New Payroll Data Protection Regulation Coming to Europe
Average rating: 3.5 (from 22 votes)
By Dave Foxall
European Union Seeks to Keep Employee Payroll Data Safe
Europe already has uniform and fairly stringent data protection measures in place courtesy of the European Union (EU) Data Protection Directive—an initiative that all of the major European payroll service providers have willingly embraced and complied with. As of early 2012 though, there is a new proposed data protection regulation on the table which could instantly tighten up the data compliance requirements for organizations operating in any of the 27 member countries.
It may be fair to say that up until now, data protection legislation has tended to play catch-up with the possibilities of the latest technology and usage trends; and plug the gaps in the wake of public and private sector embarrassments (e.g. the hacked Sony PlayStation Network). But according to the June 2012 issue of IT in Europe magazine, “the European Commission’s newly proposed data protection regulations are designed to get ahead of what is fast becoming one of the defining challenges of the Internet age.”
Although the focus when talking data protection is usually on personal information gathered for commercial purposes (i.e. customer data) it also carries implications for payroll systems. After all, your payroll database contains highly sensitive employee information including banking details for direct deposit and social security numbers and the management of that data must comply with data protection legislation. So whether your payroll data is on-premises, in the cloud or kept in a service provider’s data center, it’s as well to know what compliance mandates are coming down the line.
European Payroll Data Protection Issue #1: A National Authority
Most European nations have established a national data protection agency with the responsibility of overseeing the implementation of the legislation, its enforcement and applying penalties for non-compliance where necessary. Three of the most prominent examples are as follows:
EU Payroll Data Protection: The Current Situation
In a nutshell, the current mandates form part of EU privacy and human rights legislation and can be summarized as follows:
Each EU country must have a national data protection agency with the remit of overseeing the implementation of the legislation;
The appointment of a data controller, a person or organization responsible for ensuring the safety of personal data;
Financial or even custodial penalties for data breaches.
EU Payroll Date Protection Drivers
As the IT in Europe editorial says, this new regulation is an attempt to keep pace with and even overtake current IT trends – namely, the consumerization of IT, cloud data storage and the increase in mobile working. In fact, it’s the use of mobile technology in the workplace and the BYOD (bring your own device) explosion that poses the greatest risk to data; with exponentially more complex security issues and the ever-present possibility of an employee simply losing their smartphone/tablet/netbook and the stored data falling into the wrong hands.
Exactly What EU Payroll Data Protection Changes are on the Horizon?
The proposed regulation (and although it is only “proposed” there is little doubt that it will become law) seeks to pull together the current scattered rules and provide a single overarching data privacy law for the whole of Europe; the key features of which are:
Organizations with more than 250 employees are required to appoint a data protection officer
A requirement for users to explicitly give permission (opt in)before a company can collect any information
The inclusion of a “right to be forgotten” that gives EU citizens the right to request any company in the world delete (without delay) and not disseminate their personal information
Data breaches should be reported to the relevant supervisory body within 24 hours and if it’s not reported companies must provide an explanation for the delay
Maximum fines of up to 2% of a company’s annual revenue
From a payroll data point of view, the second provision will probably entail some minor changes to the paperwork when onboarding new hires; while the third provision is likely only to be relevant to ex-employee records. Although it’s not yet clear exactly when this proposal will pass into law, the expectation is that it will be in force sometime between 2013 and 2015 which gives organizations some time to prepare.
As to that preparation, the primary short-term focus should be on good information governance – knowing what data you have, its source, where and how it’s stored and how it is used – which should be fairly straightforward (and already in place) for the contents of the average payroll database. That said, IT in Europe magazine suggests that a number of long-term projects may be necessary depending on individual corporate circumstances, including obtaining employee consent, managing third party relationships (such as outsourced payroll providers), controlling mobile security, having a single identifier for each employee (again, likely to already be in place), and adopting more powerful encryption tools.
Upcoming EU Data Protection Regulation – Final Thoughts
One key advantage of this new legislation is the implementation of a single data privacy law across all 27 member countries. Currently the EU-wide provisions stem from a directive which each country has then been required to adopt as part of their own data protection law; thus leading to variations of detail between the differing nations. This new regulation would create a borderless data protection landscape, making compliance simpler and merely requiring multinational organizations to elect a “home country” to establish to which supervisory authority they would report. While obviously too soon to tell what the greater global ramifications of this legislation would be, it is clear that if passed, the EMEA payroll regulatory landscape will be changing; and changing significantly.