Frequently Asked Questions

We’ve put together a list of some of the frequently asked questions we’ve been asked by our customers regarding the General Data Protection Regulations.

1. Will it still be permissible to email payslips under the GDPR?

There is nothing in the GDPR that states it is no longer permissible to email payslips, this practice is still very much acceptable. The thing to keep in mind in relation to emailing payslips is to ensure that all appropriate security measures are in place. Emailed payslips from Thesaurus Software are encrypted and deleted from our servers once sent, however we would also advise that passwords are used on all payslips. A common type of personal data disclosure occurs when an email is sent to an incorrect recipient. Data controllers (employers) will need to be vigilant that correct email addresses are inputted.

2. Will it still be permissible to post payslips under GDPR?

Similar to the above, there is nothing in the GDPR that states it is no longer permissible to post payslips. Those posting payslips will need to ensure that all appropriate security measures are in place. This may include using securely tightened envelopes, marking the envelop as “Private and Confidential” and ensuring that it is addressed to a specific person. In some cases, you may decide to use registered post.

3. If we, the payroll bureau, receive a data subject access request from a client's employee should we respond?

Firstly, let us clarify each party's role:

• Payroll bureau = data processor
• Client = data controller
• Client's employee = data subject

Our understanding is that in this situation, the data subject should submit their access request directly to the data controller. It will be the data controller's responsibility to contact any data processors from there.

4. Is there a log in the software that a backup has been transferred to Thesaurus for support?

If you send a support query with a snapshot to us via the software itself, then we keep a record of the query with an indicator that there was a snapshot on the query for a set amount of time, but the actual snapshot (backup of the data file) is automatically deleted from the remote server after one week. The system itself does not keep a record when a support request is sent.

5. If there was a data breach where employee information was accessed from Thesaurus Connect who would the penalty be aimed at; us as the Processor, or you as the provider of our software?

As we provide the Cloud service, it is our responsibility to ensure that the service is secure. We have adopted a "data by design" approach to our Connect product and are confident that we have the strongest security in place in relation to data stored through Connect. Data stored on Connect is backed up to Microsoft Azure servers which we believe to be immune to breaches. Please note that Thesaurus does not actually process any data stored on Connect, our support staff do not have access to any of the data stored. Of course, if a breach occurred because somebody on the user end had inappropriately accessed passwords to access the data, then the responsibility there lies with the end user.

6. Do you share my customer data with anybody else?

We undertake not to sell, trade, rent or share any personally identifiable information to others. This information and more is set out in our privacy policy. An updated version of which will be going live in the coming months.

7. Is operating a "clean desk" policy mandatory under GDPR? An accountancy office will always have accounts files and jobs in various stages of progress or ultimately ready for review by a Manager/Partner - so must all such files be physically put away each day?

No it is not a requirement under GDPR to implement a clean desk policy. That said, the GDPR requests organisations to put in technical and organisational measures to protect any personal data processed. When looking at data being processed, organisations will need to consider what measures would be best implemented in their workplace that will minimise the risk of data being lost or exposed to parties that should not have access to it. Implementing a Clean Desk Policy could be considered as one such organisational measure.

8. As a Payroll Bureau, when processing a new employee, is information from the employer sufficient, or would you need a signed document from the employee to confirm consent to add to the payroll?

If you are processing payroll on behalf of the employer then your contract is with the employer. It is extremely important that you have a written contract in place with your client that is GDPR compliant. In turn, the employer will/should have the relevant policies in place with their employees that clearly explain how their data is being used and who it is being shared with. There is no requirement on Payroll Bureaus to put in place a separate agreement with their client’s employees.

9. Is a small business actually expected to encrypt their own single computer?

The GDPR has not specified that full machines need to be encrypted, again it states the necessary technical measures should be put in place. It is up to businesses to review their risk and put in suitable controls from there. It is generally not common to encrypt a whole machine, although encryption software is available that could be applied to specific files, which may or may not be suitable for the small business. At a very minimum, small employers would be well advised to ensure that any software download is secure and provides proper security safeguards. Employers and their employees should also be cautious when opening links sent from unknown recipients.