How to password-protect a payslip (UK guide 2026)

Why password-protect a payslip?

Because a payslip is personal data, and UK GDPR expects you to protect it. A payslip carries an employee's name, salary, National Insurance number and sometimes their home address — exactly the kind of data Article 32 of the UK GDPR says you must keep secure with measures 'appropriate to the risk'.

The law doesn't name a specific control, but the Information Commissioner's Office (ICO) treats a password-protected PDF as a reasonable baseline for emailing personal data to an individual. The practical reason is simple: email gets forwarded and mistyped. If a protected payslip lands in the wrong inbox, the contents stay locked. An unprotected one is readable by whoever receives it — and a misdirected payslip is a personal-data breach you may have to report to the ICO within 72 hours.

For most UK small businesses, a per-employee password-protected PDF is the least-effort way to clear that bar. The alternative controls — an authenticated employee portal or a fully encrypted managed-email channel — achieve the same outcome with more setup.

What password should you use?

The UK convention is the employee's date of birth in DDMMYYYY format: two digits for the day, two for the month, four for the year, no slashes or spaces. 15 March 1990 becomes 15031990; 5 January 1988 becomes 05011988 (keep the leading zeros).

It works well for three reasons: every employee already knows their own date of birth, you don't have to distribute or store a separate password list, and the password is unique to each person — so a single forwarded email never exposes more than one payslip.

What to avoid:

• One shared password for everyone. The ICO treats this as weak — one leak compromises every payslip you've ever sent.
• The employee's name, staff ID, or National Insurance number. These are too easy to find or guess.
• A password sent in the same email as the file. That defeats the point. Tell employees the convention once ('your payslips open with your date of birth, DDMMYYYY') rather than printing the password next to the attachment.

How to password-protect a payslip PDF — step by step

This is the manual method, which is fine for a handful of payslips. You'll need the payslip as a PDF from your payroll software (BrightPay, Sage, Xero, QuickBooks, Moneysoft, IRIS) or from your accountant. The last step covers doing a whole payroll at once.

1. Step 1: Decide the password rule before you start

   Pick one rule and use it for everyone. The UK norm is each employee's date of birth in DDMMYYYY format (so 15 March 1990 is 15031990). Writing the rule down once means you can tell every employee the same thing — 'your payslip opens with your date of birth' — instead of managing a separate password per person.

2. Step 2: Open the PDF in a tool that can encrypt it

   On Windows with Adobe Acrobat: open the PDF, then Tools, Protect, Encrypt, Encrypt with Password. On a Mac: open the PDF in Preview, then File, Export, tick 'Encrypt', and set the password. If your payslip is still a Word document, open it in Microsoft Word, go to File, Info, Protect Document, Encrypt with Password, then save or export it as a PDF. Free PDF tools can also do this, but stick to ones that run on your own machine — never upload an employee's payslip to an unknown web converter.

3. Step 3: Set the password to that employee's value

   Type the password from your rule — the employee's date of birth in DDMMYYYY — and confirm it. Double-check the digits, especially leading zeros: 5 January is 0501, not 501.

4. Step 4: Save a protected copy and test it

   Save the encrypted file as a new copy so you keep an unprotected original on your own machine. Then open the protected copy and confirm it asks for the password before it shows the payslip. If it opens without prompting, the encryption didn't apply — redo the previous step (a common cause is using 'Restrict Editing' instead of 'Encrypt with Password').

5. Step 5: Email it with a note on how to open it

   Send the protected PDF to the employee's personal email address on or before payday — Section 8 of the Employment Rights Act 1996 requires the statement to arrive when pay does. In the email body, tell them how to open it ('your payslip is password-protected with your date of birth, in DDMMYYYY format') without printing the actual password next to the file.

   See the full emailing guide →

6. Step 6: Repeat for everyone — or automate it

   For a few employees the manual route is fine. For a whole payroll it's slow and easy to slip up — protecting the wrong file, mistyping a date, or forgetting someone. A sending tool applies each employee's date-of-birth password to every PDF automatically and flags anyone missing a date of birth before the send goes out.

   How Ghugi does it →

How do employees open a password-protected payslip?

They type the password when the PDF prompts them. With the standard UK convention, that's their date of birth in DDMMYYYY format — 15 March 1990 is 15031990. On a phone or computer the PDF shows a padlock or a password box; the employee enters the digits and the payslip opens.

If it won't open, the usual causes are:

• Wrong format. It's DDMMYYYY with no slashes — 03071992, not 3/7/1992 or 1992-07-03.
• Missing leading zeros. 5 January 1988 is 05011988, not 511988.
• The employer used a different rule. If date of birth doesn't work, the employee should ask whoever sends their payslips — the employer sets the password rule.

It's worth telling new starters the convention when they join, so they're not locked out of their first payslip.

Password-protecting a whole payroll at once

The manual method above is per-file: open, encrypt, set password, save, repeat. That's fine for five payslips and painful for fifty. At any real headcount, two things go wrong — you mistype a date of birth, or you protect Alice's payslip with Bob's password and lock the wrong person out.

An automated payslip sender removes the per-file work. Ghugi does this in one step: switch on password protection in Settings, Email, and every payslip you send is locked with that employee's date of birth in DDMMYYYY format automatically. Employees who don't have a date of birth on file are flagged before you send, so nobody silently goes out unprotected — you decide whether to add the date or let that one through in the clear. The unprotected original stays in your account so re-sends and previews still work.

It works with the PDFs your payroll software or accountant already produces — you don't change how payroll is run, only how the payslips are delivered. See the best way to send payslips by headcount for where automation starts to pay off.

Common mistakes

• One shared password for all staff. Convenient, but the ICO treats it as insufficient — one leak exposes everyone. Use a per-employee password.
• Using the NI number, name, or staff ID as the password. Too discoverable. Date of birth is the accepted UK convention.
• Putting the password in the same email as the file. Anyone who sees the email sees the password. State the convention instead.
• 'Restrict Editing' instead of 'Encrypt with Password'. Editing restrictions don't encrypt the contents — the payslip still opens and is readable. Only encryption protects the data.
• Forgetting employees with no date of birth on record. Done by hand, they slip through unprotected with no warning. A tool that flags missing dates before sending closes that gap.
• Deleting your unprotected original. Keep the source PDF — you'll need it for re-sends, and an encrypted-only copy is one forgotten password away from being unrecoverable.

Frequently asked questions