How data privacy laws shook up HR and payroll

In 2021, an Italian company was fined €8,000 ($8,465) because the primary hard drive containing employee data was located in a room that was accessible by anyone. In 2022, a Spanish company was fined €2,000 because it accidently added extra recipients to an email that contained personal employee data.

Over the last decade, data privacy and protection laws have irrevocably changed the way HR and payroll departments handle employee data.

The centerpiece of this has been the European Union’s 2016 General Data Protection Regulation (GDPR), which at 99 articles with a global reach is some of the most complex legislation ever to come out of the E.U.

The GDPR has inspired comparable laws around the world. Some are similar in spirit, such as legislation passed in China and California, while others, such as in South Korea and Brazil, directly adopted parts of the GDPR framework.

Despite their differences, all of these data privacy laws have two things in common: All aim to govern how data is processed and transferred, and all vastly increase a company’s obligation to handle data more carefully.

Companies around the world are chasing compliance, and data protection regulators have collectively issued millions of dollars in fines.

“In the last five years, there has been a lot more awareness around data protection generally. A lot of that comes from the work done prior to 2018, when GDPR came into effect,” says Sara Gee, Data Protection Lawyer, PwC U.K.

The stakes can be especially high for payroll professionals, who process large troves of data, says her colleague Chris Cartmell, Co-Lead Data Protection Strategy for PwC U.K. That means payroll service providers are stepping up their game when it comes to vendor management and cybersecurity.

In-house and outsourced

Most data privacy rules around the world have similar requirements: Any data about employees must be used for specific purposes, and the information must be kept confidential and secure.

For companies that handle payroll or HR as an in-house function, this has meant getting basic security hygiene correct. Companies have been ordered to pay hundreds of thousands of euros for what experts say are pretty obvious mistakes. For example, in 2019, a Slovakian company was fined after its HR department disposed of personal data documents in a garbage dump.

In 2020, while the Germany privacy watchdog was investigating a data breach at a clothing retail company’s service center, it found the company had kept “excessive” records of its employees’ illnesses, religion and families. The company was issued a €35.3 million fine for violating employees’ privacy.

Outsourcing payroll and other HR functions to vendors means entrusting your data security with them. It removes some headaches of ensuring data privacy compliance, but it can also create greater obligations surrounding due diligence.

Companies must ensure vendors have “sufficient guarantees” to comply with data protection laws, Gee says. This includes validating whether a payroll service provider has the right security tools and protocols in place.

They must also draft contracts that account for a wide range of issues, especially with the rise of cloud-based HR and payroll solutions.

For example, most data protection laws — including those of China, Brazil, South Korea and the E.U. — require the company (known as the “data controller”) to ensure that its vendor (referred to as the “processor” since the vendor processes the data) adheres to a certain standard of security. This requirement is usually baked into the contract between controller and processor.

But things get more complicated if subcontracting or further outsourcing takes place.

“Suppose payroll processing is outsourced to a third party, but if that processor then outsources some components like backups or IT… this is why you need to ensure data protection measures reflect across the supply chain,” Gee says. “The best way to deal with this is to carry out a privacy impact or data transfer impact assessment, which is what many companies are doing.”

ADP, for example, has established processes for clients that request third-party impact assessments. Companies often choose data processing vendors based on lowest cost, but when it comes to data protection, you get what you pay for.

The elephant in the room

Prior to 2018, for large companies with in-house legal teams with data privacy expertise, laws like the GDPR mostly presented an opportunity to formalize compliance processes that already existed in some form. When it comes to payroll, data privacy laws have “defined more precisely the relationship between the employer and payroll provider,” says Jason Albert, ADP’s Global Chief Privacy Officer.

But questions often arise about cross-border data transfers. Standard contract clauses that allow companies to transfer data from regulation-heavy regions such as the E.U. to countries with lower data privacy requirements have faced a great amount of judicial scrutiny.

And then there are newer regulations, like China’s Personal Information Protection Law (PIPL), which privacy experts consider to be even more strict than the GDPR.

To transfer the data of a resident of China across the border, companies have to satisfy numerous conditions, including: obtaining consent, entering into standard contract terms with the recipient or completing a government security assessment, and tracking onward transfer to other entities.

This has become an ongoing concern for many companies with global operations. Many multinationals are dealing with the regulations by separating their global data flows into multiple systems, keeping Chinese data just in China.

India also has a new law slated to go into effect, as do 12 U.S. states, and countries such as Canada are continuously updating their laws, says ADP’s Albert.

“The process of compliance is a continuous one.”
Sara Gee, Data Protection Lawyer, PwC U.K.

ADP has handled the patchwork of global regulations by implementing a global privacy program modeled on the GDPR’s requirements, which is then tailored to local laws so that ADP meets its obligations as a data processor and clients can meet their obligations with regards to access and deletion requests.

“In all cases we have a three-step process: assess, implement, demonstrate,” Albert says. “We understand the new requirements of the law, analyze the existing processes, and identify and define action plans.” Then, the company works closely to enact the action plan by figuring out how to access or delete data, giving access to sub-contractors when needed, and testing the plan. Finally, “We demonstrate compliance: checking in with the compliance team and maintaining evidence of compliance. The process requires ongoing monitoring.”

Solving employee issues

Data privacy laws have also had a profound impact on employee dispute resolution.

In April 2023, a Chinese employee of a foreign environmental technology company was terminated for falsifying sick leave and for alleged embezzlement. The employee sued the company in a Beijing court, arguing that it was wrongful termination. In its defense, the company submitted records of WeChat messages obtained from the employee’s company-owned device.

To the company’s surprise, the Beijing court said it could only recover deleted WeChat records if the employee provided “voluntary and explicit” consent — even if the device was owned by the company — because to do otherwise would violate the core principle of personal data protection. The messages were considered inadmissible and the employee won the wrongful termination suit.

“The recent decisions and opinions of the Beijing court suggest a heightened risk for collecting personal information without obtaining employees’ express consent, even from company devices,” wrote K. Lesli Ligorner, a partner at the law firm Morgan Lewis. “It is therefore prudent for companies to review their policies and employee practices and put in place mechanisms to ensure compliance with data protection and recordkeeping laws in China and other relevant jurisdictions as soon as practicable.”

“I would say that the process of compliance is a continuous one. And it’s a constant journey that evolves over time,” Gee says. “Operations and processes change, the way they are delivered change as well. Whether it’s through new emerging technologies or something else. For that organization, they will have to think about what it means for them and to continue to build their level of compliance over time.”

How to carry out a third-party privacy impact assessment

Establish clear expectations about high standards for data privacy with all vendors and partners.
Focus on the third party’s inherent risk, or the risk faced when the business does nothing. Understand the third party’s business and the ways it will touch your organization’s data and infrastructure, including its business resiliency, ability to combat bribery and corruption, whether its data privacy programs comply with relevant organizations.
Assign the third party to a risk tier, with Tier 1 being the riskiest and requiring the most oversight. Make sure the third party has a business continuity plan for the most likely risk scenarios.
Draft contracts that set the bar in line with industry standards, if not higher. Include clauses that allow for checks outside of the annual assessment to monitor the third party and make sure it fixes any problems identified.
To reduce the risks created by remote work, make sure the third party only allows employees to do work on dedicated work devices.
Maintain open lines of communication. In case of unexpected disruptions, confirm whether the business continuity plan will in fact allow operations to continue.

The information contained in this piece is intended to be purely educational in nature and should not be taken as legal advice.

Anuj Srivas

Anuj Srivas is an independent journalist who covers issues at the intersection of technology, business and society. Until recently, he was the political economy editor for The Wire, an award-winning Indian news website.