Morrisons data leak highlights huge GDPR threat to payroll

10th October 2017

Over 5,000 Morrisons employees are suing the supermarket chain over a data leak in which sensitive payroll information for around 100,000 employees was posted online.

And with the General Data Protection Regulation (GDPR) taking effect on 25 May 2018, the case highlights the financial and reputational risk now attached to failing to protect valuable employee information properly.

The last thing any company wants is a front page tabloid scandal over any issue.

Protecting your reputation is important both internally and externally and you’d think that there is little bad publicity that could be generated by payroll. You’d be wrong.

Supermarket chain Morrisons was first hit with legal action from staff in early 2016, along with a good deal of negative national tabloid and television comment, after sensitive personal payroll information relating to thousands of employees was copied by an insider and published online.

The Morrisons payroll data theft should be a wake-up call for every organisation that employs and pays people to check its systems and procedures. It should also prompt a wider understanding of the impending GDPR rules, to ensure that any sensitive data is handled, stored and used correctly.

Not only has Morrisons been hit with reputational damage to repair, but there is now a trust issue between management and the staff.

Teams need to start by identifying who touches the payroll process, and who else has access to the data. Smaller, hard-pressed organisations are often at risk from the 'shared password' approach, where a 'one licence' system is used by lots of different people under a single login and the audit chain breaks down: the log can show that the payroll account exported a file, but not which person did it. Larger organisations with more transient staff and higher churn need to look at the surroundings where payroll is processed, at procedures and backup systems, at physical security arrangements (including the disposal of IT hardware) and at strong encryption of payroll data wherever it rests, including on backups and portable media. In both cases organisations need to go back and ensure staff are properly checked and trained, and robust checks should start as part of the recruitment process.
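The shared-login problem described above can be spotted in an ordinary audit trail, because one person cannot normally be logged in from two machines at the same time. The following is an added example and is not code from the original article or from any payroll product: it parses a constructed log (the line format, user names and IP addresses are invented for illustration) and flags accounts whose activity overlaps from different source addresses, then lists the sensitive actions that such an account performed and that therefore cannot be attributed to an individual.

```python
"""
Added example (not from the original article): detecting a shared payroll
login in an audit trail. The log format, user names and addresses below are
constructed for illustration only and are not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO timestamp> user=<login> src=<ip> action=<what> [id=<n>]"
SAMPLE_LOG = """\
2017-10-02T09:01:10 user=payroll src=10.1.4.21 action=login
2017-10-02T09:03:44 user=payroll src=10.1.4.21 action=view_payslip id=4410
2017-10-02T09:05:02 user=payroll src=10.1.7.88 action=login
2017-10-02T09:06:30 user=payroll src=10.1.7.88 action=export_all_employees
2017-10-02T09:07:12 user=payroll src=10.1.4.21 action=edit_bank_details id=4410
2017-10-02T09:40:00 user=a.smith src=10.1.4.30 action=login
2017-10-02T09:41:15 user=a.smith src=10.1.4.30 action=view_payslip id=2201
2017-10-02T10:10:00 user=a.smith src=10.1.4.30 action=logout
2017-10-02T17:55:00 user=a.smith src=10.1.4.30 action=login
"""

# Two actions closer together than this are treated as the same working session.
SESSION_WINDOW = timedelta(minutes=30)

# Actions that must be attributable to a named person (assumed names, not a real schema).
SENSITIVE_ACTIONS = ("export_all_employees", "edit_bank_details")


def parse_line(line):
    """Turn one 'ts key=value ...' audit line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-blank line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def shared_account_indicators(records, window=SESSION_WINDOW):
    """Return {user: set of source IPs} for every login whose activity from
    different source addresses overlaps within `window`. That pattern is a
    strong indicator that the credentials are shared between people."""
    by_user = defaultdict(list)
    for record in records:
        by_user[record["user"]].append(record)

    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, earlier in enumerate(recs):
            for later in recs[i + 1:]:
                if later["ts"] - earlier["ts"] > window:
                    break  # sorted by time, so nothing further overlaps
                if earlier["src"] != later["src"]:
                    flagged.setdefault(user, set()).update({earlier["src"], later["src"]})
    return flagged


def unattributable_actions(records, flagged, sensitive=SENSITIVE_ACTIONS):
    """Sensitive actions performed by a flagged login. The log names the
    account but cannot name the person: this is the broken audit chain."""
    return [r for r in records if r["user"] in flagged and r["action"] in sensitive]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    shared = shared_account_indicators(recs)
    for user, sources in shared.items():
        print(f"{user}: overlapping activity from {sorted(sources)}")
    for r in unattributable_actions(recs, shared):
        print(f"  {r['ts'].isoformat()} {r['action']} by shared login '{r['user']}'")
```

In the constructed sample the `payroll` login is flagged (it is active from 10.1.4.21 and 10.1.7.88 within a few minutes) while `a.smith` is not, so the bulk export and the bank-details change made under `payroll` are the two entries nobody can be held to. The fix the article is arguing for is organisational rather than code: one named account per person, so that the same log answers the question.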

Check our GDPR Top Tips for Payroll managers

And don't think you're off the hook by employing an outsourced payroll provider: outsourcing the processing does not outsource the responsibility. Ask your provider searching questions about who they employ, who has access to your data, where it is housed, how it is transported, and what systems, procedures and accreditations are in place to protect it. Your payroll outsourcer should be rock solid when it comes to talking GDPR. IRIS FMP has already taken further action, over and above its ISO 27001 certification, to tighten its systems.

I always tell people to visit the offices of any outsourced payroll provider before they commit, as you'll get a good feel for whether they have robust data security arrangements. Check that they hold accreditations such as ISO 27001 (the information security management certification), Bacs approved bureau status, and the CIPP Payroll Assurance Scheme certification. If they have all three, data protection is clearly high on their list of priorities; do still ask to see the certificate itself, because an ISO 27001 certificate covers a defined scope, and you want the service that handles your payroll to be inside it.

In a world where data theft is on the increase, voluntary organisations, like every other employer, should resolve now, ahead of GDPR taking effect in May 2018, to ensure their payroll data is not at risk.