We’ve put together a list of some of the questions our customers most frequently ask us regarding the General Data Protection Regulation (GDPR).
1. Will it still be permissible to email payslips under the GDPR?
There is nothing in the GDPR that says payslips can no longer be emailed; the practice remains perfectly acceptable. What matters is that appropriate security measures are in place. Payslips emailed from Thesaurus Software are encrypted and deleted from our servers once sent; we also advise that every payslip is password-protected, and that the password is given to the employee by a separate channel rather than in the same email as the payslip. One of the most common forms of personal data disclosure occurs when an email is sent to the wrong recipient, so data controllers (employers) will need to be vigilant that email addresses are entered correctly and checked before payslips are sent.
2. Will it still be permissible to post payslips under GDPR?
Similar to the above, there is nothing in the GDPR that says payslips can no longer be posted. Those posting payslips will need to ensure that appropriate security measures are in place. This may include using securely sealed envelopes, marking the envelope “Private and Confidential” and addressing it to a named individual rather than to a department. In some cases you may decide to use registered post.
3. If we, the payroll bureau, receive a data subject access request from a client's employee should we respond?
Firstly, let us clarify each party's role: the client (the employer) is the data controller, as it decides why and how its employees' data is processed, and the payroll bureau is a data processor acting on the client's instructions.
Our understanding is that in this situation the data subject should submit their access request directly to the data controller, and it is then the data controller's responsibility to involve any data processors it needs in order to respond. If a request arrives at the bureau, it should be forwarded promptly to the client rather than answered by the bureau, so that the client can respond within the statutory time limit.
4. Is there a log in the software that a backup has been transferred to Thesaurus for support?
If you send a support query with a snapshot to us from within the software, our support system keeps a record of the query, with an indicator that a snapshot was attached, for a set period; the snapshot itself (a backup of the data file) is automatically deleted from the remote server after one week. The software on your own machine does not keep a log of support requests having been sent, so if you need an audit trail of what has been transferred, record it yourself at the time of sending.
5. If there were a data breach in which employee information was accessed from Thesaurus Connect, who would the penalty be aimed at: us as the processor, or you as the provider of our software?
As the provider of the Cloud service, it is our responsibility to ensure that the service is secure. We have adopted a “data protection by design” approach to our Connect product and are confident that strong security controls are in place for data stored through Connect. Data stored on Connect is backed up to Microsoft Azure servers, which we believe to be a well-secured platform; no system can honestly be described as immune to breaches, so the backups form one layer of protection rather than a guarantee. Please note that Thesaurus does not access or use the data stored on Connect: our support staff cannot see any of it. If a breach occurred because somebody on the user side had inappropriately obtained passwords and used them to access the data, then the responsibility lies with the end user, which is one reason to keep Connect passwords strong, unique and confidential.
6. Do you share my customer data with anybody else?
Need help? Support is available at 01 8352074 or email@example.com.