With the implementation of the General Data Protection Regulation (GDPR) next month, any organisation working with HR and payroll vendors will be responsible for ensuring that those business partners are GDPR compliant. Any external organisation that handles the data of employees or customers must be compliant; otherwise the organisation itself is also at risk of breaching GDPR.
Although the risks and penalties are high, the good news about GDPR is that HR and payroll providers will become significantly more responsible for the data they process. If partners that process data act outside the authority an organisation grants them, they are themselves open to fines for non-compliance. Therefore, organisations working with responsible processors have more certainty that their partners are handling data properly and compliantly.
However, as mentioned, organisations are liable for ensuring that their partners are compliant. To do this, they should bind sub-contractors with contracts: by law, organisations are obliged to have a good Data Processing Agreement (DPA) in place and to manage it well. Even where organisations are joint controllers of data (for example, when working with an insurance company that provides group insurance for their employees), they must have an arrangement on the processing of that data. Although not specifically a contract, an agreement must be made, perhaps in the form of a joint privacy statement.
It is not presently clear how such agreements will be accepted or enforced, as data protection authorities have not released binding information on the subject, but the more transparent the agreement, the better. GDPR introduces two new mechanisms to demonstrate compliance: Codes of Conduct and Certification. After 25th May, organisations will be able to submit these to data protection authorities for approval. However, the fact that there are currently no approved certifications does not mean that certifications cannot provide some comfort when preparing for data processing compliance. There are existing certifications which, if organisations adhere to them, should provide reassurance of compliance.
Non-disclosure agreements or confidentiality clauses are no longer enough; under GDPR, Data Processing Agreements are paramount to compliance. So, what does a DPA involve, and what changes will need to be made?
Categories of personal data will need to be described and listed out for transparency.
Organisations will need to document the technical and organisational measures that they or their vendors employ when processing the data. As ever, the clearer and more extensive these are, the greater the guarantee that their operations will be GDPR compliant.
Conditions for sub-contractors: both organisations and their partners are responsible.
A clear guarantee that data is returned or deleted once the service has been provided.
Obligation that the organisation will assist with breach notifications and data protection assessments.
It is almost certain that existing contracts that have not been updated for GDPR will not be compliant. If an organisation is unsure whether its partners are compliant, it can send a self-assessment questionnaire to the vendor as a fall-back where no certification is available.
SD Worx has developed its own Data Processing Agreements with proven terms reviewed by independent experts to guarantee compliance. The DPA not only follows the legal obligations involved with GDPR, but also provides as much transparency as possible about the methods involved in processing data. Furthermore, the DPA has been agreed with all of SD Worx’s partners to ensure that, in the final countdown to GDPR, everyone is in agreement and is wholly compliant.
To listen to the full webinar on ‘Ensuring your HR and Payroll Business Partners are Compliant’, click here