For more information visit https://www.thesaurus.ie or https://www.brightpay.ie
With the introduction of the GDPR in May came updates to the Data Protection legislation that had been in place since 1988, making the new regulations more coherent in dealing with the levels of online use we see today compared with 30 years ago. It has also brought with it new and more stringent rules around the security of personal data and how it is processed.
All organisations, regardless of size, will have had to introduce or update existing policies regarding personal data in order to comply with the new regulations. This webinar looks at what is new in GDPR and how it may affect your business, what we have learned from the GDPR 3 months on, and how Thesaurus can help your organisation utilise the new regulations for the benefit of you, your customers, suppliers and employees.
Speakers include:
Laura Murphy - HR Manager, Thesaurus Software / Bright Contracts
Jennie Hussey - Payroll Advisor and Employment Law Expert, Thesaurus Software / Bright Contracts
Guest Speaker: Graham Doyle - Head of Communications, Data Protection Commissioners
2.
• CPD Accredited – fill out survey at the end of the webinar
• Q&A Session – Questions Tab or #BPWebinars
• On Demand – this session is being recorded
3. The Presenters…
Laura Murphy - HR Manager, Thesaurus Software / Bright Contracts
Jennifer Hussey - Payroll Specialist & Employment Law Advisor, Thesaurus Software / Bright Contracts
Graham Doyle - Head of Communications, Data Protection Commissioner
4. Webinar Agenda
• Demystifying the General Data Protection Regulation
• Processing Employee Data under GDPR
• GDPR and Payroll Processing
• How Thesaurus Software Can Help
• How Thesaurus Software Has Prepared
• Conclusion
Questions & Answers
7. Focus of the GDPR
• Gives Data Subjects more control
• Makes Data Controllers/Processors more accountable
• Makes personal data processing more transparent
• Reduces personal data security vulnerabilities
• Co-operation between Supervisory Authorities on cross-border processing
8. What’s largely unchanged in GDPR
Concept of Personal Data
Acts of Processing
Data Protection Principles
Definitions of Data Controller/Processor
9. GDPR Definition of Personal Data (Article 4.1)
“any information relating to an identified or identifiable natural person”
11. The 8 Principles of Data Protection
• Obtain and process information fairly
• Keep it only for one or more specified, explicit and lawful purposes
• Use and disclose it only in ways compatible with these purposes
• Keep it safe and secure
• Keep it accurate, complete and up-to-date
• Ensure that it is adequate, relevant and not excessive
• Retain it for no longer than is necessary for the purpose or purposes
• Give a copy of his/her personal data to that individual on request
12. Definition of Data Controller (Article 4.7)
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
13. Definition of Data Processor (Article 4.8)
“a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
14. What’s new in GDPR
Accountability – demonstrating compliance
Transparency – providing information pre-processing
Risk-based mandatory data breach reporting (72 hours)
Strengthened ‘Consent’ obligations
New and enhanced Data Subject rights
Administrative Fines
Data Protection Officer (DPO) for certain organisations
15. Accountability
Article 24.1
“….the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”
Article 24.3
“Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller”
16. Demonstrating Accountability Practically
• Maintaining up-to-date inventories of processing (Article 30)
• Completing data protection impact assessments (Article 35)
• Ensuring the security of processing (Article 32)
• Adhering to the principles of data protection by design and by default (Article 25)
• Appointing and empowering a Data Protection Officer (Articles 37 and 38)
17. Accountability – The controller-processor relationship
• Monitoring data processors is an ongoing task, for example:
• Undertaking external and internal audits
• Inspections
• Follow-up actions
• Spot checks
• Regular reviews
18. Transparency
Article 12
“The controller shall take appropriate measures to provide any information……..relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”
19. Transparency Requirements
At the time when personal data is obtained, provide the data subject with information on:
• Identity of controller and DPO
• Purpose of processing and legal basis
• Recipients of the data
• Data transfer arrangements
• Retention period
• Right of access
• Right to withdraw consent
• Right to lodge complaint with SA
• Details of the contractual or statutory basis
• Details of automated decision-making
20. Transparency in Action
o Privacy policy
o Avoiding ambivalent terms
o Presentation and signposting
o Visualisation tools (icons, seals etc.)
o Testing intelligibility
21. Exceptions to the obligation to provide information (Articles 13.4 and 14.5)
o “Where and insofar as the data subject already has the information” (Article 13.4)
o “the provision of such information proves impossible or would involve a disproportionate effort…..or seriously impair the objectives of that processing” (Article 14.5)
o “obtaining or disclosure is expressly laid down by Union or Member State law” (Article 14.5)
22. Breach Notification to Supervising Authority
Notification to Supervising Authority within 72 hours, unless “unlikely to result in a risk to the rights and freedoms of natural persons”.
