activpayroll and The General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) has now replaced the existing European Data Protection Directive and its main aims are to harmonise data protection laws across the European Union and enhance data protection for EU citizens.

activpayroll has been preparing for GDPR for the past 18 months and is fully committed to complying with the Regulation. Over the years activpayroll has demonstrated its commitment to data protection by meeting the standards for SOC 1 Type 2, having a fully established Data Protection Officer in place to help ensure compliance with applicable data protection laws globally, fully complying with existing data protection legislation and operating a fully established information security management programme, which includes a robust risk management framework.

To meet the requirements of the GDPR, activpayroll established a GDPR implementation team consisting of key stakeholders across the organisation, including members of the Senior Management, Information Security, IT and Contracts & Commercial teams. A full review of the GDPR legislation was undertaken to identify gaps or potential areas of weakness. A remediation plan was established with regular governance in order to ensure activpayroll was fully compliant before the legislation went live.

In order to comply with the Regulation some of activpayroll’s efforts included:

Reviewing Processing Activities

activpayroll conducted a full audit of its processing activities including reviewing all data that is collected, how it is collected, where it is stored, where it is sent, how it is sent, how long it is kept for and what security measures are in place to protect the data. activpayroll are fully committed to complying with all the principles of the GDPR including the data minimisation, storage limitation and integrity and confidentiality principles.

Contracts

activpayroll processes payroll across the globe using a network of payroll partners. In order to ensure the same level of data protection is in place within our partner network, activpayroll incorporated the EU standard contractual clauses within our data protection agreements and sought expert legal guidance to ensure these agreements were fully compliant with the Regulation. To further demonstrate our commitment, activpayroll’s US entity achieved certification with the EU-US Privacy Shield Framework in March 2018.

Risk Management

activpayroll’s information security risk management framework includes penetration testing of external-facing systems and the activ8 web application by accredited third parties on a regular basis, routine internal vulnerability scanning and the maintenance of a fully documented risk register and risk treatment plan. activpayroll has embedded Data Protection Impact Assessments into our core processes, including project management and payroll implementation, to ensure risks to personal data are identified and mitigated at the earliest possible stage.

Training and Awareness

activpayroll employees undertake mandatory Information Security Awareness and Data Protection Training as part of the employee onboarding process, as well as regular refresher training that incorporates any significant changes in legislation.

Information Security

activpayroll has a fully established information security programme in place, and these controls are reviewed as part of the annual SSAE18 audit. activpayroll is currently working towards ISO27001 accreditation and has a number of controls in place which align to the standard. activpayroll has a suite of fully documented information security policies which are core to the information security programme and are distributed to, and reviewed by, all employees and contractors on a regular basis.

activpayroll is fully committed to meeting both its contractual and legal data protection obligations. Data privacy is fundamental in allowing activpayroll to fulfil its contractual obligations with its customers and partners and enabling it to operate successfully as a business.

If you have any questions relating to activpayroll’s compliance with the GDPR or its GDPR implementation project, please contact privacy@activpayroll.com.