March 30, 2023
For the most part, businesses gather employee data without too much thought. Sure, some data is obviously private, like employee social security numbers, but other than that, businesses can pretty much do what they want with employee data—right?
Not according to laws like the GDPR and CPRA. Under these and other data privacy laws, businesses have to treat employee data with the same level of regard as consumer data. Essentially, personal information is personal information, no matter whether it belongs to a prospect, employee, customer, or client.
Of course, contractual obligations still exist. There’s certain data you must collect from your employees as a function of their employment. But collecting it means you take on obligations toward that data and toward your employees. You need to:
If you’re feeling confused, you’re not alone. Here is everything you need to know to be compliant with employee data protection.
Employee data protection refers to taking security measures to safeguard employees’ personal data and ensuring the data can’t be accessed by a third party without the employee’s consent.
A common misconception is that your obligation to protect employee data stops when an employee leaves the company. That would be true if you were to delete all their data at that point. However, in most countries, legal retention requirements forbid you from doing that for a few years.
Exactly what records you need to keep varies from country to country and from regulation to regulation. In the U.S., for instance, the Age Discrimination in Employment Act requires businesses to retain payroll records for three years. Any personal information contained within those records must then be protected if you’re to comply with data privacy laws. While that data is still in your hands, you must protect it.
Nobody wants to be out of compliance, but it’s often difficult to know where to start. Some measures you can adopt include:
The GDPR took data protection to a whole new level. And it doesn’t differentiate between external data subjects (e.g., customers, website visitors, app users) and internal ones (employees). To be compliant, you’ll need to consider several aspects.
You may also consider hiring a data protection officer (DPO). Many companies subject to the GDPR will be required to hire a DPO—specifically, all companies with more than 250 employees must hire a DPO, and any company that processes data on a large scale must hire a DPO.
A DPO’s job is to ensure that all personal data processing at your company is done in a compliant fashion. Since that includes employee data, it may be worthwhile to hire one even if you aren’t strictly required to do so.
The CPRA went into effect on January 1st, 2023. Unlike its predecessor, the CCPA, the CPRA has no exemptions for employee data. You must protect it just as you protect consumers’ data. How to do that?
Start with a privacy notice. With it, you’ll inform your employees:
Can you use the same privacy notice for consumers and employees? Unfortunately, you’ll likely need two separate policies. In most cases, you’ll be collecting more sensitive data from employees than from your customers. Examples include government ID and social security numbers. Your customers don’t need to read about the data you collect from your employees, and vice versa, so keep the two policies separate.
Your employees also have the same rights regarding their data as consumers. That means they have the right to access it, correct it, and have it deleted. We go into more detail on employee DSARs below.
Finally, don’t forget about security. If a malicious third party accesses the data in an attack that could’ve been prevented by some simple security measures, you might face some hefty fines.
Whether you’re complying with the GDPR, the CCPA, or both, employees can file DSARs. When you receive one, you’ll have 30 days (or 45 days under the GDPR) to respond to the request. Different laws afford data subjects different rights, but as we mentioned above, DSARs can commonly be made for access, update, and deletion.
The HR department, DPO, legal counsel, or other privacy professionals are usually the best qualified to manage employee DSARs. They’ll either be the ones collecting and processing employee data directly or they’ll have the skills and knowledge to find out where employee data lives.
While employees don’t need a specific reason to submit a DSAR, it’s common for employees to submit DSARs in response to some negative career event, such as a termination of contract or when disciplinary action is taken against them. The DSAR might be a way to understand why they were fired, for instance. Sometimes, disgruntled employees submit DSARs in the hopes they’ll find something they can use to take legal action against the company.
Do you have to give your employee all the data you have on them? That depends on how they formulate the request. They might want to see everything, or something very specific that will help them understand why the company made a certain decision. Whatever the case, you will need to provide the information that falls within the scope of their request.
Excessive and unfounded requests can be rejected, such as when someone keeps sending daily DSARs even though you already responded. But in most cases, you’ll need to respond.
Before you respond, don’t forget to verify the person’s identity and clarify the nature of the request. Otherwise, you could be handing personal information over to a malicious actor.
Lastly, you’ll need to provide the data in a format that can be easily accessed and copied, also known as a portable data format.
Small companies may feel they can handle DSARs manually, but relying on email and spreadsheets to manage DSARs can put you at risk of missing required deadlines, increase the risk of errors such as exposing other people’s personal information, and take time away from more strategic initiatives.
DSAR automation will save you a lot of time and money in the long run. There are a few factors you’ll need to consider when choosing your software.
Fulfilling DSARs is a challenge, let alone doing so in an efficient, compliant manner. When you have to contend with requests from both consumers and employees, it can be easy to get overwhelmed if you’re not prepared. Diving into the end-to-end DSAR process is outside of the scope of this blog, however. If DSARs are something you’re concerned about—whether from employees or consumers—check out our DSARs and Beyond ebook.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”