
Sample Data Mapping Record (GDPR Impact Assessment)

Provided to clients and prospects by Voyager Software Ltd, part of Dillistone Group Plc.

EXAMPLE

Overview

Process: Payroll - Core
Volume of data: 114 per month
Type of data processed: Hardcopy data for new starters (P45/46 etc.), hardcopy data for commissions. Electronic data for core tasks, emailed payslips.
Description of processing: Monthly processing of payroll information for staff including commissions, SSP, SMP, leaver and holiday pay. New starters/leavers processed as required.
New/Existing data? Both (if new starters)
Security: Core Sage payroll data files encrypted. Payslips password protected. Data directory restricted access. Finance only given sufficient data to do management accounts.
Who can access? Operations Director, MD only through core Sage application. MD, OD & head of tech ops for network file location.

Related processes listed under Payroll (no separate fields completed): Payroll - Pension, Payroll - SAYE, Payroll - Banking.

Process: Retail Mortgages
Volume of data: 250 per month
Type of data processed: Online forms; hardcopy forms
Description of processing: Processing of Mortgage applications
New/Existing data? Both (if new applicants)
Security: Data directory restricted access. Password protected application. Only Mortgage Assessors have permission.
Who can access? Mortgage Assessors

Process: Term Loans (no further fields completed)

Data flow

Information Owner: Operations Director
Observations: Linking Sage payroll to NAV would reduce finance's need to see data to do management accounts.
Actions: Investigate Payroll-NAV link.
Compliant? Compliant
Who are data subjects? Staff
How do you get it? Data provided by staff on joining via internal HR platform and P45/P46.
Where does it go through your organisation? Manually keyed from subject-provided data into Sage Payroll, stored on Group drive (encrypted and restricted). Payslips sent as password protected emails. Reports stored on network; relevant data keyed into online banking for payment. Relevant data keyed into Pension online portal for payment. Relevant data passed to finance team for management accounting. Relevant data passed via Sage to HMRC for FPS submissions. Selected data given to HM Gov for annual earnings survey.
How is it stored? Manual data held in locked HR cabinet. Electronic data in restricted/encrypted network location. Restrictions persisted into on- and offsite backups.
Does it leave your organisation? Partial data is sent to HMRC for reporting purposes (FPS/year end etc.). Partial data is sent to Pension provider (name, address, NINO, contribution). Partial data is sent to SAYE provider (name, address, NINO, contribution). Sample data observed by auditors, but in-house.
Does it leave borders? No
Observations: It is assumed that staff have "joined the dots" in some cases where data is sent to other processors (e.g. via SAYE); this should perhaps be made clearer.
Actions: Improve visibility of the data flow to the data subjects by documenting where it may be sent and what data is sent.

Information Owner: Retail Director (no further fields completed)

Data Subjects Rights

Right to be informed
Compliant? Investigate
Staff are aware of the nature of the processing that will be undertaken and are made aware of applicable rights. Details of our DP policies and legalities for processing are documented in the staff handbook.
Observations: As mentioned, data flow could be better described. LOW RISK
Actions: Improve visibility of the data flow to the data subjects by documenting where it may be sent and what data is sent.

Right of Access
Compliant? Compliant
Staff know they can request access to their data via the section in the handbook.
Observations: Actually most staff are not aware what this means. LOW RISK
Actions: Education of staff needed here.

Right to rectification
Compliant? No
Staff can self-rectify via the HR system.
Observations: Requires picking up and processing of the automated email to the payroll team from the HR system to action. LOW RISK

Right to erasure
Compliant? Compliant
Payroll data protected under HMRC retention.
Observations: Staff not aware at source that this is likely to be declined. Has never been requested though. Care to be taken not to dismiss out of hand, however, as any specific data may fall outside the scope of HMRC retention and so would need to be reviewed as per policy. LOW RISK

Right to restrict processing
Compliant? Compliant
Staff are aware of right via handbook.
Observations: Staff are unlikely to restrict and hence prevent their payroll being run! LOW RISK

Right to data portability
Compliant? Compliant
Staff can request P45 etc. and selected data on leaving the company. Any requests for payroll information to be provided to third parties such as letting agents for references are checked with the subject. HM Courts requests for jury service reimbursement are provided in the requested format.
Observations: LOW RISK

Right to object
Compliant? Compliant
Staff are aware of right via handbook.
Observations: LOW RISK

Rights regarding automated decision-making and profiling
Compliant? Compliant
Payroll software will automate elements such as calculating SSP etc. None considered sufficient to trigger rights under this … of GDPR.
Observations: LOW RISK

Principles of GDPR

Fair, lawful and transparent processing
Compliant? Compliant
Staff aware that data is necessary for legal obligations and for the purposes of administration of their salary and benefits.
Observations: Handbook, corporate policy and fair processing statement on the company intranet are shown to all new staff.
Actions: Reminders of the existence of these policies and their purpose should be given on a semi-regular basis.

Specified, explicit and legitimate purposes
Compliant? Compliant
Payroll processing is legitimate and contractual. Consent is requested for certain payroll related processes such as Group-wide salary reviews.
Observations: Random sample contracts are checked annually by auditors, as are policies and process.

Adequate, relevant and limited to what is necessary
Compliant? Compliant
Only the minimum data required to process payroll is collected for this purpose.
Observations: Data minimisation has led to some difficulties with accounts audits where specific requested data has to be constructed from various sources. LOW RISK

Accurate and kept up to date
Compliant? Compliant
Staff can amend their own data indirectly via the HR system. Payroll process means payslips are distributed several hours in advance of cut-off for mistakes to be rectified. Staff changing bank details are asked to visually verify the accuracy of their new bank details.
Observations: Manual input of pay elements could foreseeably lead to subject distress if the wrong information is keyed. LOW RISK
Actions: No secondary verification process in place for pay elements.

Retained for only as long as necessary
Compliant? Investigate / NO
Historical payroll information is generally deleted in line with policy. The exception to this is electronic data within the Sage system, which exceeds this. Other data retained in line with retention policy.
Observations: Backups taken, encrypted and verified.
Actions: Data exceeding retention policy in the Sage database needs to be investigated to see if it can be selectively purged. MEDIUM RISK

Processed in a way to ensure security
Compliant? Compliant
Data encrypted at rest and in transit. Access is restricted to minimum required staff. Passwords on all payslips at strong strength. Processing staff are seated in a non-overlooked position. Printed documentation is passcode locked, so there is no danger of information being picked up from the printer.
Observations: Staff are trained on cyber security aspects annually and take a test to verify understanding. Internal infrastructure is penetration tested annually. As part of this, phishing attacks are aimed at staff.