The 3 Key Compliance Issues for European Payroll Data
Average rating: 3 (from 52 votes)
By Dave Foxall
An Overview Guide to European Payroll Data Legislation
Regardless of location, size, or industry, one payroll requirement that every organization has in common is the need to keep employee data secure. By its very nature, the payroll database, whether physically on the premises or in the cloud, contains highly sensitive personal information (including data such as bank details, social security numbers, etc.)—issues that ideally should be addressed through pre-selection compliance questions with prospective payroll software vendors. However, the concern of information security goes beyond simply ensuring that the payroll software of choice is ISO 27001 compliant, or that the vendor’s software-as-a-service (SaaS) deployment has a current SAS 70 (now SSAE 16) audit certificate. The other side of the security issue is compliance with the relevant data protection legislation for a given organization’s country (or countries) of operation—an issue that can be as confusing as it is troubling. For instance, to date there is no single federal statute for data protection within the United States; and information is instead protected through a combination of regulatory avenues. In Europe however, data protection laws are generally stricter and broadly similar across the member states. This is due to the overarching European Union (EU) Data Protection Directive; a part of EU privacy and human rights legislation that has 3 key issues that must be understood further.
European Payroll Data Protection Issue #1: A National Authority
Most European nations have established a national data protection agency with the responsibility of overseeing the implementation of the legislation, its enforcement and applying penalties for non-compliance where necessary. Three of the most prominent examples are as follows:
National Authority: Commission National de l’Information et des Libertés
Legislation: Law Nr. 2004-801
National Authority: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Legislation: Bundesdatenschutzgesetz (BDSG)
National Authority: The Information Commissioner’s Office (ICO)
Legislation: Data Protection Act 1998
European Payroll Data Protection Issue #2: The “Data Controller”
The EU’s Data Protection Directive legislation also mandates the appointment of a data controller; a person within an organization responsible for ensuring the safety of personal data. In reality, any employee handling employee payroll data has a responsibility to guard against unauthorized access or data loss or damage; however, the data controller is the individual registered with the country’s data protection authority—a designation that means he/she and must keep the authority updated on the data protection strategy or measures the organization has decided to adopt following an appropriate risk assessment. The data controller must also take into account the actions and systems of any third parties (e.g. outsourced payroll service providers) who handle the organization’s data, as well as any contracts and/or service level agreements (SLAs) that require the need for legislative compliance.
European Payroll Data Protection Issue #3: Non-Compliance
Aside from the obvious impact on an organization’s reputation in the event of payroll data breach (and the potential consequences for the employee or employees directly concerned), additional legal consequences exist within the EU regulatory landscape. In the first instance, the liability may fall to the data controller if he or she has failed to take appropriate data protection measures. Depending on the circumstances, the data protection authority may conduct an investigation, drawing on various sources in order to establish if the law has been broken. The result may be as simple as a report or order that details the actions required to bring the organization back into compliance. If, however, action is not taken, both the data controller and the organization could be guilty of a criminal offense. While deliberate breaches (including those solely made for financial gain) may result in custodial sentences, often a more common and straightforward financial penalty will be assessed. That said, if the situation or offense goes unresolved, a prohibition on data processing is the next step per legislative requirements—a major problem for any business that needs to pay its employees via a payroll system. On top of these consequences for non-compliance, employees may also have legal action rights for loss or distress caused by the payroll data breach.
European Payroll Data Protection – The Bottom Line
Given that the 2011 Global Information Security Survey carried out by Ernst & Young found that, “Only 52% of respondents stated that they have a documented information security strategy,” it might be fair to question the degree to which organizations are concerned about employee payroll data. Add to that the complexities that can arise when regional and local laws are part of the mix, and many companies faced with global payroll regulations would appear to be skating on thin ice. Indeed, particularly for those organizations with European employees, the risk for failing to investigate the differing national requirements could well be a recipe for disaster.
The issue of information security goes beyond simply ensuring that the payroll software of choice is ISO 27001 compliant, or that the vendor’s software-as-a-service (SaaS) deployment has a current SAS 70 (now SSAE 16) audit certificate.”