Payroll outsourcing: the solution to PoPI problems?

The promulgation of the Protection of Personal Information (PoPI) Act later this year will have a dramatic effect on compliance requirements around personal information, most notably the requirements and systems needed to protect confidential data contained in your company’s payroll system. If you are a small to medium-sized business, one way to reduce the increased compliance risk is to outsource your business’ payroll function to an off-site specialist, who has the scale and expertise to safely manage your payroll functions.
“Even though PoPI hasn’t been promulgated yet, our experience is that it takes several months to ensure that IT and payroll systems are fully compliant with the Act, depending on the size of the firm,” says Megan Veldman, HR Manager at Moore Stephens Johannesburg. “As a result, a number of our clients have already migrated their payroll functions over to Moore Stephens’ specialists in anticipation of the rollout of PoPI,” she says.
Payroll data is especially sensitive because it contains a wide range of personal information. She says that as a result, there is a growing trend for organisations in South Africa and Southern Africa to move their in-house payroll services to a trusted service provider.
The introduction of PoPI will come hot on the heels of the European Union’s General Data Protection Regulation (GDPR) requirements that came into effect in South Africa on 25 May 2018. Both regulations require companies to introduce significantly more stringent measures for the way they store, use, and share personal information. Once PoPI comes into effect, companies will have a year to ensure that they are fully compliant with the Act.
Aside from reducing the security risks posed by an in-house payroll operation, Veldman says that an efficient payroll system can also positively impact staff morale and improve the company’s bottom line. “There is a trend globally for companies to outsource their payrolls. By outsourcing this role, senior executives can concentrate on running and growing the business rather than being absorbed with time-consuming payroll administration and legislative issues.”
The PoPI Act aims to protect an individual’s right to privacy regarding his/her personal information and requires businesses to store this information in a way that a breach is not possible. Janine Bamber, Divisional Director for Tax, Estates, and Payroll, Moore Stephens, Durban, says that Moore Stephens provides a feasible alternative payroll solution to clients, who can be secure in the knowledge that their employee information will be protected in a secure environment that will comply with the requirements of PoPI.
“Emailing payroll spreadsheets is extremely risky as they may be forwarded or sent to the incorrect recipient, and passwords can be forgotten or leaked. In-house servers are also often not secure enough to house this type of information as the IT department needs to have full access to a server, for maintenance requirements. This makes offsite, secure storage a safer option,” explains Bamber. “By outsourcing this function, the risk of the payroll being sent to the wrong recipient or a breach of the network is no longer a concern.”
Safer, better, and more cost-effective
Bamber says that in today’s digital world, ensuring data privacy and security is critical for all businesses. “Any company that is in possession of personal information needs to ensure that there are rigorous processes in place to protect it, but the introduction of PoPI means that there is now also a substantial compliance risk attached to being in possession of personal information.”
Outsourcing payroll can also reduce costs as a result of a lower headcount and no expensive systems being required. “Unless you are a very large business, the systems and technology required to fulfil the requirements of PoPI can be very costly. The service provider will also ensure that all third-party payments, such as UIF and PAYE, are paid by the due date, avoiding cost implications and penalties for late payments.”
One of the biggest payroll risks is the payment of ghost employees. Veldman says that this type of fraud often occurs through the payroll or accounting department. If the same employee and authoriser undertake the accounting and payroll service, the risk of fraud is even higher. “If the payroll function is outsourced, the service provider will perform a search of the data, check for duplicate bank accounts, names, ID numbers, etc., and flag any potential ghost employees,” says Veldman.
Veldman warns that even if payroll is outsourced, companies must still ensure that internal procedures and controls are regularly monitored to ensure compliance with the Act. This includes updating employment contracts to include the PoPI Act clause and providing current employees with an Annexure to this effect. This may also require introducing relevant clauses in new and existing contracts explaining employee consent, and why personal information is needed.

Contact Janine Bamber or Megan Veldman for more information.