GDPR - A Message to our Customers

Following the previous article I wrote on GDPR for Payroll (here), which received a record number of hits, likes and shares, we followed it up with a specific email to our client-base giving them more information on Payflow’s GDPR compliant Engage Portal.

With the advent of GDPR, Payroll service providers will need to turn to a secure method of file transfer and communication and we shared the following email with our customers:

Letter to Customers

Dear Payflow customer

GDPR: How Payflow can help you achieve compliance

We are writing to inform you that the Payflow system you use is compliant with the General Data Protection Regulations (GDPR) that come into effect on the 25th May 2018 and that Payflow’s Engage Portal can assist you to becoming GDPR compliant in all relevant communications and workflow with your customers.

GDPR Background

The GDPR are industry disruptive regulations that every payroll company in the UK must comply with, by law, by the above deadline. The penalties for not doing are far stricter than they ever have been:

Fines of up to 20 Million Euro or 4% of global annual turnover within a given year, whichever is higher.

The GDPR is a reworked General Data Protection Act (DPA) 1998 but for the current technology age. There is a greater emphasis on the companies that are entrusted, process and control an individual’s data to have a larger responsibility to protect it. A company can be fined if the systems, companies and external services they use are also not compliant with GDPR.

GDPR & Payroll

There are many ways an individual’s data could reach an unintended audience (either internally within a company, or externally) the GDPR are there to enforce companies to minimise the risk to personal data breeches and that the individuals have the ability and control over their own data. Some simple principles are applied, such as:

  • don’t collect data you do not require (data minimisation)

  • do not keep data longer than necessary (going on the old proviso of “you can’t lose what you do not have”)

  • data encryption

  • data access control (know who has access to what and keep the access to the data to the minimum needed to do the job).

As personal data is seen to be the property of the individual, there are regulations around an individual being able to request what data a company holds on them and further regulations around the right to deletion of your own personal data. Your processes internally must comply with this by the deadline date. There is one element that will cause companies to change their modus operandi substantially and we suspect this is where payroll will have its biggest issue; the only truly technical demand of the GDPR is that an individual’s data is encrypted.

An example:

In a fictitious payroll bureau if the client were to email their payroll data, with an excel file attachment to the bureau, the client and/or bureau could be penalised as the data is not necessarily encrypted along the way…

…here is why:

  1. The excel attachment may not be encrypted.

  2. Emails may or may not be encrypted in transit. Even when the email is encrypted as it travels a sender often has no control of it when it is not in transit, i.e. when it is “at rest”, on any possible number of servers between the sender and recipient.

  3. Any mobile phones who also have access to the email inbox are likely not encrypted.

  4. The email could be sent accidentally to an inbox of someone who doesn’t have the data access to see/view it (internally/externally to the bureau).

  5. The group inbox that the payroll bureau team use does not have the correct permissions to lock out those who should not have access to an individual’s data.

As NewOrbit is a provider of business systems, an analogy we use to train individuals and communicate the risks around email is:

if you wouldn’t send it on a postcard don’t send it in an email.

Engage Portal

Payflow’s Engage portal allows you to:

  1. Bring your client into the Payroll process in a structured way, allowing them to see tasks required of them, dates they need to deliver against and communication from you to them - and vice versa.

  2. Track and manage your client’s process compliance.

  3. Automate email prompts for client contacts to complete their tasks, reducing people time chasing.

  4. Communicate securely with your clients through a [GDPR compliant], secure portal.

  5. Audited transmission and receipt of files through a [GDPR compliant], secure portal.

  6. Granular access control to each payroll and all its associated data. [GDPR compliance].

  7. Have everything within the Payflow system encrypted ALWAYS, even when the data is “at rest” i.e. when the data is not in use. [GDPR compliance].

  8. Have your data backed up within the Microsoft Azure cloud, a [GDPR compliant data centre].

Becoming GDPR compliant is a complex, multi-faceted challenge that affects your whole organisation.

Using Payflow with Engage, hosted on Microsoft Azure, will help you be compliant in the way you share employee information to and from your clients. Similarly, by offering Engage to your clients, you will help them in turn be GDPR compliant in the way they interact with you Frans Lytzen, CIO, NewOrbit Ltd a Microsoft Azure Gold Partner

To discuss the Payflow Engage portal further, please call: 020 3757 9022

Get in touch to find out more: | | 020 3757 9022