‘Risk’ might include, for example, a risk of identity theft or anything likely to lead to a financial loss for the data subject.
23. Breach Communication to Data Subject
“when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”
“the data controller shall communicate the personal data breach to the data subject without undue delay”
‘High Risk’ – higher threshold than report to SA
25. New and Enhanced Data Subject Rights
Right to Data Portability
Right to be Informed
Right to Rectification
Right of Access – 30 days, no fee
Right of Erasure – Right to be Forgotten
Right to Restrict Processing
Right to Object to Processing
27. Data Protection Officer (Articles 37, 38 & 39)
• Public Authority or Body
• Core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
• Processing on a large scale of special categories of data (Articles 9 and 10)
30. HR and Payroll under GDPR
Who?
• Job Applicants
• Existing Employees
• Leavers
What?
• Name and address
• Payroll information
• Next of kin
• Performance review
• Health or sickness information
31. Data Management
Payroll and personal data must be processed lawfully, fairly and in a transparent manner.
- A lawful reason for processing data must exist
- All data must be kept up-to-date and only be used for purposes that have been communicated
- Only hold information required for as long as it is needed.
- Data needs to be protected and stored in a secure manner.
32. Lawful Processing
• The data subject has given consent
• Necessary for the performance of contract
• Necessary for the compliance with legal obligation
• In order to protect vital interests of a person
• Necessary for public interest or official authority
• For the legitimate interests of data controller or yourself the employer in this case.
33. Lawful Processing & Consent
• Under GDPR consent must be "freely given, specific, informed and unambiguous".
• Consent can no longer be relied upon as a lawful reason for processing employee personal data
34. Enhanced Rights for Employees
The right to be informed
The right of access
The right to rectification
37. Distributing Payslips
Email Payslips
• Yes you can email payslips
• Security measures should be taken, like password protecting the payslips
Postal Payslips
• Yes you can post payslips
• Security measures should be taken, like security sealed envelopes
• It is recommended (but not mandatory) to offer a secure self-service portal to securely send and store payslips
38. Recommended Self-Service Option
• Password protected for each employee
• Provides flexibility and full transparency for employees to retrieve and update their information at any time
• Employers can login and view payslips, payroll reports and amounts due to Revenue
• Distribution of payslips and reports is automated and they are automatically available to employees
39. Securely Storing Employee Payroll Data
• Password protect computers that hold personal data
• Password protect software applications that hold personal data
• Password protect or encrypt payslips and other documents that may be emailed to employees
41. Who Processes Payroll?
                  In-house Payroll   Outsourced Payroll
Data Processor    Employer           Payroll Bureau
Data Controller   Employer           Employer
Data Subject      Employees          Employees
A written contract must be in place!
Employees must be informed, consent is not required.
42. Data Processor Agreement
• Whenever a data controller uses a data processor there needs to be a written contract in place
• Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met
• Data processors will have some direct responsibilities and may be subject to fines or other sanctions if they don’t comply
43. What does this contract look like?
• Compliance:
• Draft new Terms of Service / EULAs / Engagement Letters
• Issue an Addendum to any existing contract
• Contract Content
• Mandatory content has expanded
• Template Data Processor Agreement (DPA)
Good morning and welcome to today’s webinar – GDPR - 3 Months On! – where we will discuss what’s new in GDPR and how it may affect your business, what we have learned from the GDPR 3 months on, and how Thesaurus can help your organisation utilise the new regulations for the benefit of you, your customers, suppliers and employees.
We have already completed a sound check with people who logged on early, so I’m just going to go straight into the webinar…
Today’s webinar is CPD accredited and you can benefit from 1.5 CPD points. If you would like a CPD certificate, please fill in the survey at the end of today’s webinar and we will email out the CPD certificates within the next few weeks.
