desktop software, is there an option for login and password.

There is an option when you set up the company to password protect it. If this was not done at the initial setup you can go to the File menu and select Set/Change Password, you can then enter one for use each time you open the company.

7. Will GDPR affect my firm post Brexit?

Yes. The UK government has signalled its intention to incorporate GDPR into a UK Data Protection Bill, in a bid to harmonise the two regimes and minimise disruption to the UK's digital economy.

8. Do we have to get permission from employees to submit data to pension providers after automatically enrolling?

In order to process data lawfully, one of the following must apply:

• The data subject has given consent to the processing of his or her personal data
• Processing is necessary for the performance of a contract to which the data subject is party to or in order to take steps at the request of the data subject prior to entering into a contract
• Processing is necessary for compliance with a legal obligation to which the controller is subject;
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Employers, and payroll bureaus on their behalf, have a legal obligation to automatically enroll all eligible jobholders. Therefore, we can safely say that notifying a pension provider after automatically enrolling is acceptable as it is “necessary for compliance with a legal obligation”.

In this instance there would be no requirement to get permission from employees prior to submitting the data. However, it would be advisable in to have clearly communicated employee data protection policies clearly explaining how their data is used and who it is shared with.

9. You say BrightPay data files are encrypted, if someone gets a copy of your data they cannot read it. But it looks like they only have to download a demo of BrightPay to read the data?

Whilst we have security measures in place to protect your data, it remains your responsibility to keep your login details secret, to sign off from BrightPay when you are not using it and to ensure there is no unauthorised access to your computer. Should someone get a copy of your data file they would have to know how to open the file on BrightPay firstly and then if there is a password set on the company file, they would have to enter this to gain access to the data.

10. Is there a log in the software that a backup has been transferred to BrightPay for support?

If you send a support query with a snapshot to us via the software itself, then we keep a record of the query with an indicator that there was a snapshot on the query for a set amount of time, but the actual snapshot (backup of the data file) is automatically deleted from the remote server after one week. The system itself does not keep a record when a support request is sent.

11. If there was a data breach where employee information was accessed from BrightPay Connect who would the penalty be aimed at; us as the Processor, or you as the provider of our software

As we provide the Cloud service, it is our responsibility to ensure that the service is secure. We have adopted a "data by design" approach to our Connect product and are confident that we have the strongest security in place in relation to data stored through Connect. Data stored on Connect is backed up to Microsoft Azure servers which we believe to be immune to breaches. Please note that BrightPay does not actually process any data stored on Connect, our support staff do not have access to any of the data stored. Of course, if a breach occurred because somebody on the user end had inappropriately accessed passwords to access the data, then the responsibility there lies with the end user.

12. Is operating a "clean desk" policy mandatory under GDPR? An accountancy office will always have accounts files and jobs in various stages of progress or ultimately ready for review by a Manager/Partner - so must all such files be physically put away each day?

No, it is not a requirement under GDPR to implement a clean desk policy. That said, the GDPR requests organisations to put in technical and organisational measures to protect any personal data processed. When looking at data being processed, organisations will need to consider what measures would be best implemented in their workplace that will minimise the risk of data being lost or exposed to parties that should not have access to it. Implementing a Clean Desk Policy could be considered as one such organisational measure.

13. As a Payroll Bureau, when processing a new employee, is information from the employer sufficient, or would you need a signed document from the employee to confirm consent to add to the payroll?

If you are processing payroll on behalf of the employer then your contract is with the employer. It is extremely important that you have a written contract in place with your client that is GDPR compliant. In turn, the employer will/should have the relevant policies in place with their employees that clearly explain how their data is being used and who it is being shared with. There is no requirement on Payroll Bureaus to put in place a separate agreement with their client’s employees.

14. Is a small business actually expected to encrypt their own single computer?

The GDPR has not specified that full machines need to be encrypted, again it states the necessary technical measures should be put in place. It is up to businesses to review their risk and put in suitable controls from there. It is generally not common to encrypt a whole machine, although encryption software is available that could be applied to specific files, which may or may not be suitable for the small business. At a very minimum, small employers would be well advised to ensure that any software download is secure and provides proper security safeguards. Employers and their employees should also be cautious when opening links sent from unknown recipients.

The ICO has published a useful guide on IT security for small businesses. Click here.