GDPR - Payroll providers could be subject to fines up to €20 million or four percent of their annual global turnover.


This article is about the update to the Data Protection Act (1998), called the General Data Protection Regulation (GDPR). Yes, it sounds incredibly dull, but it’s hugely important to know about, as it affects every industry and there are large fines in place for non-compliance.

So who has heard of GDPR? Do you know what it is and how it impacts you? You may think “it’s someone else’s problem, the business will be ready”. Well, not if we are not talking about it and acting on it.

The GDPR is essentially an update of the 1998 UK Data Protection Act (DPA) and “It is for those who have day-to-day responsibility for data protection,” says the Information Commissioner’s Office (ICO).

The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the

The DPA was written for a time when people’s data was less easily accessible than it is today. The new regulations are strict and are in keeping with people’s fears for their own personal information, putting large emphasis on companies who hold people’s personal data.

We are less than 1 year away from legislation that affects EVERY industry in the European Union, from the humble gardening business to the large accounting firms.

Who is Affected by GDPR?

From the ICO website:

What does this mean for Payroll?

It means that gathering your customers’ personal data via email is a big NO.

One of the only truly technical elements of the GDPR is that the data must always be encrypted: in transit (as it moves from place to place, person to person) and at rest, i.e. on hard drives, in storage, etc.

Emails may or may not be encrypted in transit. Even when an email is encrypted while it travels, the sender usually has no control over it once it is no longer in transit, i.e. when it is “at rest” on any number of mail servers between the sender and the recipient.

Some of the new GDPR requirements:

  • The pseudonymisation and encryption of personal data
  • Measures to ensure resilience of systems and services processing data
  • Measures that allow businesses to restore the availability and access to the data in the event of a breach
  • Frequent testing of the effectiveness of the security measures

Under the new legislation, a company providing a payroll service now has a responsibility to ensure that the providers of the software that holds, manages, controls or processes a customer’s data are also GDPR compliant; otherwise the company itself can be fined (this was NOT in the old DPA). In short, you are responsible not only for how you hold and manage your customers’ data, but also for how the external companies, software and systems you use to deliver your service hold and manage that data.

  • Where a business fails to comply with its data security obligations under the GDPR, it may get a fine of up to 10,000,000 EUR or 2% of its total worldwide annual turnover, whichever is higher.
  • If a business is found to be in breach of other obligations under the GDPR, the fine may be as large as 4% of its total worldwide annual turnover.


Although developed by the European Union, it will apply to any organisation that holds or processes any EU personal data – regardless of where the organisation is located around the globe.

The UK’s Brexit vote does not mean that UK-based companies are off the hook. The UK Government announced in December 2016 that, despite the uncertainty surrounding Brexit and regardless of the UK leaving the EU, all UK organisations will need to comply with the GDPR requirements. (Source: Moore Stephens)

They are watching…

Following 25 May 2018, any organisation in the UK can be subjected to an audit by the ICO, whether or not a breach is suspected. The GDPR applies to any business unit or service processing personal data within an organisation, and policies have to be in place for each business area.

Cloud software is the (easy) way forward:

Cloud hosted software will be the way to cover off large elements of GDPR compliance for companies.

Data access is a key element of GDPR. With a cloud service provider such as Microsoft Azure, there is no longer a need to keep an audit log for the key to the back-office cupboard where the data is stored. Encryption at rest (a GDPR requirement) is simply a switch in Microsoft Azure; this is not easily achieved with on-premise servers. Azure’s data centres are already GDPR compliant, while Google’s and Amazon’s cloud platforms are both saying they “will be” compliant by the deadline.


Payflow was born in the Microsoft Azure Cloud by NewOrbit Limited, a Microsoft Gold Azure Partner.

Payflow has an extremely secure customer portal that allows communication and data transfer with your customers and covers off large parts of GDPR compliance with ease.

Have a chat with us (0203 757 9022) about GDPR compliance and Payflow for your Payroll service.

Get in touch to find out more: 020 3757 9022