At the end of the webinar we will have a Q&A session – if you have any questions feel free to type them into the questions box on your control panel and we will try to get through as many questions as possible.
Today’s webinar is being recorded. We will automatically send you a copy of the recording along with the slides in a follow up email.
A short survey will also appear after you close down the webinar and we’d ask that you take one minute to fill it out in order for us to improve our webinars going forward.
Just to introduce ourselves before we get started - My name is Laura Murphy and I’m the HR Manager here at Thesaurus Software / Bright Contracts.
We are delighted to welcome our guest speaker for today’s webinar, Graham Doyle who is the Head of Communications at the Data Protection Commissioners Office. Graham was appointed Head of Communications with the DPC in October 2017. Graham has responsibility for the operationalising and management of the DPC’s Communications Strategy, which includes extensive national and international media engagement, attending and speaking at events domestically and abroad and delivering a comprehensive internal communications programme for the DPC. Welcome Graham.
Also joining us on today’s webinar are Jennifer Hussey, one of our most experienced support personnel, and Rachel Hynes.
Here is the agenda for today’s webinar – and as you can see we have a lot to get to.
I’d first like to pass you over to Graham Doyle for Demystifying the General Data Protection Regulation. Thank you Graham.
Laura:
The information that employers will hold on employees is vast,
It will include:
information obtained from an individual during the recruitment process (regardless of whether or not they eventually got the job),
it will also include the information you hold on current employees (name and address, payroll information, next of kin, performance reviews and health or sickness information),
and then much of the above information on previous employees also.
This information may be held in hardcopy personnel files or in softcopy such as HR systems, payroll system, clock-in technology or even email.
What is important to remember is that regardless of how you store your employee personal and payroll data, all the same concepts that Graham has already discussed will apply.
The most significant development with GDPR for employers is the emphasis on transparency and accountability, as Graham has already emphasised.
Employers should be able to demonstrate compliance with the GDPR or risk enforcement action from Graham’s colleagues at the DPC.
Laura:
In terms of being able to demonstrate compliance, a core consideration when processing payroll and personal data is that it must be processed lawfully, fairly and in a transparent manner.
Lawful processing: one of the six criteria must be met – I’ll come back to this point
All of your employee’s data must be kept up-to-date and only be used for the purposes which have been communicated to the employee
Only hold information for as long as it is needed.
You must ensure that all data is stored and processed in a secure manner.
Jennie:
Lawful processing
Processing of personal data can only be deemed as lawful if it meets one or more of the 6 legal reasons as set out by GDPR.
The data subject has given consent (and we’ll come back to this issue of consent shortly)
Necessary for the performance of contract or to take steps prior to entering into a contract – provide your service – retain their hotel booking
Necessary for the compliance with a legal obligation to which the controller is subject (e.g. tax)
In order to protect vital interests of a person (health records)
Necessary for public interest or official authority (this is likely to refer to public sector bodies).
For the legitimate interests of the data controller, or yourself the employer in this case. And this is really where you can have a little more flexibility in classifying your processing (performance management records of an employee).
Employee Consent is no longer permissible under GDPR so Employers should, therefore, look to the other grounds for lawful processing in order to justify the processing of HR & payroll data. This could be:
Necessary for performance of a contract i.e. the employment contract
or to comply with a legal obligation: i.e. you process payroll information because legally you have to pay an employee and deduct and pay forward taxes etc.
It is in the legitimate interests of the business to do so: i.e. it could be in the business interests to hold performance records.
Employers will need to give thought to each separate piece of employee data they process and record the grounds for lawful processing upon which they rely in each case.
Laura
Jennie has just said that consent is no longer permissible when it comes to processing employee data.
Up until May, one of the commonly relied upon grounds for lawful processing of HR personal data was that it was done with employee consent. However, as Graham has already said, consent must be freely given, specific, informed and unambiguous. Given the imbalance of power between employees and employers (the power being with the employer), it will be difficult for consent to be freely given by the employee, which means it is unlikely to provide a valid basis for processing HR data.
– historically there might have been a data protection clause in the contract of employment that said employees gave their employer consent to process their data.
A term in a standard employment contract will certainly be insufficient and will no longer provide a 'fall back' justification for processing HR data.
