Running a payroll process involves accessing and storing an individual’s personal information.
This includes information on starters and leavers and changes of address and status, as well as the normal cyclical information such as timesheets, notifications of pay rises, bonuses and other increases in pay.
The bookkeeper who runs payroll must keep all this personal data up to date and must ensure that it is secure. The bookkeeper must also start preparing for the new General Data Protection Regulation (GDPR), which becomes law in May 2018. So how is the bookkeeper to cope with all this change on top of their usual tasks?
The first step is to identify what information is held, why it is held, and how it is held. A good place for the bookkeeper to start is by asking the following questions:
- Where is the information stored?
- Why is the information needed?
- Is the information secure?
- Can the information be held differently?
- How is the information moved?
Running a payroll (and automatic enrolment) means that data such as name, date of birth, NI number, address, salary and the like are needed. But other data such as emergency contact numbers may not be necessary, and it is this excess data that should be removed. The bookkeeper should go through each item of data held on an individual and ask the question ‘Is this needed for the payroll/AE process?’ Be strict, and if the answer is ‘no’ then delete the data.
The data identified as not needed for payroll may still be vital information that needs to be held. But who will hold it?
- If the bookkeeper is an employee and performs HR duties as well as payroll then information on next of kin, emergency contact details and similar information would no doubt fall within the bookkeeper’s control.
- If the bookkeeper acts in an agent role, perhaps looking after more than one payroll, there may not be the scope, or the need, to keep that level of data, and instead the information is held by the employer.
The bookkeeper should identify their role and store or delete the information as necessary. Remember, too, that the data needs to be checked and updated regularly, so a process needs to be in place to make this happen.
The Information Commissioner’s Office (ICO) has a lot of information on its website, some of which is specifically for the small organisation. The information covers basic steps to take such as keeping passwords secure, logging off computers when away from the desk, shredding confidential papers, and keeping software and anti-virus programmes up to date.
The ICO also suggests using a procedure called pseudonymisation to disguise an individual’s identity and protect their personal data. Pseudonymisation is a process by which the most identifying fields within a data record are replaced by one or more artificial identifiers, with only the sender and the designated receiver of the information holding the key needed to unlock it.
The ICO also suggests that the pseudonymisation key is kept totally separate from the information it disguises. A separate server, perhaps? For the bookkeeper this may be difficult. However, a stand-alone computer could be kept for personal data, with the payroll software protected by the latest payroll provider updates and the network itself protected by anti-virus and malware protection programmes.
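To make the process concrete, here is an added illustration (not from the ICO or the original article) of data minimisation followed by pseudonymisation of a payroll record: excess fields are dropped, the identifying fields are swapped for a random pseudonym, and the mapping back to the person is written to a separate key store that only the sender and designated receiver hold. The field lists and the sample record are constructed for this example.

```python
import secrets

# Constructed field lists: what the page says payroll/AE needs, and which of those identify a person.
PAYROLL_FIELDS = {"name", "date_of_birth", "ni_number", "address", "salary"}
IDENTIFYING_FIELDS = {"name", "date_of_birth", "ni_number", "address"}


def minimise(record):
    """Data minimisation: keep only the fields the payroll/AE process needs."""
    return {k: v for k, v in record.items() if k in PAYROLL_FIELDS}


def pseudonymise(record, key_store):
    """Replace the identifying fields with a random pseudonym.

    key_store (pseudonym -> identifying fields) is the 'key' and must be kept
    separate from the pseudonymised data, as the ICO advises.
    """
    identity = {k: record[k] for k in sorted(IDENTIFYING_FIELDS) if k in record}
    # Reuse an existing pseudonym for the same person so repeated transfers match up.
    pid = next((p for p, stored in key_store.items() if stored == identity), None)
    if pid is None:
        pid = secrets.token_hex(8)  # random: reveals nothing about the individual
        key_store[pid] = identity
    pseudo = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    pseudo["pseudonym"] = pid
    return pseudo


def reidentify(pseudo, key_store):
    """Only a holder of key_store (sender or designated receiver) can reverse it."""
    pid = pseudo["pseudonym"]
    if pid not in key_store:
        raise KeyError("no key for pseudonym; record cannot be re-identified")
    full = {k: v for k, v in pseudo.items() if k != "pseudonym"}
    full.update(key_store[pid])
    return full


# Constructed sample record; the emergency contact is the kind of excess data the page says to remove.
SAMPLE = {"name": "A. Example", "date_of_birth": "1980-01-01", "ni_number": "QQ123456C",
          "address": "1 Example Street", "salary": 30000, "emergency_contact": "07700 900000"}

if __name__ == "__main__":
    keys = {}
    sent = pseudonymise(minimise(SAMPLE), keys)
    print(sent)                                        # salary and pseudonym only
    print(reidentify(sent, keys) == minimise(SAMPLE))  # True for the key holder
```

Anyone who intercepts `sent` without `keys` sees only a salary figure and a meaningless token, which is the protection the ICO's advice is aiming for.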
Under the current Data Protection Act, manual records filed in a way that is not referenced to the individual’s personal data are exempt. This is not the case under GDPR, and any information held this way must be reviewed and brought in line with the new regulation or deleted.
Currently the most common forms of information transfer are emails, memory sticks or notes written on paper and posted or handed to the recipient. These forms of data transfer are no longer suitable as emails can easily be sent to the wrong recipient, memory sticks easily misplaced and pieces of paper inexplicably go missing. Storing information in the cloud is also problematic as there must be trust in the cloud provider’s data security.
So, what can the bookkeeper do to secure individual data and comply with GDPR? The ICO has written a document on these matters, specifically aimed at the small organisation, called ‘A practical guide to IT security’. It outlines 10 practical ways to keep your IT systems secure and covers the following areas:
- Threats and risks to the data held by the business
- Different types of IT security available
- Moving, securing and backing up of data
- Staff training and awareness
- Identifying that an attack has taken place
- Minimising data and data breaches
- Checking third party compliance
By following these suggestions, the personal data held by the bookkeeper will be much more secure and GDPR compliant.
It will never be possible to ensure total data security. Somewhere, at some time, data will be leaked by someone or something. All the bookkeeper can do is minimise the chance of a leak by understanding the GDPR and taking the necessary safeguards to meet the requirements.
Julie Hodgskin is a fellow member of AAT, runs a licensed accounting practice and is a technical materials author for CIPP.