Payroll companies with access to your staff data must commit to confidentiality ©Ermetico/123RF

Take control of your data risk

29 March 2018

How to ensure GDPR compliance

Contractual compliance with the General Data Protection Regulation (GDPR) could take time to be ready by 25 May, particularly where it involves third parties that you engage, such as a payroll provider, which can access personal data.

As data “controller”, you cannot appoint a “processor” until you have carried out due diligence to show that it has adequate technical and organisational measures in place to protect data. The good news is that adherence to an approved code of conduct can provide sufficient evidence.

GDPR additions to the technical and organisational security measures needed in a written contract include:

• details of the processing: its subject matter, duration and nature, the type of personal data, and the categories of data subjects;

• the processor must assist the controller with security measures, data breach notification and impact assessments, and must ensure that staff authorised to process personal data have committed to confidentiality;

• the right for the controller to audit the processor and its processing activities; and

• the processor must give the controller access to the information needed to demonstrate compliance, and must inform the controller if an instruction breaches GDPR.

Failure to have compliant contracts could result in a fine of up to €10m, or 2% of a group’s worldwide turnover.

Instead of standard clauses, many businesses see a need for an independent practical contractual framework to ensure GDPR processes are in place and demonstrable.

By Sam De Silva, partner at CMS Cameron McKenna Nabarro Olswang LLP