Laura:
As Data Subjects, your employees or your clients employees do have increased rights under GDPR and it is important that you have prepared for these.
Some of the rights that may play a role in relation to payroll processing include:
The right to be informed: this emphasises the need for transparency in how you use personal data – you must be very clear with the data subjects about how their data is used. You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. This is called a Privacy Notice or Privacy Policy
We have created a Privacy Policy with all these requirements in our HR software, Bright Contracts. We will take a brief look at the Bright Contracts, and the employee privacy policy a little later on.
Jennie:
The right of access: The right of access, commonly referred to as a ‘data subject access request’, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. A self-service option is a recommendation under GDPR.
Rachel will show you our Self service option, Connect in more detail shortly
The right to rectification: Under Article 16 of the GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed.
existing right)
Laura:
Under this very important concept of transparency and data subjects having easy access to the data being held on them, the GDPR legislation includes a best practice recommendation for businesses to provide individuals with a secure self-service platform offering remote access to information held on them.
An employee self-service system is usually an online service that provides employees with access to their personal records (e.g. contracts of employment or staff handbook) and payroll details held and processed by their employer. Different systems will have different features but often employees will also be able to submit leave requests through the service also.
So for employers looking to implement best practice measures with regard to GDPR, I think it would be prudent to at least consider the possibility of having an employee self-service.
Ok – so moving on to a few specific payroll points.
Laura:
This is an area where we’ve had a lot of questions come to us.
There is nothing in the GDPR legislation that states it is no longer permissible to email payslips but again you should take steps to securely protect each employee’s payslip. When emailing payslips, we recommend password protecting all payslips with a password that is uniquely chosen by the employee. The payslip should also be sent directly to the employee’s chosen email address.
Where a generic and identical password is used for all employees, this could be considered a breach of GDPR. This action could be seen as not taking sufficient steps to offer the most secure environment to protect employee’s personal pay information.
Furthermore, your payroll provider should provide secure encryption on all payslips and automatically delete payslips that are being sent from their server. Check with your provider to be certain that they are offering this level of protection. If not, you should look for another payroll provider who does. For maximum security, it is recommended (but not mandatory) to offer a secure self-service portal to securely send and store payslips and other sensitive payroll documents.
Jennie:
There is nothing in the GDPR legislation that states it is no longer permissible to post payslips.
What to be conscious of is that all appropriate security measures are in place to protect the payslip:
using security payslip envelopes, marking the envelope as ‘Private and Confidential’ and ensuring that it is addressed to the employee. In some cases, you may decide to use registered post.
Of course another alternative would be to offer a secure self-service portal to securely send and store payslips – as is recommended in the GDPR.
Laura:
The employee self-service portal should be password protected for every employee. Again, identical or a generic password must not be used for all employees. Each employee’s password should be unique, chosen by the employee and confidential, offering maximum protection. Accessing payslips and personal contact details through a remote access secure system will provide flexibility and full transparency for employees to retrieve and update their information at any time.
A self-service portal offers significant benefits for data controllers and data processors to comply with the GDPR legislation. Remote access will provide you and employees with direct access to their payroll information anywhere, anytime. You can login 24/7 to view all employees’ payslips, leave requests, HR documents, amounts due to Revenue and other payroll reports. Employers also benefit as they can now automate the distribution of payslips.
A self-service portal that is directly integrated with the payroll will allow for payslips to be automatically available as soon as the payroll is finalised. This offers additional security against cyber attacks and eliminates email hacks that could occur when sending and receiving payslips or payroll reports by email. Additionally, a self-service option allows businesses to keep their data updated and accurate as employees can edit their contact information.
Jennie:
When it comes to payroll data, businesses should be looking at password protection on computers and other devices that hold personal payroll data, for example the PC that they access the payroll software on. The payroll software application itself should also be password protected should anyone else ever access your computer. For payslips, as we discussed already, use password protection, or security envelopes if posting. A simple measure like having in place a clean desk policy - making sure any timesheets and payroll documents are stored in a secure/lockable cabinet, or even having a shredding box beside the printers and a plan to shred any documents in the box at the end of each day/week.
Laura:
GDPR places increased responsibilities on all parties that process personal data.
In this section I want to look at the responsibilities of those who process employee payroll data.
Laura:
Data Processing: Where a business processes their payroll in-house, they are both data controllers and data processors.
