Employee data in CPRA vs GDPR

If you’re a chief information officer, chief technical officer, human resources professional, or another executive, you’ve undoubtedly heard of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA), both of which have caused ripples (and sometimes waves) in the world of privacy, both in their respective places of origin and outside.

Both landmark privacy laws extend far beyond their borders. The rules governing DSARs are constantly being updated, so it’s critical that organizations understand the rights of consumers – and now employees – regarding privacy and data subject access requests.

What is a DSAR, and why does it matter?

At their core, data subject access requests (DSARs) are exactly what the name says: a request from an individual for the personal data an organization holds about them. The premise is that consumers have a right to know and understand what information a company has about them, as well as how it is used. Companies must provide that information when a customer (or user) submits a request.

With the GDPR, employees are also covered by DSARs, not just consumers. A similar right to privacy will be granted to employees as the California Consumer Privacy Act (CCPA) gives way to the California Privacy Rights Act (CPRA). There will be an expiration date in January 2023 for the exemptions for employees and business-to-business data. It is anticipated that two bills will be proposed for the extension of these exemptions during the California 2022 legislative session, which ends at the end of August. It is unclear what employers’ responsibilities will be when their employees submit a DSAR.

How the EU handles employee DSARs

The GDPR is one of the world’s most stringent privacy laws, and the EU was among the first to give consumers enforceable privacy rights. California’s CCPA/CPRA and most other privacy laws follow the GDPR model of consumer rights, which includes employees’ rights regarding the personal information their employer holds about them.

The EU allows employees to request all the personal data that their current or former employer holds about them. Employers are not permitted to ask for the reason behind the request; they may only ask the employee to clarify the scope of the request if, for example, the volume of data held is so large that it needs to be narrowed down.

As part of this requirement, employers must provide accurate information in a “concise, transparent, intelligible, and easily accessible form using clear and plain language.” Failure to comply can result in hefty fines of up to €20 million (about 20.4 million USD) or 4% of global turnover, whichever is higher.

Get ready for the expiration of CPRA employee data exemptions

Employers typically hold a great deal of employee data, which could complicate DSAR compliance. Several bills aim to keep employee data exempt from California DSARs, but it would be imprudent not to begin planning for such a change now. As a reminder, the CPRA applies to any for-profit organization that:

Has a gross revenue of at least $25 million, and

Collects the personal information of at least 100,000 California Residents, or

Derives at least 50% of its revenue from the sale or sharing of the personal information of California residents.

Keep an eye on legislation and developments.

Employers should stay apprised of laws both foreign and domestic to see how others are working through employee data subject access requests.

Understand how your data flows.

Understand what employee data is collected, how it flows within the organization, where it is stored, and whether it is processed by third parties.

Update your notices and privacy disclosures.

Under the CPRA’s employee data provisions, companies will need to notify applicants and employees of their data subject rights, retention periods, and related rights. It is also critical that privacy disclosures reflect the new right for employees to have businesses correct their personal information, outline how sensitive personal information is processed, review retention criteria, and note whether or not personal information is sold or shared.

Check third-party agreements.

Provider agreements with third parties that access employee data must meet the CPRA’s obligations. The CPRA also requires that cybersecurity and data policies be reviewed as they relate to employee data.

Create an action plan.

Whether it’s January 1, 2023, or another date in the future, organizational leaders will need to deal with employee DSARs eventually. It is important to develop a strategy for ensuring policies are current and ready for implementation when compliance is needed.

Understand your data, but let us streamline the process

Privacy law compliance will require companies to understand, track, and create access to collected data so it can be collated for requests.

Osano Data Discovery utilizes artificial intelligence and machine learning to categorize and discover data even for the most complex companies. You’ll save time, money, and frustration. Take a look at what data discovery can do for you.
