During a recent conversation with a global payroll leader, I was astonished to hear them say that although they had left the company six years ago, they still access to payroll solutions in certain countries. Hearing this made me wonder- was this an isolated case or are there other organizations that aren’t implementing strict controls over who has access to highly sensitive employee data?
To safeguard employee data, including highly sensitive banking and financial information, and ensure that that the above scenario will never happen in your company, there are proactive steps you can take.
Following are key questions to ask that identify areas of risk:
How many systems manage your payroll globally?
If the answer is multiple, then the next question to ask is how are you ensuring that when a user leaves, they are removed from the system? And if that individual is an administrator, then they must be removed from all the various systems. It’s important to make sure you know who is overseeing user access across multiple systems.
Do you have to send a request to your payroll vendor to change and update access rights?
Some payroll solutions do not allow you to centrally control who can access your data. To make any changes, you must manually request it; a process that lacks visibility and poses a potential security risk when the request is made. Increased turnaround time is also inefficient. Your solution should allow your organization to control who accesses the data without having to send manual requests to vendors to change access rights.
Do you have real-time visibility into who can access your payroll systems and data globally?
Can you view a report on users who have access to your global payroll? Do you have audit logs on historic access rights? You should always be able to view and track these access rights.
Do you manually transfer employee data from your HCM to global payroll?
This is not only inefficient but increases the risk of unauthorized access and edits. Employee data should not be shared with your payroll vendor via email. If this is a typical process, it’s important to have a conversation with your payroll provider to remedy the situation.
Are payslips manually created or shared via email?
The manual creation, storing and sharing of payslips via email is a significant risk, as it increases access to employee information. Employees should access their payslip via a self-service portal. Any payslip shared via email should be encrypted and secured by a password.
Do you manually create general ledger entries? Are reports manually created and manipulated?
It’s important to control the access to employee data post payroll. Finance, compensation, and benefits teams frequently collate employee data into Excel to create reports. This manual sharing of and access to the Gross to Nets when preparing general ledger entries is another risk for unauthorized access to employee data.
Likewise, reports on compensation, commission and benefits are typically created in Excel spreadsheets which are then shared amongst various leaders. This passing and sharing of information increases the risk that personal employee information is accessed.
Transferring employee and payroll data outside of the EU requires extra caution and must meet the specific requirements set out by GDPR regulations, specifically Article 88.
Do you have logs on who accessed data and the actions taken?
To comply with regulations, global payroll leaders must maintain an audit log of all individuals with access to their organization’s payroll data. Failure to demonstrate this, even if you have extremely strict access controls, can be costly.
Demonstrating strict access controls and detailed logs can make a significant difference in what fine is handed out, or whether regulators will penalize you at all. Organizations must be able to quickly identify the cause of any data theft or tampering and report these incidents to authorities in a timely fashion.
Protect your employee data
Payroll data includes highly sensitive information, from employee addresses to bank details and more, so it is imperative that organizations take every precaution and follow every regulation to protect this data. Global payroll consolidation and integration enables payroll, HR and finance leaders to implement and maintain data protection best practices and securely meet GDPR compliance requirements.
With the Immedis Platform, payroll leaders can centrally control role-based access which allows for a granular level of data visibility and control. This empowers payroll leaders to easily manage who can view and edit specific information based on their account and data security access level. Full web-based integration with your HCM and General Ledger reduces the risk of unauthorized access.
When evaluating payroll vendors, be sure to get your IT and data security staff involved and select a vendor with the appropriate SOC compliance and certification.
This post was written by Breiffni O’Domhnaill, Commercial Manager, on the Immedis website here. They are an exhibitor on the HRTech247 Payroll, Time & Attendance floor. You can visit their HRTech247 exhibition stand here.
