Are You Absolutely Sure Your Payroll Is GDPR Compliant?

The EU/UK GDPR (universally accepted worldwide as the gold standard for data protection and privacy) demands a lot more than many US companies realize.

It may sound like an exaggeration, but it’s a fact: no company can handle GDPR compliance without specialist assistance. The EU’s most significant legislation leaves no room for error. You’re either compliant, or you’re not. And noncompliance can be a business-ending event. 

In this third installment of our global payroll management series, we examine the gold standard for data protection and privacy. Any company that processes the personal information or “data” of EU residents must adhere to the General Data Protection Regulation (GDPR), whether or not the company maintains a physical presence in the EU.

(Note: In the UK, the GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. However, it is very likely that the UK GDPR will always be virtually identical to the EU GDPR. The comments in this blog about the EU GDPR have equal application to the UK GDPR and are collectively referred to here as the GDPR.) GDPR payroll compliance – what does it take?

Payroll management, by design, requires the collection of personal data. In other words, if the employee or data subject resides in the EU or UK, GDPR applies. This, of course, is hardly news to global organizations. However, US companies are often still surprised by the extent and complexity of the regulatory framework and the amount of work required to comply. Unfortunately, all too often, companies think they are compliant when they are not. 

A new focus on data protection

When the EU passed GDPR into law effective May 25, 2018, it set a new standard for data protection. Most EU members gave companies an informal grace period as they worked to achieve compliance. (Germany is the notable exception – a German regulator imposed the first EU-wide penalty for noncompliance with the GDPR within weeks of its introduction!) No excuse is good enough to escape the reach of the law. Nor can companies blame faraway headquarters; EU/UK regulatory authorities have the power to pursue any organization anywhere in the world for breaches of the GDPR.

For US companies expanding into Europe, GDPR compliance is an undeniable challenge. Aside from the California Consumer Privacy Protection Act, as amended by the California Privacy Rights Act effective 2023 (CCPA/CPRA), US data privacy protections are historically less stringent. Therefore, American companies tend to lack the background knowledge and organization to untangle GDPR requirements effectively. They need outside expertise to ensure they get every detail right. Going it alone is a risk no company should take. (Read more: Global Expansion Strategy: The Risks of Going it Alone)

GDPR compliance basics

GDPR ensures that organizations have sufficient technology, processes, and organization in place (often referred to as “TOMS”) to protect the personal data and privacy of EU/UK residents. The framework, spelled out in detail across 88 pages, requires organizations to prepare, implement, and comply with a litany of written external and internal data privacy policies and other requirements.

Key Documents:
  • External Privacy Statement: Drafted in full conformity with the requirements of the GDPR, this policy must be accessible to customers, suppliers, and the public on your company website.
  • Internal Data Privacy Policy(also known as the Data Protection Policy): Available at any time to an organization’s employees and other staff, it must identify how your organization protects personal data. The detailed requirements of an internal privacy policy need to be “proportionate to your processing activities.” But how would you know when your company crosses that threshold? The vague language demands careful assessment of the scope, context, and purpose of the data processing that is taking place.
  • Data Retention Policy: This important but highly complex policy sets out the principles for how personal data will be retained and how it will be disposed of when no longer in use. Recital 39 of GDPR establishes that data should not be retained longer than is strictly necessary. But what does that actually mean? In practice, there will be a plethora of other relevant laws and regulations that apply. For example, retaining data relating to salary and tax payments for many years will be necessary, whereas other data may have a more limited storage life. This is a complex area.
  • Fair Processing Notice (FPN): Each employee must be served a Fair Processing Notice. An FPN is a lengthy document that details the types of personal information the employer needs and for what purpose. The employer also needs to demonstrate that the data is protected from a technological and organizational standpoint. If the data will be sent out of the EU/UK, the employee must be informed where the processing will take place. This requirement alone is extremely involved.

Mistakes are easy to make

An email that is accidentally sent to the wrong address. An email chain with attachments that shouldn’t be there. Another email chain with a growing list of recipients that suddenly have access to sensitive data further down the thread. A missing policy document. An overlooked clause.  (Read more: Using Email to Manage Global Payroll? Don’t.)

There are an infinite number of ways to be noncompliant. The risks cannot be overstated considering the volumes of personal data involved in payroll processing. Although many incidents tend to be honest mistakes, the regulatory authorities will not see it that way. Violators of GDPR may be fined up to 4 percent of annual global revenue or up to 20 million euros, whichever is greater

In 2022, Facebook owner Meta Platforms paid 80% of the total fines Û830 million ($881 million) levied for GDPR breaches. But it’s not only corporate giants that have to pay up. According to an enforcement tracker, European authorities issue 25 to 60 fines each month. Since the GDPR was passed, companies have, to date, been fined nearly Û2.8 billion ($3 billion). Among them are smaller companies like a tax company that had to pay $245,000 for sending unsolicited marketing text messages. An interior design firm received a $196,000 fine for making unsolicited calls to people registered on the UK’s Do Not Call list. 

The risk of the disgruntled employee

Research shows employee mistakes are, by far, the leading cause of data breaches. But employees, especially disgruntled ones, also pose a risk to companies that unknowingly have GDPR compliance gaps. Employees initiate most of all complaints to data regulatory authorities in the EU/UK. Every complaint can automatically trigger an investigation. Whether the issue is major or seemingly insignificant, you can assume investigators will quickly discover whether you’re in violation or not. 

In one of the first cases in Germany, a well-known company that had devoted over a year to prepare thoroughly for the GDPR was fined for non-compliance. Authorities applauded the company’s effort, yet it wasn’t enough. Again, it serves as a reminder there’s no such thing as partial compliance. 

Although becoming GDPR compliant requires substantial work and resources – you simply cannot leave anything to chance – the good news is you will not need to repeat the most grueling part of the process for many years to come. GDPR is here to stay! Once you have the fundamentals in place, the upkeep requires far less investment. 

HSP Group Can Help

HSP Group specializes in helping companies just like yours expand with ease. Whether you need a GDPR checkup or our full suite of people and entity services, we tailor our engagement to your needs. We combine an unparalleled focus on the client experience with GateWay, our pioneering global expansion management platform that comes with GDPR compliance and built-in secure communication.


CONTACT US

About the author: Paul Sutton is an HSP General Counsel and one of the UK’s most experienced data privacy lawyers. He has advised on data protection requirements and compliance in around 140 countries. Contact Paul at psutton@hsp.com.

Read more:

The global payroll challenge no company should have to face

Why data privacy compliance is so crucial to international success?

Watch: Why every business should care about data privacy laws

Have Questions? Click Here to Get Them Answered!