First-Year Effects of GDPR on Payroll

Jun 4, 2019 

The European Union’s enactment of the General Data Protection Regulation in May 2018 catapulted global adoption of some of the most progressive and wide-reaching data security regulations the world has known, with substantial and unprecedented consequences for multinational organizations. In the months leading up to its implementation, companies both within and well outside of Europe scrambled to get compliant. Yet, on the eve of enforcement, as many as 80% of affected companies still fell short of that goal.

One year on, companies continue working toward full compliance, as the public becomes more comfortable with their newfound rights under the legislation. Data processing and use complaints have more than doubled across most of Europe, while companies of all sizes refine policies and systems designed to protect them from violations — and the associated fines. 

In the midst of all of it sit global payroll teams, adapting processes and systems to account for GDPR requirements and the world’s deepening focus on privacy. As we pass the one-year mark of the landmark legislation, we take a look at the changed landscape under GDPR and what it means for payroll teams around the world. 

Putting Compliance to the Test

The practical impact of GDPR is still being defined, as companies within the legislation’s scope continue to bring data management procedures in line with regulations. One year in, an estimated 500,000 organizations have registered data protection officers, and more than 200,000 violation cases have been brought to the various data protection authorities across Europe. Additionally, DPAs have received around 95,000 individual complaints, with figures increasing by month, reflecting the public’s growing understanding of their rights as data subjects under GDPR.

While the ultimate fine (the larger of €20 million or 4% of annual global turnover) has yet to be levied, GDPR enforcement has seen global companies fined more than €56 million for varying levels of violations. The largest action to date was taken by the French protection agency CNIL, when it found Google in violation of transparency and consent regulations, and charged the internet giant €50 million. DPAs expect that this is just the beginning of larger, more costly enforcement actions to come.

The fines possible under the data protection directive have motivated companies of all sizes to prioritize data privacy regulations across regions and take real action towards compliance. In addition to typical risk metrics, company leaders now hold the figure of their potential fine under GDPR in their minds when considering business decisions. 

While some organizations, particularly outside Europe, struggle to pinpoint precisely when their business falls within the scope of GDPR, others are adopting widespread protections in anticipation of growing global requirements. For most, payroll is one of their largest sources of personal data, meaning the data protection capabilities of their payroll service provider are of utmost importance.




Giving and Getting Consent 

At the center of the hundreds of thousands of cases received by DPAs in the past year is the issue of individuals’ right to dictate when, how, and by whom their personal data is used. From the start of GDPR preparations, companies have been cautioned about consent: what it entails, when it’s required, how to obtain it, and how to keep it. Yet, consent remains a complicated challenge for many organizations.

The ubiquitous banners asking website visitors to set data preferences were the harbingers of the age of consent, continuing today as regular reminders that individuals are reasserting control over their personal data. Now companies are navigating the implications of that shift in control, learning how to adapt to user preferences and what to do when individuals say no. 

The complaints filed in the past year deal with a range of topics, from unfair processing and unwanted marketing to access requests and the right to be forgotten — this last issue being one of the most challenging for companies to address and proving to be a test of GDPR’s reach. The upshot of the persistent uncertainty is that companies must prioritize the process of getting and maintaining people’s consent for every data use case. 

Regardless of a company’s trade, GDPR effectively made every employer a data controller because they collect and maintain employee data and personal information for the purposes of payroll. Whether they process payroll themselves or outsource their international payroll, employers who fall under the scope of GDPR must not only be compliant with the regulations but be able to demonstrate that compliance. To do so, companies must keep employees informed of how their data is used and maintain consent for any use beyond the necessary fulfillment of a contract, like payroll, regardless of the terms of that use. 

Understanding the Security Chain

Equally important is a company’s ability to document and explain how it uses employee data, whether it is the sole data processor or uses an outsourced provider for payroll, HR, or any other purpose. Whether overseen by a designated data protection officer or a company’s compliance or legal team, the lifecycle of employee (and customer) data while within the company’s possession must be thoroughly understood.

Particularly for organizations based outside the EU, the focus on international data movement can be challenging. Even if an employer is based in the US and its only international employees are in Asia and South America, there’s a chance that their data passes through the EU and comes under the scope of GDPR. In addition to examining the security chain of any third-party providers, or even licensed software, companies can draw on security measures already in place to help them stay compliant.

The EU-US Privacy Shield framework regulates exchanges of personal data between the EU and the US for commercial purposes, offering American companies a path to GDPR compliance. Additionally, specific countries other than EU member states have been approved for data transfers by demonstrating sufficient privacy regulations and obtaining an “adequacy decision” from the European Commission, which is what underpins the Privacy Shield. In January 2019, Japan became the first nation to become an approved “third country” since the enactment of GDPR, joining Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the US (via Privacy Shield) as the only countries outside of the EU to which the transfer of data is expressly permitted. 

Security arrangements and privacy regulations are under continuous review, so it’s important for individual companies to stay abreast of changes. If there ever was an unofficial grace period for becoming GDPR-compliant, it’s coming to an end. Companies are re-evaluating the systems they use to manage employee and customer data — and traditional payroll solutions that aggregate data from multiple international processors are showing their shortcomings.

Making Positive Changes

If one thing is clear from the first year under GDPR, it’s that the changes to privacy and data protection law for global workers are far from complete. As various new region- and country-specific privacy laws loom large on the international horizon, employers would benefit from a thorough review and assessment of their data management policies, using GDPR as a guideline whether they are impacted by the European law or not. 

Payroll teams must be aware of where, when, and how payroll data is managed, at each step of the process, because the employer is ultimately responsible for the security of that data. Ensure all data processing is certified compliant, whether in-house or outsourced, and keep up-to-date on your responsibilities under whichever privacy laws apply to your organization. As we all continue on this data protection journey, it pays to remember that while compliance can be costly, non-compliance can cost a company everything.

