We use cookies to help us provide you with the best experience, improve and tailor our services, and carry out our marketing activities. For more information, including how to manage your cookie settings, see our privacy notice.


Skip to content. | Skip to navigation

Community-made content which you can improve Case study from our community

How to protect your charity’s payroll data

With GDPR now in effect, the National Cyber Security Centre’s assessment of the risk in the charity sector suggests sensitive, valuable data may be at risk in many smaller charities.

Breaches of procedures through carelessness, ignorance, or multiple (usually unauthorised) sharing of passwords has exposed organisations to malicious attacks. These can also be insider attacks, motivated by grievance, greed or external pressure, meaning organisations need to be secure both internally and externally.

For charities dealing with employees’ sensitive personal information for payroll purposes, whether internally or through a third party, it’s s essential to ensure the right processes and procedures are in place to safeguard data. Here are four steps to ensure that systems and providers make the grade.


Ensure staff are properly checked and trained

While many recent high-profile breaches have been sophisticated external attacks, most organisations actually fear inside threats. Employers should ensure that staff employed to handle payroll are adequately checked and assessed.

Some useful things to consider are:

  • What reference checking is involved. For example, does the organisation use the additional rigour offered by Disclosure Scotland, which includes criminal records disclosure?
  • If the provider is-abroad , do local employment laws and cultures support robust reference checking?
  • How easy is it to verify experience, qualifications and criminal records of third party providers?

In any employment environment strong HR joiner and leaver procedures are essential to ensure it is not possible for former employees to log in to systems and access sensitive data. It’s also essential that payroll staff are well trained and recognise the importance of information security to avoid releasing sensitive information by mistake. For example:

  • Systems should be in place so that internal or outsourced payroll teams follow processes for verifying an individual calling or emailing about payroll information.
  • Procedures should be in place to ensure requests are referred to the right person and avoid inadvertent data breach. 

Secure the physical environment

Physical security procedures are essential to safeguard every aspect of the payroll process, whether being done internally or outsourced. When considering outsourcing your payroll, pay a visit to the offices where your payroll will be processed and ask the following questions:

  • What security devices and tokens are required to gain access - both to the main building and then to the bureau section?
  • What processes are employed to ensure these tokens are reclaimed when an individual leaves the company?
  • How often are passcodes changed?
  • How easy is it to potentially see sensitive employee information on computer screens – is the bureau separate from other parts of a business?
  • What are the processes for safe disposal of end of life hardware? Is the equipment wiped clean to ensure no personal data is left on the drive once it has been discarded?
  • While most information is retained and transferred electronically, in some cases paper documents will be produced. What processes are in place to safely dispose of confidential waste?

Ensure that security processes are robust

The General Data Protection Regulations (GDPR) covers the handling of payroll processes and payroll data. Securing the data itself – both within the payroll bureau and during transit – is a critical requirement. There are a number of issues to consider:

  • Authorisation and authentication – to ensure only authorised employees have access. Are there safeguards against fraud by adopting the policy such as segregation of duties or two/three tier authorisation hierarchies before payments being made?
  • Back-up systems – loss of data is just as bad as poor security. Strong back-up processes are essential to minimise problems in the event of data loss.
  • Passwords – poorly managed password processes cause significant security problems. How is the payroll provider ensuring access is restricted to those that need access? Data security is often compromised when staff share passwords, or only pay for one licence rather than multiple licences for the software they use. Without a good audit trail, the company cannot identify the source of a breach if it occurs.
  • Strong encryption – to safeguard data, especially in transit over the internet.
  • Penetration testing – is annual testing undertaken by a third-party security provider to discover security vulnerabilities.

Whether handling payroll internally or outsourcing externally you should be continually improving data security against evolving threats.


Check your provider’s ability to protect your payroll data

If you use an external payroll provider, ask about their approach to GDPR and be satisfied that your data can be securely transmitted between you, your provider and your employees (when issuing payslips). There are a number of accreditations that they should have achieved in order to demonstrate a commitment to strong, secure data processes:

  • ISO 27001 information security management certification sets out how an organisation should approach its information security management project and specifies the essential components. Recognised internationally, achieving certification provides credibility for those claiming their client’s information is secure.
  • BACS approved bureau scheme (BABS)’s security support guidelines contain a series of recommendations covering controls and procedures about confidentiality, integrity and availability. These security recommendations collectively define an industry baseline of good security practice and form part of the accreditation process.
  • CIPP’s Payroll Assurance Scheme has been developed to provide payroll departments with assurance that: Payroll and associated processes are fit for purpose and comply with government legislation; The right payroll activities are in place; Suitable processes are in place for picking up and preparing for legislative changes.

Further information

Cyber Threat Assessment: UK Charity Sector for more information on current trends

Insider Threat Spotlight report for more information on the risks. 

Case study about the benefits of outsourcing payroll

The information in this how-to guide has been provided by FMP Global’s Payroll Services an NCVO Trusted Supplier.

NCVO helps voluntary organisations cut costs and become more effective by negotiating discounts and preferential arrangements for its members on a wide range of products and servicesFind out more about NCVO membership.

FMP Global’s team offers a range of payroll solutions to support your organisation through outsourced payroll and HR services both in the UK and Internationally.


Page last edited Jun 14, 2018 History

Help us to improve this page – give us feedback.