‘GDPR Day’ is coming, are you ready?
Unless you have been hibernating or simply avoiding both the payroll & national press you will know by now that on May 25th, 2018 The General Data Protection Regulation (GDPR) comes into effect.
For payroll service providers, compliance with data protection ‘goes with the territory’, so there is no news there. But the new regulations have significantly sharper teeth than ever before, with penalties for a breach potentially as high as 4% of global turnover or €20 million, which means that complacency will come at a potentially very high price. Besides harmonising national data-protection laws across the European Union, GDPR will expand the reach of EU data-protection regulation and also introduce important new requirements concerning consent, breach notification, the right to access, the right to be forgotten and data portability.
We know that many Star clients have been taking advice and assessing their readiness. So with under 7 months to go before ‘GDPR-day’ we want to explain what we have been doing here at Star and how this will support your own preparations:
- ISO 27001 certification: The GDPR encourages the use of certification schemes to demonstrate that an organisation is actively managing its data security in line with international best practice.
  - We are delighted that Star’s security policy achieved ISO 27001 certification this summer, so now our internal and external cloud-facing services (ePayslips) both have ISO 27001. This means that our clients have the assurance that Star has an information security management system that is supported by top leadership, incorporated in our culture and strategy, and constantly monitored, updated and externally reviewed.
  - The Star ePayslips service has, since its inception, been delivered and managed exclusively from UK data centres with ISO 27001, AICPA-SOC and PCI-DSS accreditation. All data is sent securely to the ePayslips database, which is encrypted using Transparent Data Encryption with Advanced Encryption Standard AES_128.
  - The Star ePayslips service is additionally audited for security by Netcraft, both weekly and annually. We act immediately on any recommendations made.
- Star business process review: We have risk-assessed all our external and internal business processes to determine our overall level of compliance ahead of the regulation. Our ISO 27001 certification this summer proves that there are no major issues, but of course ongoing reviews and vigilance are needed.
- Star’s current product portfolio review: We have analysed any potential areas of weakness or vulnerability in our products in order to identify any areas for improvement prior to the GDPR deadline. We will make changes in the following areas prior to May 2018:
  - Provide the ability to send payroll data files securely via encryption from within Payroll Professional to support
  - Provide the ability to send employee auto-enrolment letters directly to a secure web portal (rather than by email)
  - Provide the ability to send employer reports and macros directly to a secure web portal (rather than by email)
  - Allow Star to be used with MS SQL Server databases encrypted ‘at rest’ and with secure connections where IT security policy demands this
- myePayWindow launch: In June this year we announced that our new payroll portal, ‘myePayWindow’, will launch at the start of 2018.
  - This is a new, highly secure collaboration portal for the payroll bureau, its employer clients and, in turn, their employees.
  - myePayWindow will be a hosted offering running alongside our ePayslips service from our ISO 27001 accredited UK data centres.
  - With regard to EU-GDPR, the myePayWindow portal will allow the payroll bureau to receive information securely from their clients and will integrate Star’s existing ePayslip data. It will also, uniquely, allow AE letters and pay run reports to be delivered to the secure portal directly from Star Payroll Professional.
  - myePayWindow will be progressively updated with new features through the course of 2018 and beyond, in line with our product roadmap.
We will be providing more information on how you can prepare for the introduction of the myePayWindow portal, so watch this space or contact your Account Manager. In the interim, we strongly advise that, if you haven’t already done so, you:
- Audit your own processes and procedures, and make plans to address any gaps, to ensure that you won’t fall short of the EU-GDPR requirements.
- Don’t forget that GDPR is not just about client-facing processes; it’s about your internal processes and supply chain too.
- Significantly, data controllers and data processors will be jointly and severally liable, so it is important that you remind your clients of their obligations under the regulations too.
Don’t put your head in the sand – there is still time on your side, but the clock is ticking...