Sending personal data in the GDPR era - 3 ways to keep compliant
The introduction of GDPR has led to some major changes in the way businesses deal with personal data, notably requiring you to identify and be able to demonstrate a lawful basis (consent is one of several) for processing the data in the first place.
But what about your obligations when it comes to sharing documents containing that personal data?
Payslips are the most obvious example: by law they must itemise an employee’s earnings and deductions. Bank statements are another, regularly sent out by your financial provider and featuring a raft of identifying information.
If you’re a small business and want to make sure your client communications and payslip processes are compliant with GDPR, here’s how you can send things more securely…
Email best practice
With hacking and cyber security threats on the rise, many businesses fear the risks of sending documents over email.
You’ll be pleased to know that there is nothing in the GDPR that specifically prohibits you from sending personal data by email. You are, however, required to apply appropriate technical and organisational measures to protect it, and an ordinary email is readable by every mail server it passes through and by anyone with access to the recipient’s mailbox, so you should take steps to protect the data you’re sending in order to avoid a costly breach.
Password protecting attached files (a payslip, for example) is essential. The password should be unique to the recipient, should be given to them through a separate channel (agreed in person or by phone, never in the same email as the attachment), and the email should be sent directly to the recipient’s own email address, not to a generic inbox shared by multiple users.
Using a single generic password for all clients or employees negates the point of password protection in the first place: anyone who has ever received one file can open everyone else’s. It could also be viewed as a GDPR failing, because the regulation requires security measures appropriate to the risk, and a password that every recipient already knows is hard to defend as appropriate.
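The following script is an added example, not part of the original article or of Inform’s own process. It shows the per-recipient password approach from the paragraphs above in working form: a fresh random passphrase is generated for each employee, each payslip is encrypted with its own passphrase using the OpenSSL command-line tool (assumed to be installed), and the run stops if any two recipients would share a passphrase. The employee names and payslip contents are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: one unique passphrase per recipient, one encrypted file per recipient.
# Requires the `openssl` CLI (1.1.1 or later for -pbkdf2). Names and payslip text below
# are constructed for the demo, not real data.
set -eu

# Generate a random passphrase for one recipient: 18 random bytes, printed as 24
# base64 characters (about 144 bits of entropy), far beyond offline-guessing range.
new_passphrase() {
  openssl rand -base64 18
}

# Encrypt a file with AES-256-CBC. The key is derived from the passphrase with PBKDF2
# (200,000 iterations) and a random salt, so identical files encrypt differently.
# The passphrase is handed over in an environment variable rather than on the command
# line, so it does not appear in the process list.
encrypt_for_recipient() {
  infile="$1"; outfile="$2"; passphrase="$3"
  PAYSLIP_PASS="$passphrase" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$infile" -out "$outfile" -pass env:PAYSLIP_PASS
}

decrypt_for_recipient() {
  infile="$1"; outfile="$2"; passphrase="$3"
  PAYSLIP_PASS="$passphrase" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$infile" -out "$outfile" -pass env:PAYSLIP_PASS
}

# Given a file of "recipient<TAB>passphrase" lines, succeed only if every passphrase
# is distinct. A reused passphrase is exactly the "generic password" problem: one
# recipient could open another's payslip.
passphrases_are_unique() {
  list="$1"
  total=$(awk 'END { print NR }' "$list")
  unique=$(cut -f2 "$list" | sort -u | awk 'END { print NR }')
  [ "$total" -eq "$unique" ]
}

# End-to-end demo on constructed data. Prints "ok" when every check passes.
demo() {
  work=$(mktemp -d)
  printf 'Payslip for A. Example, March\nGross 2,500.00\n' > "$work/a.example.txt"
  printf 'Payslip for B. Sample, March\nGross 3,100.00\n'  > "$work/b.sample.txt"
  : > "$work/passphrases.tsv"

  # One passphrase and one encrypted file per recipient.
  for who in a.example b.sample; do
    pass=$(new_passphrase)
    printf '%s\t%s\n' "$who" "$pass" >> "$work/passphrases.tsv"
    encrypt_for_recipient "$work/$who.txt" "$work/$who.txt.enc" "$pass"
  done

  # Refuse to send anything if two recipients ended up with the same passphrase.
  passphrases_are_unique "$work/passphrases.tsv"

  # The right passphrase must round-trip the file exactly.
  pass=$(grep '^a.example' "$work/passphrases.tsv" | cut -f2)
  decrypt_for_recipient "$work/a.example.txt.enc" "$work/a.example.dec" "$pass"
  cmp -s "$work/a.example.txt" "$work/a.example.dec"

  # Another recipient's passphrase must not recover the plaintext. openssl usually
  # exits non-zero on a wrong key; if the padding happens to look valid, the output
  # is still garbage, so compare contents rather than trusting the exit code alone.
  other=$(grep '^b.sample' "$work/passphrases.tsv" | cut -f2)
  if decrypt_for_recipient "$work/a.example.txt.enc" "$work/wrong.dec" "$other" 2>/dev/null \
     && cmp -s "$work/a.example.txt" "$work/wrong.dec"; then
    echo "wrong passphrase recovered the plaintext" >&2
    rm -rf "$work"
    return 1
  fi

  rm -rf "$work"
  echo "ok"
}
```

The passphrase file produced here is the sensitive part of the process: it is what you read out to each employee over the phone or hand to them in person, and it should never travel in the same email as the encrypted attachment.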
Post best practice
Again, there is nothing in the GDPR legislation that prevents you posting documents containing personal data. Insurance companies and banks do it all the time, so post is not a problem in itself.
What matters is that you do everything reasonably possible to ensure the data reaches the right recipient, and only the right recipient.
Communications should be addressed clearly to a specific person rather than simply to an address, and envelopes should be marked ‘private and confidential’.
In the case of payslips, you can also invest in specialist security envelopes, which feature a printed security pattern (so the contents cannot be read by holding the envelope up to the light) and a tamper-evident seal, so that any attempt to open them in transit is visible to the recipient.
Or, you might be better off ditching the paper payslip altogether…
Cloud payroll and self-service
As we’ve highlighted, payroll is one of the areas of business most affected by GDPR, and it may see the end of the payslip as we know it.
The GDPR itself does not prescribe how payslips should be delivered, but a self-service platform, whereby employees log in to access their own payslip data and other documents securely in the cloud, removes the need to send personal data through email or the post at all, and makes it far easier to honour an employee’s right to access their own data.
Here at Inform, we’ve been fully fledged cloud accountants for some time, and having brought you the flexibility and security benefits of cloud accounting, we’re now doing the same with payroll.
With our fully outsourced cloud payroll service, we’ll take the payroll processing burden off your shoulders, while providing your employees with secure and remote access to payroll information including payslips, contact details and employee documents such as employee contracts and handbooks.
With your staff able to access (and edit) their personal details anytime, anywhere, you help to streamline the employee experience, cut the admin pressure on HR and reduce payroll errors - all while ensuring private payslip data is viewed only by those with permission.
There’s a lot more to GDPR than the points we’ve covered here - and simply following these three steps by no means indicates your business is fully GDPR compliant.
If you need more information on the GDPR, visit the website of the Information Commissioner’s Office (ICO), the UK’s data protection regulator.