Where a business outsources their payroll to an accountant or payroll bureau, the bureau is the data processor and the employer is the data controller. The payroll data processor can lawfully process data on behalf of a client as long as there is a written contract between the payroll bureau and the client.
Data processors must only process data as per the written instruction of their client, hence it is of the utmost importance that a comprehensive contract is in place. I want to come back to the contract between the payroll bureau and the client in a moment, there’s just a couple of other quick points I’d like to make first.
Jennie:
The final point that I want to touch on here is employees in the outsourced payroll situation. We get asked a lot whether payroll bureaus need written consent from their clients’, i.e. the employer’s, employees in order to process the payroll. The answer here is no. However, what is important here is that the employees should be clearly informed that payroll is being processed. For the reasons we outlined previously, written consent is not required.
Laura:
The contract is important so that both parties understand their responsibilities and liabilities.
Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. – so the onus is on the employer to ensure the correct contract is in place with their payroll bureau.
Although the onus is on data controllers to ensure that contracts are in place with third parties, if you are a payroll bureau, our advice is that when it comes to GDPR you should aim to take an active role in educating your clients about the new regulations.
Our advice to payroll bureaus would be that if your clients haven’t contacted you, you might consider approaching them with regard to putting a DPA in place.
Data processors will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.
Laura:
To comply with the new requirements under GDPR, payroll bureaus have two options
They could draft new Terms of Service, EULAs, or Engagement Letters for each of their clients to include the new GDPR requirements.
or, where you have an existing contract in place you could issue an Addendum to this contract covering the new GDPR requirements. This is commonly known as a Data Processor Agreement.
Under the GDPR the mandatory content that must be included in the contract has been expanded to include much greater detail around data protection responsibilities and liabilities of both parties. These include, but are not limited to, confirmation of security, confidentiality and details of any sub-processor used.
To assist our customers we have created a template Data Processor Agreement which can be used as an addendum to any existing contracts. This can be downloaded in the handout section at the right of your screen, or it will also be included in the webinar follow up email which will be sent out later today.
Laura:
Thesaurus Software offers a suite of products that have been updated to assist you with your GDPR compliance.
Laura:
For those of you who use BrightPay Payroll Software, the products connect in a similar manner, with a BrightPay Connect cloud add-on.
Jennie will now take you on a quick tour of the Employee Privacy Policy in our HR software – Bright Contracts and then Rachel will show you our Self-service facility - Connect
Jennie:
Bright Contracts software allows the user to create and manage legally compliant Employment Contracts and customizable Staff Handbooks with all the required and recommended policies from an employment law perspective. Having your employee contracts and other personal data like the privacy policies in a program which has built-in encryption and security measures means the employer is demonstrating compliance with GDPR regulations around the security of that data.
Jennie:
As Graham has already mentioned in the Transparency Requirements, GDPR stipulates that anywhere personal data is being collected, either directly or indirectly, Privacy Notices should be in place; these policies are critical to complying with the transparency obligations in the GDPR.
So we have taken the headache away with the introduction of an Employee Privacy Policy on our HR software - Bright Contracts. The policy will cover the required elements and ensure demonstrable compliance in regard to the employer’s obligations that are required under GDPR. We will take a brief look at Bright Contracts, and the employee privacy policy, now….
Jennie:
One of the main principles of GDPR is that Data shall be processed lawfully, fairly and in a transparent manner, these three elements overlap and all three must be satisfied in order to demonstrate compliance.
Employers, as both Data Controllers and Processors, must be able to show how they comply with the new data protection principles and be clear and open with their employees about the processing of data and their rights.
We have upgraded our Bright Contracts software to include a new Employee Privacy Policy feature, so now employers can facilitate the main GDPR principle of lawful, fair and transparent processing of the employee data.
Easy and simple to use, the employer needs to select 2 compulsory sections relating to whether any automated decision making occurs in relation to the data - i.e. maybe a system to automatically select possible job applicants from a database - and whether or not any of the data held is transferred outside the EU, for specific or storage purposes. We use Microsoft Azure servers which are based here in Europe.
Jennie:
Once the compulsory sections and any specific sections are selected, the system will generate a compliant employee privacy policy indicating what data is processed, how it was collected, with whom it may be shared (any third parties like pension providers or accountants), how long it is kept for, and the rights of the individual, i.e. right to access, right to rectification, erasure, etc.
