Nike, H&M and Uber Lost Millions to Payroll Compliance Failures. Don't Be Next.

Compliance rarely feels urgent. Not when there are deals to close, teams to build and quarterly targets to hit. Until one day a regulator comes knocking – then, suddenly, it’s the only thing that matters.

And when things do blow up, they tend to blow up loudly for all to see.

Nike is staring down £400 million in backdated taxes after allegedly misclassifying contractors. H&M was fined over £30 million for storing sensitive employee data without proper governance. And Uber fought its classification of drivers all the way to the UK Supreme Court… and lost.

These are huge organisations with armies of lawyers, not scrappy startups caught off guard. It raises an uncomfortable question: if they didn't see it coming, are you sure your business can? 

Compliance issues tend to hide in the cracks between HR, payroll and legal teams, especially when the systems behind these teams don't talk to each other. That lack of visibility feeds straight into the dangerous assumption that someone else must be handling it.

Most of these failures are preventable. What matters is whether you're looking in the right places.

Payroll is compliance in action (not just people getting paid)

When most people think about payroll, they ask two questions: did everyone get paid, and did the money land on time? Reasonable questions, but they don’t go far enough. 

Payroll is where core HR decisions become a financial reality. Worker status, contract types, tax classifications, benefit entitlements. It all converges at the point a pay run goes out. That means every pay cycle is effectively one big compliance event.

Think of it like the plumbing in your house. When it's working, nobody thinks about it. But one loose pipe, one wrong classification or one missed tax rate and that leak starts spreading quietly behind the walls. By the time you know you've got a problem, the damage is already done and the repair costs are enormous. 

Compliance leaks work the same way. Everything might look fine on the surface, but if something isn't aligned underneath, it's only a matter of time.

Uber’s worker status case makes this uncomfortably clear. Uber's drivers were paid. Payments went out on time, every time. There was no obvious payroll failure. The problem was how they were being paid – as self-employed contractors, when the UK Supreme Court ultimately decided they should have been classified as workers, entitled to minimum wage, holiday pay and rest breaks.

Their payroll was mathematically perfect. But it was still legally wrong. And the same risk sits inside any organisation working with contractors, freelancers or international hires. You might have dozens of mismatched classifications across multiple countries right now, each one a potential violation, and nobody in your business would know. Not HR. Not legal. Not payroll. Because when those teams and their systems operate in silos, nobody has the full picture.

That’s much easier to handle when payroll and HR data lives inside one connected system. A change in worker status should automatically trigger the right tax treatment, the right benefits and the right deductions. Compliance stops being something you check after the fact. It becomes something that happens by default.

Your people data is a much bigger liability than you think

Here's the part that catches most HR teams off guard: your biggest compliance exposure often has nothing to do with finance. It lives hidden among your people data.

Many HR teams run on a patchwork of disconnected systems. Recruitment, payroll, performance, benefits, time and attendance, learning, to name a few. Each one holds its own version of employee data. Each one is a potential exposure point.

H&M found this out the hard way. The fashion retailer was fined £31 million (the second-largest GDPR penalty against a single company at the time) not for a data breach in the traditional sense, but for storing sensitive personal information about employees in their HR system. Notes from informal ‘welcome back’ conversations after sick leave. Details about health conditions. References to religion. All logged. All retained. None of it is appropriate under GDPR rules.

There was no malicious intent, just poor governance and a system that made it too easy to record things that should never have been written down in the first place. And the reach of GDPR makes this everyone's problem. Whether you're H&M the global retailer or a 20-person scale-up in Dublin or Johannesburg, the rules apply equally. As do the fines.

That’s because regulators grade on impact, not intent.

The uncomfortable truth is that GDPR gives your employees the right to request access to their personal data, or ask for it to be deleted. Can you actually trace every copy across every system? If the answer involves a moment of hesitation, that hesitation is worth paying attention to.

Consolidating people data into a single platform reduces the surface area for breaches and creates a full audit trail, so when a regulator comes knocking you have the answers ready. Every action is traceable, every access point is recorded.

Finance teams have faced this level of auditing pressure and capability for decades. Now it's HR's turn. The most secure departments will be the ones who treated data governance as infrastructure, rather than an admin box to tick.

The fine is just the beginning

There's a tendency to think about compliance penalties in purely financial terms. A number on a notice, a cheque to write, a bad quarter to explain. But the fine is rarely the most expensive part.

The reputational damage, the leadership time diverted to damage control, the employee trust quietly eroding, the growth conversations that got shelved – that's where the real cost accumulates.

When a penalty lands, it’s not just a matter of paying it off and moving on. You're left explaining to your board why the cracks weren't addressed sooner. You're reassuring your team that their data was handled responsibly. And depending on the scale, you might be doing some of that explaining to the press.

SurrealDB, a London-based tech company operating across eight countries, came close to learning this firsthand. Not through a fine, but through something worse. Their previous payroll provider, Deel, missed a critical local requirement: in the Netherlands, terminating an employee requires a government-issued licence. An oversight like that can end your ability to operate in that market entirely.

By spotting the issue early and consolidating their HR and payroll data into Rippling, SurrealDB avoided the fallout and found something unexpected on the other side. New market entry went from taking months to taking weeks, because the regulatory requirements were already built into the system. 

It turned out compliance was the infrastructure their growth had been waiting for.

So, where are your blind spots?

If organisations like Uber and H&M, with all their resources, couldn't see these risks coming, how confident are you that you’ve covered all your blind spots? 

Sit with that for a minute. Where are the cracks in your systems? Where is HR assuming payroll has it covered, while payroll assumes legal signed off? Because although the repercussions of poor compliance are loud, the actual failures happen quietly in the gaps nobody thought to look at, until a regulator does.

The true cost doesn’t show up on the penalty notice. It’s the leadership time spent cleaning up and the trust lost with your people. Not to mention the growth you never got to chase because you were too busy firefighting.

Once you start treating your payroll and people data as fully connected, traceable and auditable assets, something shifts. Compliance stops being the thing you worry about. It becomes the thing your competitors haven't figured out yet.

Disclaimer

Rippling and its affiliates do not provide tax, accounting or legal advice. This material has been prepared for informational purposes only, and is not intended to provide or be relied on for tax, accounting or legal advice. You should consult your own tax, accounting and legal advisors before engaging in any related activities or transactions.

Author

Sinead Reilly

Sr GTM Manager, EMEA
