Apr 2018

24

How long you should retain employee data under GDPR

The General Data Protection Regulation (GDPR), legislation with new rules and guidelines on how to protect and process personal data, will come into force on 25th May 2018. Employee personal data held may include: name, address, phone number, email address, emergency contact details, PPS number, bank account details etc.

The GDPR requires that when retaining and processing personal data there must be lawful reasoning for doing so. In terms of processing employee data employers are likely to rely on a number of lawful reasons, mainly: to fulfill contractual obligations, legal obligations or other legitimate interests. Under data protection legislation employee data should be kept for no longer than is necessary, for the purpose that it was retained. However, when deciding how long to retain personal data employers should be guided by employment legislation.

So how long should I retain employee data?

  • Written Terms of Employment – 1 year

    Employers must retain a copy of this employee statement throughout the employee’s employment and for one year after termination at a minimum.

  • Payroll details and Payslips – 6 years

    Records, calculations and documents relating to the value of benefits for employees must be kept for 6 years in the event of an audit by Revenue. The WRC may also inspect these in an audit and seek evidence that employees are supplied with payslips.

  • Hours of Work – 3 years

    Details of days and hours worked each week, annual leave and public holidays taken and payment received for same. Rest break records and/or records of notification of employees being fully informed about rest break entitlement and procedures if rest break is unable to be taken.

  • Maternity and Adoptive Leave Records – none

    While there is no set period for the retention of data on maternity leave or adoptive leave records, claims can be made within 6 months of employers being informed of an issue giving rise to a dispute, or extended to 12 months in exceptional circumstances.

  • Parental Leave – 8 years

    Records of Parental Leave, including the period of employment of each employee and the dates and times of the leave taken, must be retained for 8 years.

A more detailed list of Employee Record Keeping Requirements can be viewed here.

Where legislation gives no guidance on record keeping requirements, employers should carefully predetermine, and include in any employee privacy notice, how long they will retain that data and the grounds they will use for retaining it. For example, an employer may decide to retain all performance review records for the entire duration of an employee’s employment to monitor employee performance.

Whatever the reasoning behind retaining employee data, whether it be legal or other business reasons, employers need to ensure they have a clear policy outlining their reasoning, that this is easily accessible to employees and that the policy is consistently applied.

Free GDPR Webinars

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world. This webinar will explain everything payroll bureaus need to know about GDPR. This webinar is free to attend but places are limited.

Payroll Bureau Webinar | Employer Webinar

 


Thesaurus Payroll Software | BrightPay Payroll Software

Posted by Lauren Conway in GDPR


Apr 2018

10

How will GDPR affect your employee processing?

The General Data Protection Regulation (GDPR) will come into force on 25th May 2018, changing the way we process data forever. The aim of the GDPR is to put greater protection on the way personal data is being processed for all EU citizens. Personal data can be anything from a name, an email address, PPS number, bank details etc., so as you can imagine, employers process a huge amount of personal data on a daily basis. So how will the GDPR affect employers in terms of processing employee data?

Consent

Data in the employment context will include information obtained from an employee during the recruitment process (regardless of whether or not they eventually got the job); it will also include the information you hold on current employees and previous employees. All this information may be saved in hard copy personnel files, held on HR systems or it could be information contained in emails or information obtained through employee monitoring.

Under GDPR your employees will have increased rights around their data. These rights will include:

  • The Right to Access. It’s not a new concept that employees will be able to request access to the data you hold on them. However, there is a new recommendation that where possible employers should provide their employees with access to a secure self-service login where they can view data stored on them. This backs up the whole concept of transparency and ease of access to data, which underpins the new Regulations.
  • The Right to Rectification. Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. This is an existing right and the onus is on the employer to ensure that employee records are kept up-to-date. To help maintain up-to-date records, employers should make it easier for employees to update their data.
  • The Right to be informed. Employers must be very transparent with employees about what data they hold, why and how long it is held for. Up until now it has been common practice for many employers to include a standard clause in the employment contract regarding the processing of HR data; under GDPR that will no longer be sufficient. Employers need to be reviewing their Employee Data Protection Policies and possibly writing new Employee Privacy Policies that go into detail on the processing of employee data.

 

Employee Self Service

Under the GDPR legislation, where possible employers should be able to provide self-service remote access to a secure system which would allow employees to view and manage their personal data online 24/7. Furthermore, the cloud functionality will improve your payroll processing with simple email distribution, safe document upload, easy leave management and improved communication with your employees. By introducing a self-service option, you will be taking steps to be GDPR ready.


Posted by Laura Murphy in Employee Records, Employee Self Service, GDPR, General Data Protection Regulation


Mar 2018

23

Template Data Processor Agreement Now Available

Those of you who were on any of our recent GDPR webinars will be aware that data controllers (e.g. a payroll bureau client) need to be amending their contracts with any data processors (e.g. the payroll bureau) to accommodate the new requirements under the GDPR.

