GDPR: Ensuring your HR and Payroll Business Partners are Compliant
With the implementation of the General Data Protection Regulation (GDPR) next month, any organisation working with HR and payroll vendors will be responsible for ensuring that these business partners are GDPR compliant. Any external organisation that handles the data of employees or customers must be compliant; otherwise the organisation itself is also at risk of breaching GDPR.
Although the risks and penalties are high, the good news about GDPR is that HR and payroll providers will become significantly more responsible when it comes to processing data. If partners that process data act outside the authority an organisation grants them, they are themselves open to fines for non-compliance. Therefore, organisations working with responsible processors have more certainty that their partners are handling their data properly and compliantly.
However, as mentioned, organisations remain liable for ensuring that their partners are compliant. To do this, they should bind sub-contractors with formal contracts: by law, organisations are obliged to have a good Data Processing Agreement (DPA) in place and to manage it well. Even where organisations are joint controllers of data (for example, when working with an insurance company that provides group insurance for their employees), they must have an arrangement covering the processing of this data. Although not strictly a contract, an agreement must be made, perhaps in the form of a joint privacy statement.
It is not presently clear how agreements such as these will be accepted or enforced, as data protection authorities have not released binding information on the subject, but the more transparent the agreement, the better. GDPR introduces two new mechanisms for demonstrating compliance: Codes of Conduct and Certification. After 25th May, organisations will be able to submit these to data protection authorities for approval. However, the fact that there are currently no approved certifications does not mean that certification cannot provide some comfort when preparing for data processing compliance. There are existing certifications which, if organisations adhere to them, should provide reassurance of compliance.
Non-disclosure agreements or confidentiality clauses are no longer enough: under GDPR, Data Processing Agreements are paramount to compliance. So, what does a DPA involve, and what changes will need to be made?
Categories of personal data will need to be described and listed out for transparency.
Organisations will need to document the technical and organisational measures that they or their vendors employ when processing the data. As ever, the clearer and more extensive these are, the greater the guarantee that their operations will be GDPR compliant.
Conditions for sub-contractors: both organisations and their partners are responsible.
A clear guarantee that data is returned or deleted once the service has been provided.
Obligation that the organisation will assist with breach notifications and data protection assessments.
It is almost certain that existing contracts which have not been updated for GDPR will not be compliant. If an organisation is unsure whether a partner is compliant, and no certification is available, sending a self-assessment questionnaire to the vendor is a possible fall-back method.
SD Worx has developed its own Data Processing Agreements with proven terms reviewed by independent experts to guarantee compliance. It not only follows the legal obligations involved with GDPR, but provides as much transparency as possible about the methods involved in processing data. Furthermore, the DPA has been agreed with all of SD Worx’s partners to ensure that, in the final countdown to GDPR, everyone is in agreement and wholly compliant.