
For the most part, businesses gather employee data without too much thought. Sure, some data is obviously private, like employee social security numbers, but other than that, businesses can pretty much do what they want with employee data—right? 

Not according to laws like the GDPR and CPRA. Under these and other data privacy laws, businesses have to treat employee data with the same level of regard as consumer data. Essentially, personal information is personal information, no matter whether it belongs to a prospect, employee, customer, or client. 

Of course, contractual obligations still exist. There’s certain data you must collect from your employees as a function of their employment. But that just means you have an obligation to that data and your employees. You need to: 

  • Implement security to protect the data. 
  • Inform employees about what data you collect and what you’re doing with it. 
  • Respond to employee data subject access requests (DSARs). 
  • And more.  

If you’re feeling confused, you’re not alone. Here is everything you need to know to be compliant with employee data protection. 

What is employee data protection? 

Employee data protection refers to taking security measures to safeguard employees’ personal data and ensuring the data can’t be accessed by a third party without the employee’s consent. 

A common misconception is that your obligation to protect employee data stops when an employee leaves the company. That would be true if you were to delete all their data at that point. However, legal obligations in most countries forbid you from doing that for a few years.  

Exactly what records you need to keep varies from country to country and from regulation to regulation. In the U.S., for instance, the Age Discrimination in Employment Act requires businesses to retain payroll records for three years. Any personal information contained within those records must be protected for as long as it remains in your hands if you're to comply with data privacy laws.

How to protect employee data 

Nobody wants to be out of compliance, but it’s often difficult to know where to start. Some measures you can adopt include:  

  • Securing data against cyberattacks through encryption, pseudonymization, multi-factor authentication, and other methods.
  • Ensuring minimal access: only the people who need to access employee data should be able to access it.
  • Creating an employee privacy policy that covers what data you collect, how you process it, why you're processing it, and what rights your employees have in regard to that data.
  • Informing employees about their rights and being prepared to act on them, such as the right to know what data is being collected from them; to correct inaccurate data; to know with whom that data is shared or sold; to opt into or out of data collection, sharing, or sales; and so on. Each individual law will have its own list of rights.
  • Keeping records of consent and records of processing activities (RoPAs).
  • Ensuring general awareness within the company regarding best practices for data protection. Explaining data privacy to your coworkers can be tough, but it's absolutely essential for achieving your compliance goals.

GDPR employee data protection 

The GDPR took data protection to a whole new level. And it doesn’t differentiate between external data subjects (e.g., customers, website visitors, app users) and internal ones (employees). To be compliant, you’ll need to consider several aspects.  

  • Consent. Since employees have less power than their employers, consent isn’t a reliable legal basis for data processing. Instead, you’ll need to rely on one of the other legal bases identified in the GDPR for processing data, such as the performance of the employment contract. 
  • Purpose of the processing. The employee shared the necessary data to enter a contract with you. That doesn’t mean you’re free to process it in any way you choose. You must limit yourself to the purposes agreed upon when you collected that data. 
  • Transfers to third countries. If your company operates in more than one country, you might need to transfer the employee’s data. When those countries are also in the EU, you’re in the clear. Transferring data outside of the EU is more challenging, and you’ll need to make sure your employees’ rights are respected. If you’re transferring data outside of the EU but within the same organization (i.e., your company is an international organization with offices both within and outside of the EU), then you can rely on binding corporate rules to govern the data transfer. 
  • Security measures. You can’t have true data protection if you don’t implement any security measures. You can encrypt data, use multifactor authentication, restrict access, and employ any other measures you want. The GDPR doesn’t require a certain method to be used, but in case of a breach, you’ll be held responsible if the methods you used were not adequate. 
  • Employees’ rights. Under the GDPR, your employees have the same rights as external data subjects. These include the right to be informed, to access their data, to object, to be forgotten, and more. 
  • Data minimization. This one is simple—don’t collect or store more data than you need. If you can’t state a clear reason why certain information is useful to you, you don’t need to collect it. All it’ll do for you is create more risk. 
  • Storage limitations. When you no longer need the data, delete it. With employee data, that won’t mean deleting it as soon as they leave the company. Depending on local laws, you might need to keep certain records for a few years. But everything else can and should go. 

