Bookkeeping and GDPR; Payroll - Caind and Beer

The General Data Protection Regulation (GDPR) starts from May 25th, 2018. This means complying with new regulations. The regulation gives more rights to individuals, about the way their personal information is used and increases obligations of businesses, to ensure that any personal data they collect has been obtained with agreement from the individual.

In accordance with GDPR, bookkeepers who run payroll must keep all personal data up to date and must ensure that it is secure. As a bookkeeping organisation, we are here to help and here is our advice on helping you with GDPR:

Firstly, start by understanding what information is stored, why it is stored, and how is it stored:

  • What information is stored?
  • Why is the information stored?
  • Is the information stored securely?
  • Can the information be stored differently?
  • Do multiple members of staff have access to information?

Organisations outsourcing payroll to a bookkeeper means that information such as names, date of births, national insurance numbers, addresses and salaries are needed. Go through each item of data stored on an individual and ask the question ‘Is this needed for the payroll process?’ Any information that is not needed and confirmed with the client as not needed, delete it. Every item of personal data being processed or stored needs to be logged with a clear reason stating why it is being stored or processed, and for how long the information will be kept.

However, the information identified as not needed for payroll may still be needed to be stored by the client for their records. The client should fully understand your role as a bookkeeper and the need to store or delete the information as necessary. The information needs to be checked and updated regularly, so a process needs to be in place to make this happen, between a bookkeeper and their client. With GDPR, any information held must be reviewed and brought in line with the new regulation or deleted.

As a bookkeeper, your organisation or yourself as an individual, understanding GDPR for your client’s sake is essential. A number of your clients may be smaller businesses, sole traders or self-employed individuals; who are unsure of the implications of GDPR to them as a business owner. Ensure you understand the basics of GDPR:

  • Fines for non-compliance are significant, based on a percentage of turnover; up to £20 million pounds or 4% of annual turnover.
  • Individuals can request copies of their personal data electronically and this must be complied with, for free, within one month.
  • Organisations can no longer assume implied or negative consent with pictures. In the past, organisations have been able to assume consent unless people advise otherwise. This is not the case with GDPR; these cannot be used unless specific consent has been obtained. It is not enough to have a sign or statement asking people to opt out.
  • Organisations are required to formally document what data is processed, why it is processed and make this clear within Privacy Statements.


The Information Commissioner’s Office (ICO) is a useful website to visit, which provides helpful guidance on complying with GDPR, as well as easy to understand blogs to read that cover IT security, the myths of GDPR and how your organisation needs to adhere to GDPR. You can visit their website here.