First-Year Effects of GDPR on Payroll
Jun 4, 2019
The European Union’s enactment of the General Data Protection Regulation in May 2018 catapulted global adoption of some of the most progressive and wide-reaching data security regulations the world has known, with substantial and unprecedented consequences for multinational organizations. In the months leading up to its implementation, companies both within and well outside of Europe scrambled to get compliant. Yet, on the eve of enforcement, as many as 80% of affected companies still fell short of that goal.
One year on, companies continue working toward full compliance, as the public becomes more comfortable with their newfound rights under the legislation. Data processing and use complaints have more than doubled across most of Europe, while companies of all sizes refine policies and systems designed to protect them from violations — and the associated fines.
In the midst of all of it sit global payroll teams, adapting processes and systems to account for GDPR requirements and the world’s deepening focus on privacy. As we pass the one-year mark of the landmark legislation, we take a look at the changed landscape under GDPR and what it means for payroll teams around the world.
Putting Compliance to the Test
The practical impact of GDPR is still being defined, as companies within the legislation’s scope continue to bring data management procedures in line with regulations. One year in, an estimated 500,000 organizations have registered data protection officers, and more than 200,000 violation cases have been brought to the various data protection authorities across Europe. Additionally, DPAs have received around 95,000 individual complaints, with figures increasing by month, reflecting the public’s growing understanding of their rights as data subjects under GDPR.
While the ultimate fine (the larger of €20 million or 4% of annual global turnover) has yet to be levied, GDPR enforcement has seen global companies fined more than €56 million for varying levels of violations. The largest action to date was taken by the French protection agency CNIL, when it found Google in violation of transparency and consent regulations, and charged the internet giant €50 million. DPAs expect that this is just the beginning of larger, more costly enforcement actions to come.
The fines possible under the data protection directive have motivated companies of all sizes to prioritize data privacy regulations across regions and take real action towards compliance. In addition to typical risk metrics, company leaders now hold the figure of their potential fine under GDPR in their minds when considering business decisions.
While some organizations, particularly outside Europe, struggle to pinpoint precisely when their business falls within the scope of GDPR, others are adopting widespread protections in anticipation of growing global requirements. For most, payroll is one of their largest sources of personal data, meaning the data protection capabilities of their payroll service provider is of utmost importance.
Giving and Getting Consent
At the center of the hundreds of thousands of cases received by DPAs in the past year is the issue of individuals’ right to dictate when, how, and by whom their personal data is used. From the start of GDPR preparations, companies have been cautioned about consent: what it entails, when it’s required, how to obtain it, and how to keep it. Yet, consent remains a complicated challenge for many organizations.
The ubiquitous banners asking website visitors to set data preferences were the harbingers of the age of consent, continuing today as regular reminders that individuals are reasserting control over their personal data. Now companies are navigating the implications of that shift in control, learning how to adapt to user preferences and what to do when individuals say no.
The complaints filed in the past year deal with a range of topics, from unfair processing and unwanted marketing to access requests and the right to be forgotten — this last issue being one of the most challenging for companies to address and proving to be a test of GDPR’s reach. The upshot of the persistent uncertainty is that companies must prioritize the process of getting and maintaining people’s consent for every data use case.
Regardless of a company’s trade, GDPR effectively made every employer a data controller because they collect and maintain employee data and personal information for the purposes of payroll. Whether they process payroll themselves or outsource their international payroll, employers who fall under the scope of GDPR must not only be compliant with the regulations but be able to demonstrate that compliance. To do so, companies must keep employees informed of how their data is used and maintain consent for any use beyond the necessary fulfillment of a contract, like payroll, regardless of the terms of that use.
Understanding the Security Chain
Equally important is a company’s ability to document and explain how it uses employee data, whether they are the sole data processor or they use an outsourced provider for payroll, HR, or any other purpose. Whether overseen by a designated data protection officer or a company’s compliance or legal team, the lifecycle of employee (and customer) data while within the company’s possession must be thoroughly understood.
Particularly for organizations based outside the EU, the focus on international data movement can be challenging. Even if an employer is based in the US and their only international employees are in Asia and South America, there’s a chance that their data passes through the EU and comes under the scope of GDPR. In addition to examining the security chain of any third-party providers, or even licensed software, there are security measures in place to help companies stay compliant.
The EU-US Privacy Shield framework regulates exchanges of personal data between the EU and the US for commercial purposes, offering American companies a path to GDPR compliance. Additionally, specific countries other than EU member states have been approved for data transfers by demonstrating sufficient privacy regulations and obtaining an “adequacy decision” from the European Commission, which is what underpins the Privacy Shield. In January 2019, Japan became the first nation to become an approved “third country” since the enactment of GDPR, joining Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the US (via Privacy Shield) as the only countries outside of the EU to which the transfer of data is expressly permitted.
Security arrangements and privacy regulations are under continuous review, so it’s important for individual companies to stay abreast of changes. If there ever was an unofficial grace period for becoming GDPR-compliant, it’s coming to an end. Companies are re-evaluating the systems they use to manage employee and customer data — and traditional payroll solutions that aggregate data from multiple international processors are showing their shortcomings.
Making Positive Changes
If one thing is clear from the first year under GDPR, it’s that the changes to privacy and data protection law for global workers are far from complete. As various new region- and country-specific privacy laws loom large on the international horizon, employers would benefit from a thorough review and assessment of their data management policies, using GDPR as a guideline whether they are impacted by the European law or not.
Payroll teams must be aware of where, when, and how payroll data is managed, at each step of the process, because the employer is ultimately responsible for the security of that data. Ensure all data processing is certified compliant, whether in-house or outsourced, and keep up-to-date on your responsibilities under whichever privacy laws apply to your organization. As we all continue on this data protection journey, it pays to remember that while compliance can be costly, non-compliance can cost a company everything.