We are sometimes asked “is emailing payslips OK?” and we politely explain that with regard to GDPR, email of payslips is a really bad idea!
Pay documents such as payslips, P60s and P45s contain personal data. This means that the employer has a responsibility to take appropriate measures to protect this data under GDPR. So, what does the GDPR say:
GDPR email payslips
” Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures…”GDPR Article 32
The key phrases here are: Technical measures and State of the art. State of the art is a fancy term which means the most modern and recent development. Since GDPR does not specify exactly what can or cannot be used, let’s review what technical measures are available:
- Plain email is used by most of us everyday. Emails are transmitted across the web in unencrypted form and that means it’s the easiest to intercept and read. Copies exist on multiple email servers including the senders and the recipients. Throw in a few backups and it means that multiple copies of a single payslip exist across the internet. The oldest technology and the worst idea for GDPR email payslips.
- Secure email is better but isn’t generally available and difficult for employees to access.
- Password protected email attachments improve the situation, but the issue of how to securely transmit passwords, and a password reset cause issues – particularly if they are sent by plain email.
- Secure online access with https is a method for secure communication on the web. You see it every time there is a padlock 🔒 in the browser address. This represents the state of the art.
If your bank were payroll, would it email payslips?
Here is a simpler way of thinking about the issue. Consider the financial personal data you receive today, for example bank statements, building society statements, credit card statements etc. Every financial institution faces the same GDPR issue and all of them have all arrived at one conclusion: No financial instruction would ever send a statement by email. They will send you a notification email about a new statement, but the only way to access the document is via secure online https.
No financial institution would ever email a statement
In summary, secure online access 🔒
- means there is only ever one copy of the payslip, P60 or P45
- is secure
- is accessed by an employee using a web browser
- is the state of the art
It’s pretty clear for any employer who wants to adhere to the legislation and be in no doubt of compliance – that the state of the art technical measure is secure online access with HTTPS displaying the padlock symbol 🔒.
That’ s why you should never email payslips, P60s or P45s.