You may also consider hiring a data protection officer (DPO). Many companies subject to the GDPR will be required to hire a DPO—specifically, all companies with more than 250 employees must hire a DPO, and any company that processes data on a large scale must hire a DPO. 

 A DPO’s job is to ensure that all personal data processing at your company is done in a compliant fashion. Since that includes employee data, it may be worthwhile to hire one even if you aren’t strictly required to do so. 

CPRA employee data protection 

The CPRA went into effect on January 1st, 2023. Unlike its predecessor, the CCPA, the CPRA has no exemptions for employee data. You must protect it just as you protect consumers’ data. How to do that? 

Start with a privacy notice. With it, you’ll inform your employees: 

  • What type of data you collect. 
  • How you process it. 
  • The purposes of the processing. 
  • The retention period. 
  • If you share data with third parties. 
  • If you’ll use the data for profiling or targeted advertising. 
  • If you’re receiving financial incentives for data processing. 

Can you use the same privacy notice for consumers and employees? Unfortunately, you’ll likely need two separate policies. In most cases, you’ll be collecting more sensitive data from employees than from your customers. Examples include government ID and social security numbers. Your customers don’t need to read about the data you collect from your employees, and vice versa, so keep the two policies separate. 

Your employees also have the same rights regarding their data as consumers. That means they have the right to access it, correct it, and have it deleted. We go into more detail on employee DSARs below.  

Finally, don’t forget about security. If a malicious third party accesses the data in an attack that could’ve been prevented by some simple security measures, you might face some hefty fines. 

Employee DSARs 

Whether you're complying with the GDPR, the CCPA, or both, employees can file DSARs. When you receive one, you'll have 30 days (or 45 days under the GDPR) to respond to the request. Different laws afford data subjects different rights, but as we mentioned above, DSARs are commonly made for access, correction, and deletion.

If you're not prepared, complying with DSARs can be difficult and complicated. Download our guide to ensure you're on the right path.

How to respond to employee DSARs 

The HR department, DPO, legal counsel, or other privacy professionals are usually the best qualified to manage employee DSARs. They’ll either be the ones collecting and processing employee data directly or they’ll have the skills and knowledge to find out where employee data lives. 

While employees don’t need a specific reason to submit a DSAR, it’s common for employees to submit DSARs in response to some negative career event, such as a termination of contract or when disciplinary action is taken against them. The DSAR might be a way to understand why they were fired, for instance. Sometimes, disgruntled employees submit DSARs in the hopes they’ll find something they can use to take legal action against the company. 

Do you have to give your employee all the data you have on them? That depends on how they formulate the request. They might want to see everything, or only something very specific that will help them understand why the company made a certain decision. Whatever the case, you will need to provide the information that falls within the scope of their request.

Excessive and unfounded requests can be rejected, such as when someone keeps sending daily DSARs even though you already responded. But in most cases, you’ll need to respond. 

Before you respond, don’t forget to verify the person’s identity and clarify the nature of the request. Otherwise, you could be handing personal information over to a malicious actor.  

Lastly, you’ll need to provide the data in a format that can be easily accessed and copied, also known as a portable data format. 

DSAR solutions 

Small companies may feel they can handle DSARs manually, but relying on email and spreadsheets to manage DSARs can put you at risk of missing required deadlines, increases the risk of making an error like exposing others’ personal information, and takes time away from more strategic initiatives. 

DSAR automation will save you a lot of time and money in the long run. There are a few factors you’ll need to consider when choosing your software. 

  • Does it provide a means of accepting requests and identity verification from data subjects? 
  • Does it allow you to create workflows with ease so that you can assign the DSAR to the right person or department? 
  • Does it provide visibility into new, in-process, blocked, and completed requests? 
  • Can it integrate into your stores of personal data? 
  • Can it automate common requests like summaries and deletions? 

Fulfilling DSARs is a challenge, let alone doing so in an efficient, compliant manner. When you have to contend with requests from both consumers and employees, it can be easy to get overwhelmed if you’re not prepared. Diving into the end-to-end DSAR process is outside of the scope of this blog, however. If DSARs are something you’re concerned about—whether from employees or consumers—check out our DSARs and Beyond ebook.  