The employee privacy policy is critical to complying with the transparency obligations in the GDPR so it is vital they have the correct and appropriate information included and be presented in a clear and understandable format. Bright Contracts does all that for you and in mere moments and with a couple of clicks of the mouse will generate the employee privacy policy for you, enabling the employer to tick off another box regarding GDPR compliance.
Laura:
The Privacy Policy is a requirement for the employer to provide employees with detail like what, where and how in relation to their personal data; however, the employees should also make themselves aware of the Data Protection Policy within the Handbook, which we have also updated in accordance with the GDPR regulations, as this will guide the employee in matters like breach reporting (that Graham mentioned in his presentation earlier) and who they should go to within the organisation to report a complaint or a breach.
You can find more information on the Bright Contracts software from our website – brightcontracts.ie, also you can request a free online demo of the software in the questionnaire at the end of the webinar.
Rachel:
Looking now at our Connect add-on product, which is available to work alongside both BrightPay Payroll and Thesaurus Payroll Manager.
Thesaurus Connect and BrightPay Connect are tailored to help you overcome some of the key challenges GDPR presents when processing payroll.
Essentially, Thesaurus Connect & BrightPay Connect are automated cloud backups, keeping employees’ payroll and personal data safe and secure. The payroll ITSELF is still processed on your desktop application; however, the payroll information is stored online, on a secure cloud server.
Because the payroll information is stored online, you can invite employees to their own password-protected self-service portals. Going back to what Laura said earlier… - with the GDPR, it is recommended to provide remote access to a secure system, which would provide employees with direct access to their personal data. With Connect, both employers and employees can login 24/7 on any device, including PCs, Macs, tablets and smartphones.
Secure document exchange - The self-service portal facilitates the secure transfer of payroll documents between employers and their employees. Rather than sending confidential documents through emails, employers can provide these to employees in a secure environment. If you are a payroll bureau, you can also invite your clients to their own employer dashboard, where the client can run their own payroll reports and view payroll information for each of their employees. This allows payroll bureaus to automatically and securely send sensitive documents to their client without the need to attach them to an email.
With the employee self-service portal, employees can update their own personal information, making sure details are accurate and up-to-date. This feature also helps with the right to rectification of personal data held, which is an employee right under the GDPR.
Users can be set up so that they only have access to the information needed to complete their duties, ensuring privacy by default. So here, you may have a manager, who should have permission to approve leave requests, but who has no reason to have access to the payroll information.
Last but not least then, Connect acts as an all in one central location to store all things employee related, including payroll, HR and other employment related documents – having individual employee documents visible to the employee promotes transparency across your people function.
Just to give you a very quick look at Connect then, here we have the employer dashboard, which is what both BrightPay Connect and Thesaurus Connect look like for employers processing their own payroll in-house, and it is also what it looks like for payroll bureaus and their clients.
Employers can access payslips and payroll documents for each of their employees.
They can view and run their own payroll reports.
Employers can view a company-wide employee calendar, showing past and scheduled leave for all of their employees.
Within the Revenue tab, employers can view amounts due to Revenue and a full breakdown of the P30.
Employers can also upload sensitive HR documents and confidential employee information, such as a contract of employment or privacy policy.
Moving on now to the individual employee, and as mentioned earlier, employees can log in remotely to a self-service portal, as recommended by the GDPR.
Employees can log in on any internet browser, or there is also a smartphone app where employees can log in and get notifications directly to their smart device.
The employee can view and download current and historic payslips and other payroll documents, such as P60s.
Going into the documents tab, employees can click into HR documents and resources.
Here employees can view employee documents that have been uploaded by their employer.
Next is calendar, and here employees can access an overview of all past and scheduled leave. They can also request annual leave instantly and view their annual leave entitlements and leave balance for the year.
And finally, there’s “my details” – where the employee can update basic personal details such as their phone number or their postal address.
Laura:
Data Protection has always been a concern for us and we’ve always aimed to act with complete integrity in this regard. Like all companies, in preparation for GDPR we have had to complete a total review on how we gather, maintain and use data.
In relation to our software products, we are 100% committed to data protection by design – security is at the centre of everything we do.
