GDPR 2018

With new General Data Protection Regulations (GDPR) coming into play in early 2018, it highlights the potential financial and reputational risk now associated with properly protecting valuable employee information.

Over 5000 Morrisons employees are suing the high street grocer over a data leak that saw sensitive payroll data information for 100,000 employees posted online.

The last thing any company wants is a front page tabloid scandal over any issue.

Smaller employers should be aware that if this can happen to a company with resources that Morrisons have, then they need to be extra vigilant to ensure it does not happen to them!

Protecting your reputation is important both internally and externally and you’d think that there is little bad publicity that could be generated by payroll. You’d be wrong.

Supermarket chain Morrisons were first hit with legal action from staff back in early 2016, and a good deal of negative national tabloid and television coverage, when sensitive personal payroll information relating to thousands of employees was stolen from the company.

The Morrisons payroll data theft should be a wake-up call for all organisations that employ and pay people to check their systems and procedures.

Furthermore it should also prompt a wider understanding of the impending GDPR rules to ensure that any sensitive data is handled, stored and used correctly.

Not only has Morrisons been hit with reputational damage to repair, but there is now a trust issue between management and the staff. Teams need to start by identifying who touches the payroll process, and who else has access to data.

Smaller hard pressed organisations are often at risk from the ‘shared password’ approach internally, where ‘one licence’ systems may be accessed by lots of different people and the audit chain breaks down.

Larger organisations with more transient staff and higher churn need to look at the surroundings where payroll is processed, procedures and back-up systems, physical security arrangements (including the disposal of IT hardware) and having strong encryption arrangements.

Here organisations need to go back and ensure staff are properly vetted and trained. Robust checks should start as part of the employment process.

If you decide to outsource your payroll, it is still your responsibility to ensure their systems are up to scratch and that they are taking GDPR seriously.

You could, and probably should, arrange a visit to the provider’s office which will give you a good idea and feel for how they treat sensitive information.

If in doubt, don’t do it – it’s not worth the risk.