Six months to go: Why GDPR is important in payroll

13 November 2017 - Reading time: 5 Minutes


With just six months to go until the General Data Protection Regulation (GDPR) takes force, payroll departments need to ensure they know what’s coming, or risk paying for it later. The stakes are high, as businesses that fail to comply with GDPR could face fines of up to 4% of their total annual revenue.

In this blog post, we’ll explore what exactly the regulation entails and why it is important to payroll departments.

Defining GDPR
GDPR is new legislation that affects how businesses deal with data protection. Replacing the 1998 Data Protection Act, the regulation will take effect from 25th May next year. Following this date, individuals will have a higher level of control over how their data is handled, and businesses will face stricter penalties for data misuse. For example, if businesses do not report a breach to the relevant authorities, and any potentially affected customers, within 72 hours of the incident, they will face a penalty.
GDPR is not exclusive to organisations in the European Union (EU): it will also affect any business that holds the personal data of EU individuals, wherever they are based in the world.

What does it mean for payroll departments?
Payroll departments hold a lot of data, including sensitive financial information. Therefore, they are certainly not exempt from preparing for GDPR compliance. Under GDPR, employees have extensive rights over the personal data that payroll departments hold, for example the right of access and the right of erasure (the right to be forgotten).
The GDPR legislation states that organisations need to keep a record of all data processing activities, including what personal data they process, who is responsible for it and how it is processed, or risk non-compliance.
In addition, with GDPR in play, payroll teams will need to become explicit about data retention. Under existing privacy laws, businesses can only retain personal data for as long as is necessary for the processing purpose: GDPR builds on this. For example, non-compliance will meet stricter consequences, and the right to erasure is introduced.
Businesses (including payroll departments) are responsible for ensuring their own data is in check – and protected. Third-party relationships also need to be considered: GDPR makes you liable as a data controller if you cannot sufficiently state that all third parties are compliant.

A Note on Security
Although GDPR does not enforce specific measures in terms of security, it does introduce more risk management principles in terms of privacy. Therefore, payroll teams will need to assess their risks and adopt the relevant approach in response.
It’s crucial to note that organisations need to build privacy and security not just into their payroll departments, but across their entire workforces, and set an example from the top in terms of ensuring total data compliance and ongoing data protection, in line with GDPR.
By doing so, organisations can ensure all departments are GDPR ready, preventing a harsh blow to revenue in the form of large fines, or damage to their business reputation.
SD Worx aims to give guidance and provide news on this historic legislation, which will impact businesses across the globe, from an HR and Payroll standpoint. For more information please visit our GDPR Page or, please email
