Is it Safe to Keep Emailing Payslips?

Question: I’ve received some information stating that when the General Data Protection Regulation comes into force in May, this will affect whether we can email payslips. The information was at best ambiguous and potentially a marketing tool for some software. We currently email our payslips to our employees’ personal email addresses, and they’re not password protected. Am I OK to carry on this way?

Answer: I’m afraid that you’d have a problem if, instead of sending a payslip to the individual employee, you accidentally sent it to everyone on the mailing list – so everyone could see their colleague’s financial information and personal email address. Alternatively, a typo in a new employee’s email address could easily lead to a random member of the public receiving their payslip.

I would say you definitely need to use payroll software that offers password protection. This seems to be a common feature, so you might want to check whether you do, in fact, have that option available in your existing system without realising it. There’s nothing in the GDPR that specifically prevents you from emailing payslips. However, there is a new requirement to tell the Information Commissioner’s Office (ICO) and affected employees if you lose personal data, as well as much heftier penalties for data breaches. Employees can also bring claims against you – even if they don’t suffer any financial loss, they can bring a claim for distress.

Having password protection in place will reduce the risk of employees’ personal information going astray in the first place. Also, if something still goes wrong, it will indicate to the ICO that you’ve taken steps to try and comply with your data protection duties. An even better option than password-protected emails is to use a secure online portal where employees can log in and pick up their payslips. This is likely to need deeper pockets but if you’re researching new software solutions anyway, it might be worth investigating.

