Today, more and more businesses are confidently outsourcing business functions, or parts thereof, to service providers whom they trust to do the job faster, more affordably, and more effectively than they can themselves.
Payroll and HR are no exception to the trend, and a whopping 47% of US and Canadian companies already partner with such service providers, with South African businesses not far behind.
At the same time, concerns over data privacy (thrown into sharp relief by the slew of data breaches and massive hacks both in South Africa and abroad over recent years) have encouraged legislators to introduce tight legal guidelines to ensure that the data stored by payroll providers is kept secure and within the control of those it belongs to.
Here are a few questions I would advise any client of such service providers to ask themselves.
What do payroll providers do with the data that you are granting them access to?
Account details, salaries and other sensitive data contained in payslips are, understandably, a primary concern when it comes to data privacy.
All payroll providers feel comfortable guaranteeing your right to privacy, but it is not unheard of for even the largest and best-known of these to sell their clients’ employee data on to third parties for their own profit.
This means that businesses are essentially betraying the confidence of their employees and exposing them to risk, and yet it is the service provider who is the only entity to profit.
Is that legal? Is it in compliance with current regulations?
Well, it is if you agree to it. My advice? Always read the fine print. Data protection regulations like South Africa’s Protection of Personal Information Act (POPIA) and the EU’s General Data Protection Regulation (GDPR) place much emphasis on consent – in short, an individual’s right to decide what is done with their personal data, and by whom.
Today, it is natural for contractual agreements to contain more and more fine print in ever more complex legalese, and this can have clients granting access and permissions they didn’t really mean to.
We always stress the importance of a rock-solid reputation (look for things like ISO certification that give you a hint of the company’s compliance track record). Never sign on the dotted line until the provider has explained everything in detail.
You might like to have a compliance officer or legal entity look at the documents beforehand, as well.
How is consent gained from unwitting clients?
Look out for overly complicated wording and lengthy service level agreements, and ensure you read them in detail.
It is not unheard of for businesses to present payroll personnel with a long list of very standard-looking check-boxes at the month-end period, with one vaguely worded box granting permission to use the client data in a certain way.
These transactions often occur without board knowledge or approval on the side of the client and represent a major breach of privacy. Naturally, the business relationship between the payroll provider and the client is at risk of being compromised beyond repair.
How common is the practice?
It’s difficult to say, because it’s a sure bet that many of the victims of this practice still have no idea it is going on.
However, as the monetary value and sheer amount of data increase year over year, you can bet that practices like this are bound to become more common with time.
The bottom line
This is why we stress that data privacy and compliance need to be a top priority for all businesses – not only for legislative and compliance reasons, but because we believe that long-lasting, mutually beneficial business relationships are built on trust and transparency.
Another lesson in this story is for the clients themselves. Don’t simply take a supplier’s products at face value.
Do your research, interrogate their intentions, and always read the fine print. Simply going with the biggest or best-known payroll providers based on their reputations might leave you in the dark – as in this case – regarding their practices.