For those of you who did not get to attend our webinars, here is a brief overview.

The Legislation

Whenever a data controller uses a data processor there needs to be a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out certain information which needs to be included in the contract.

Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects (an individual who is the subject of personal data) protected.

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

What does this contract look like?

To comply with the new requirements under GDPR you could either:

  1. Draft new Terms of Service / EULAs / Engagement Letters for each client to include the new GDPR requirements.
  2. Where you have an existing contract in place, you could issue an Addendum to this contract covering the new GDPR requirements; this is commonly known as a Data Protection Agreement (DPA).

Our Advice to Payroll Bureaus

Our advice to payroll bureaus is that when it comes to GDPR you should aim to take an active role in educating your clients about GDPR.

Although the onus is on data controllers to ensure contracts are in place, payroll bureaus looking to get ahead of the GDPR would be well advised to approach their clients and instigate putting the appropriate contracts in place.

Template Data Protection Agreement (DPA)

To assist our customers we have created a template Data Protection Agreement which can be used as an addendum to any existing agreements.

Template Data Protection Agreement

Posted by Laura Murphy in GDPR, General Data Protection Regulation


Mar 2018

22

How Thesaurus Connect can help with GDPR

Under the GDPR legislation, where possible the controller should be able to provide self-service remote access to a secure system which would provide the data subject with direct access to his or her personal data. Thesaurus Connect is a self-service option which will give you and your employees online remote access to view and manage your payroll data 24/7.

Thesaurus Connect is tailored to help you overcome the challenge that GDPR presents. Furthermore, the cloud functionality will improve your payroll processing with simple email distribution, safe document upload, easy leave management and improved communication with your employees.

Online synchronisation and backup of payroll data will maintain accuracy and improve efficiency. By introducing a self service option, employers can begin a new way of remotely accessing information and start taking steps to be GDPR ready. Additionally a self-service facility will automate payslip distribution, simplify and integrate leave requests and keep a secure and chronological backup of your payroll records.

 

Simplify your GDPR compliance with Thesaurus Connect

The option of Thesaurus Connect will keep your employee payroll data secure and offers your employees the added reassurance that you are taking action to become GDPR ready. The advantages of a cloud backup and self-service software are numerous, but mainly it significantly increases the efficiency and effectiveness of payroll work.

Workflow is increased since employers are no longer wasting time on manual data processing and therefore are working quicker and more securely within the remit of the GDPR guidelines. Thesaurus Connect is an online payroll and HR software solution that has been developed to help our customers become GDPR ready. It removes the manual data entry requirement for annual leave management, updating employees’ details, re-sending payslips, backing up your data and HR processing.


Here are the biggest GDPR advantages of Thesaurus Connect:

 

Accountant / Employer Dashboard

Payroll bureaus and accountants have instant access to an online self-service to view clients’ payroll information. Employers can invite their accountant to access their payroll information. Through the accountant / employer online dashboard, you can have remote and secure access to employee payslips, payroll reports, amounts due to HMRC, annual leave requests and employee contact details.

 

Employee Self Service Portal

Invite employees to their own self-service online portal. This secure system would provide employees with direct access to their personal data. Employees can securely view and download payslips, P60s and P45s and easily submit holiday requests, view leave taken and leave remaining.

 

Integration with payroll

Thesaurus Connect is fully integrated with Thesaurus’s payroll software, ensuring the payroll data is correct at all times. Any annual leave or other leave, changes to employee contact details and payroll reports are updated and synchronised between the payroll software and Thesaurus Connect.

 

Cloud Backup

Under GDPR, it is important to keep a copy of payroll files safe in case of fire, theft, damaged computers or cyber attacks. Thesaurus Connect is powered using the latest web technologies and hosted on Microsoft Azure for ultimate performance, reliability and scalability. Thesaurus Connect maintains a chronological history of your backups which you can restore or download any time keeping your records protected.

 

24/7 Online Access

Thesaurus Connect allows password protected mobile and online access to your payroll data anytime and anywhere. This fulfils the GDPR recommendation to provide remote access to a secure system where your employees would have direct access to their personal data.

 

HR & Annual Leave Management

Employers can view all upcoming leave in the Thesaurus Connect company wide calendar where they can easily authorise leave requests with changes automatically flowing back to the payroll. You can upload sensitive HR documents such as employee contracts keeping confidential information restricted to each individual employee.

 

Reduce HR Queries

Thesaurus Connect makes it possible to drastically reduce the number of HR queries you deal with such as access to view personal data, payslip requests, annual leave requests, managing employee contact information and employee payroll records.