Firstly, both Thesaurus and BrightPay are desktop applications that sit on your computer – we do not have access to your data files, except where they have been submitted for support reasons. We have no control over the authority, the quality or safety of the data input. You and you alone are responsible for the accuracy and completeness of your records.
Whilst we have security measures in place to protect your data, it remains your responsibility to keep your sign-in details confidential, and to close down the software on your PC when it is not being used. To protect your information, you will need to ensure there is no unauthorised access to your computer and that your software is password protected.
Laura:
Some of the key changes that we’ve made that will affect our customers include:
From time to time when assisting with an employee query, we may request a backup of an employer file to fully resolve the customer query. Whilst we did have security protocols in place for this, we felt that we could make them even more secure. We've created an in-program support feature that allows users to automatically send a backup of their payroll to us through a secure channel. This enhanced feature means you don’t have to upload the backup to your email, where you may forget to delete it. On our side, the backup never gets saved on the support assistant’s PC or email account. The customer backups received are all saved centrally on a secure server and are automatically deleted after 72 hours.
We have updated our privacy policy to accommodate our new data protection responsibilities. The new privacy policy explains how we use your data, who we share it with and how long we keep it for. We have worked hard so that this updated policy is detailed, yet simple and easy to understand.
Over the last year, we have completed internal IT audits on all our company PC’s, securely deleting any unnecessary files and data. Going forward, we will conduct regular audits to keep track of our GDPR compliance and ensure we are not retaining any unnecessary data.
We have looked at how information is sent to and retrieved from our secure servers, be it for the purposes of maintaining our websites or our CRM system. We have now changed all of our servers over to more secure Microsoft Azure servers. We have also introduced IP whitelisting, meaning that knowing the login credentials is not enough, the request must come from a trusted location.
We have introduced additional consent fields on different areas of our software and websites. These consent forms explicitly ask for consent to sign up to our newsletter, which contains information about webinar events, special offers, legislation changes, other group products and payroll-related news. Users can also unsubscribe from our emails at any time. With the exception of essential software updates, customers will not be contacted unless they have specifically opted in to our mailing list. Of course we think that our newsletters and webinar invites are quite informative, so we would definitely recommend that you sign up. If you do wish to subscribe to our mailing list, you can do this on the survey after today’s webinar, in our follow-up email or on the BrightPay and Thesaurus websites.
Internally, we have run a number of training sessions with our staff to ensure everyone understands the implications of the GDPR legislation. Going forward, we will continue to hold in-house training and update sessions to ensure our staff are fully aware of the new legislation and how it impacts their role.
So that brings us to the end of today’s webinar. If you do have any questions about the webinar or the software feel free to type them into the questions bar and we will try to get through as many questions as possible.
While we are waiting on a few questions to come through, just to let you know about our upcoming webinars, we have two scheduled for November, both of which look at the upcoming PAYE changes which take effect for all employers this January. Both webinars are CPD accredited, free to attend and will feature a guest speaker from the Revenue Commissioners.
You can register for these webinars by clicking on the link in the follow-up email, or you can also register on both the Thesaurus and BrightPay websites. You can also subscribe to our mailing list so that you don’t miss out on more upcoming webinars.
In the meantime, if you are interested in having an online demo of any of our products, BrightPay, BrightPay Connect, Thesaurus Connect or Bright Contracts, make sure to fill in the survey that will appear when this webinar has ended. Just to quickly mention the pricing…
The BrightPay Standard licence costs €149 + VAT per tax year, and this includes unlimited employees.
The bureau licence costs €299 + VAT per tax year, including unlimited clients and unlimited employees.
Both licences include free phone and email support and from January it will include full functionality for PAYE Modernisation.
The standard licence costs €149 + VAT per year, and this includes unlimited employees.
The bureau licence costs €299 + VAT per year, including unlimited clients and unlimited employees.
Both licences include free phone and email support. Customers can also benefit from online HR templates and HR guidance.
BrightPay Connect is an add-on to BrightPay on your desktop and costs €59 + VAT per employer per tax year. We also offer package deals and discounts for bureau users who process payroll for multiple clients – prices for this are available on our website.
If you are interested in all three products, we offer bundle deals to both employers and payroll bureaus. For example, all three products together are valued at €357, but when buying all three you can get them for just €289.