March 16, 2023
To date, 71% of the world’s countries feature some form of privacy legislation. More and more businesses are subject to data privacy regulations, and more and more businesses are working hard to ensure they’re respecting their customers’ data privacy rights. But these organizations may not realize they have a responsibility to respect the rights of another group: their employees.
Data Protection and Data Privacy Legislation Worldwide (Source: United Nations Conference on Trade and Development)
It can seem like employees ought to be exempt from data privacy regulations—after all, they’ve entered into a contract with your business. But the General Data Protection Regulation (GDPR), California Privacy Rights Act (CPRA), and other privacy laws have made it clear that employees also have privacy rights. If anything, it’s even more important to respect employees’ privacy because of the sensitive nature of the data businesses collect from them. All human resources data collected by an employer, regardless of its purpose, is now subject to the same requirements of the law as consumer data.
The law gives consumers—and employees—control of their personal information and provides an avenue for them to exercise that control via a data subject access request (DSAR). Employees and consumers can request to access data, update it, delete it, restrict its use, and more.
The California Consumer Privacy Act (CCPA) created consumer rights surrounding data privacy similar to those established by the EU’s GDPR. But while the CCPA broadly matched the GDPR’s requirements, it departed from the GDPR by excluding data collected and used for employment-related actions for job applicants, along with current and past employees of a company.
On January 1, 2023, the CPRA's amendments to the CCPA took effect. Because the employer exemptions were not extended, human resources data collected by an employer is now subject to the same requirements of the law as consumer data.
The CPRA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. Additionally, the CPRA includes a second category, sensitive personal information, which carries tighter requirements and harsher penalties for violations.
The CPRA also includes professional or employment-related information within the definition of personal information. What’s more, much of the personal information you collect in relation to an employee will be sensitive in nature, such as their social security number or other identification numbers, financial information, and more.
The CPRA only applies to businesses that operate within California and meet certain threshold requirements. To date, it's the only U.S. privacy law that allows for employee DSARs, but given the influence of California and the size of its market, it's best for businesses to strive for compliance with employee data requirements regardless. That's doubly true if you ever want to serve the Canadian or European markets, since PIPEDA and the GDPR also allow for employee DSARs.
Responding to employee DSARs can quickly become a challenging, burdensome, and costly task. In part, this is because employee data is often spread across multiple data stores. An individual employee can also create a massive amount of data over the course of their tenure. And, as we’ve alluded to, this data is often highly sensitive in nature.
One survey of companies with more than 250 employees found that it takes an average of 83 hours to complete a DSAR and half weren’t finished within the mandatory time limit. That’s for consumer DSARs, too, which aren’t as complex as employee DSARs.
Once your policy is in place, the real challenge lies in operationalizing it. DSAR solutions, such as Osano Subject Rights Management, can keep your company compliant. Osano’s software manages the DSAR workflow, automatically searches data stores for employee data, and automates tedious DSAR actions like data summaries and deletion.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.