 

TimeSheet Upload (Coming Soon)

You will soon be able to upload employees’ hours and timesheets directly through the Thesaurus Connect portal. The upload facility offers an additional layer of protection for your payroll information. From there, you can process the payroll from the timesheet upload. This automated process will offer a more secure and accurate recording of the timesheets and hours.

 

Book a Thesaurus Demo

Cloud advancements enable an interactive collaborative experience for your accountants, employers and employees. Thesaurus Connect speeds up and transforms the accountant / employer relationship from a document exchange or transactional relationship to an instant access one. Book a demo today to see just how Thesaurus Connect can help towards GDPR compliance.

 

Free GDPR Webinars: What does GDPR mean for your business?

Payroll Bureaus and employers process large amounts of personal data, not least in relation to their customers and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated. In this webinar, we will peel back the legislation to outline clearly:

Agenda

  • What is GDPR and why is it being implemented?
  • Why employers need to take it seriously
  • How to prepare for GDPR
  • How we are working to help you

Bureau CPD Webinar | Employer Webinar

 


Thesaurus Newsletter - Are you missing out?

GDPR is changing how we communicate with you. After May 2018, we will not be able to email you about webinar events, special offers, legislation changes, other group products and payroll related news without you subscribing to our newsletter. You will be able to unsubscribe at any time. Don’t miss out - sign up to our newsletter today!

Subscribe now

Posted by Karen Bennett in GDPR, General Data Protection Regulation


Mar 2018

5

Less than 3 months to go: Are you prepared for GDPR?

The EU’s General Data Protection Regulation (GDPR) will be implemented in Ireland in May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world.

Unfortunately, many employers do not realise that 25th May 2018 is a deadline as opposed to a start date. It is important that all employers are ready and GDPR compliant by this date, with potential fines for breaches as high as €20 million or 4% of global turnover.

All employers process large amounts of personal data, especially when it comes to their customers and their employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.

Organisations need to act now to prepare for the potential changes to their systems and procedures. The introduction of GDPR is just three months away, and by now all businesses should be taking action.

As part of our own preparation, we need your help. After 25th May 2018, we will not be able to email you about webinar events, special offers, legislation changes, payroll related news and other group products without you subscribing to our mailing list. You will be able to unsubscribe at any time.

Don’t miss out - sign up to our newsletter today!


Free Webinar: GDPR for your Payroll Bureau

BrightPay by Thesaurus Software is hosting a free webinar on 8th March to help payroll bureaus prepare for GDPR. In this webinar, we will peel back the legislation to outline clearly:

  • What is GDPR and why is it being implemented?
  • Why employers need to take it seriously
  • How it will impact payroll bureaus
  • How to prepare for GDPR
  • How we are working to help you

Places are limited - book your place now!

 


Posted by Rachel Hynes in GDPR, Payroll Software


Jan 2018

8

GDPR unravelled! Find out what you need to know to comply

Get ready as more legislation hits Irish and European businesses. The objective of the recent EU General Data Protection Regulation (GDPR) is to bring data protection standards up-to-date and to ensure that individuals in the EU are appropriately protected from privacy and data breaches. It comes into effect on 25th May 2018; however, this date is a deadline as opposed to a starting point.

 

Business owners who start looking at GDPR on or after the 25th May will be at serious risk of non-compliance. You will need to act now to understand and prepare for GDPR well in advance of the May deadline. Over the next few months, it would be advisable to set aside some time to focus on being fully compliant by the 25th May 2018.

 

BrightPay is committed to helping our customers and others understand the impact of GDPR. We have designed free webinars for accountants and employers to take you through the key steps to be GDPR compliant.

 

Register now for our free webinars which take place over the coming months.

 

Agenda

  • What is GDPR and why is it being implemented?
  • Why employers need to take it seriously
  • How it will impact payroll bureaus
  • How to prepare for GDPR
  • How we are working to help you

 

Employer Webinar: 30th January - Register here
Bureau Webinar (CPD Accredited): 8th March - Register here


Other Free Events


How will PAYE Modernisation affect your business?

The existing PAYE (Pay As You Earn) system was introduced nearly sixty years ago ensuring that correct deductions are made relating to pay and tax. From 1st January 2019, this system for PAYE will undergo a long overdue update called PAYE Modernisation. Under the new legislation, whenever Irish employers pay their employees, a file must be electronically submitted to Revenue containing details of these payments.

 

  • How will PAYE Modernisation affect your business?
  • Guest Speaker: Sandra Clarke (BCC Accountants)
  • Guest Speaker: Sinead Sweeney (Revenue)


Employer Webinar: 24th January - Register here
Bureau Webinar (CPD Accredited): 25th January - Register here

 


Posted by Karen Bennett in GDPR, PAYE Modernisation