July 26, 2022
If you haven’t heard of data subject access rights (or DSARs) before, you wouldn’t be the only HR professional to find themselves out of the loop.
Data privacy regulations are a relatively new phenomenon, and they aren’t written with the layperson in mind. Even if you were familiar with what DSARs are, you might be under the impression that they were handled by your organization’s legal counsel, compliance professionals, or maybe even the IT department.
That may be true for certain DSAR requests. But if an employee makes a DSAR request, odds are the buck is going to stop at HR.
Let’s break down all the information that HR needs to know about employee DSARs to ensure you keep your organization in compliance and away from penalties and fines.
Typically, DSARs are about gaining access to the data subject’s (i.e., the requestor’s) data that you have on file. However, data subjects also have the right to object to certain types of data collection or processing, request corrections, request deletions, and more. While consumer DSARs are common to all data privacy regulations, employees are only able to request DSARs in the EU, UK, Canada, and California, thanks to the GDPR, PIPEDA, and CPRA regulations.
Since HR professionals tend to have the greatest insight into what employee data is being collected and where that data lives, the burden of completing an employee DSAR often falls in their lap. In order to respond effectively, HR professionals need to keep in mind the unique factors at play when executing an employee DSAR request.
While employees may make DSAR requests at any time, there are three events that have a high likelihood of triggering a DSAR request:
If an employee is reprimanded or fired, they’ll obviously want to know why. If they’re not satisfied with the answer they receive, they may make a DSAR request in the hopes of uncovering additional information — possibly in support of legal action.
However, it might not be immediately obvious as to how a promotion could trigger a DSAR request. Typically, it isn’t the recipient of a promotion that makes a DSAR request, but rather somebody who feels as though they’ve been passed over for that promotion. This is likely a less common triggering event compared to disciplinary action or termination, but it’s still something that HR professionals should be cognizant of.
As mentioned above, DSAR requests can be used as a method for gathering information to support a lawsuit. Sometimes, disgruntled employees and their legal counsel will go digging for something that they can use in a lawsuit, which is referred to as a “fishing expedition.”
Or, they might not even care whether their DSAR surfaces any legally actionable information; they might just want to throw a monkey wrench into the works and cause trouble.
This isn’t just guesswork, either. DSARs have been used in this way in the EU and UK. Although the CPRA’s employee DSAR component is new to the US, the GDPR has allowed for employee DSARs since its inception.
If you suspect a DSAR is being made in hopes of dredging up some legally actionable information, there isn’t much you can or should do. Your employees or former employees still have their rights, and you’ll have to provide them with the relevant information they request (though properly redacted to protect privileged information and others’ personal information).
Vexatious requests, however, are another matter. Like the GDPR, the CPRA allows businesses to refuse DSARs that are “manifestly unfounded or excessive.” For the moment, the CPRA doesn’t have much specificity around what makes a DSAR unfounded or excessive, and businesses bear the burden of proving that the request is unfounded or excessive.
However, since the GDPR has been around a lot longer and has been dealing with these sorts of requests, we can look at what the UK’s Information Commissioner's Office (ICO) has to say to get a sense of what might be considered illegitimate DSARs under the CPRA.
The ICO states that a request may be manifestly unfounded if:
Regarding manifestly excessive requests, the ICO states that businesses need to assess whether the request is proportionate compared to the effort involved. Businesses can do this by taking into account:
These aren’t exhaustive lists, but they should serve as an example of the kind of criteria that might be reasonable when refusing a DSAR request.
What’s essential to remember is that you can’t refuse a DSAR request simply because you don’t have a process in place to handle them. A lack of a process may very well make it difficult and vexatious to handle a DSAR, but that will be on you and your organization — your employee will still be within their rights to make their request.
If an employee makes a DSAR request, you have to provide them with the information within the scope of their request. What to include within that scope can be a fine line to tread, especially given the sensitive nature of the information that HR handles.
For example, if other employees’ data is included in a document that you share with an employee making a DSAR request, you’ll need to redact or anonymize that information.
You’ll also want to keep an eye out for any privileged information. If you consulted with an attorney over an employee for whatever reason and then that same employee makes a DSAR request, you don’t have to hand over your conversations with your attorney — those are protected under attorney-client privilege. In fact, if you were to share that information, it would void your attorney-client privilege.
Handling DSARs on a one-off basis is a recipe for disaster. Not only does it make it more likely that you’ll deviate from best practices, make errors, or include information that you shouldn’t, it also increases your legal risk.
If you have a documented process in place, you’ll be better able to prove that you made a good-faith effort to handle DSAR requests in case an employee isn’t satisfied with the information you provided. You’ll be able to prove that any DSAR refusals you make aren’t due to a lack of a process. And you’ll be able to demonstrate that certain information falls outside of a reasonable DSAR scope. All in all, you’ll be better positioned to defend your organization’s process and results in the event of legal action.
Keeping the above factors in mind, HR professionals can lay the foundation for a proactive employee DSAR process. Here are three key steps HR professionals should take when getting their organization DSAR-ready.
You won’t be able to quickly respond to an employee’s DSAR request if you don’t know the different data stores in use at your organization. A data mapping exercise will enable you to track down the different systems in your organization and identify what data they contain.
This will include elements of the HR software stack, like payroll systems, people enablement platforms, and recruiting software, but it may also include other internal and external systems as well. You’ll want to consult with other departments (especially the Operations department) to see if they own any systems that hold an appreciable amount of employee data. Additionally, make sure you take into account any data transfers you make to third parties.
Knowing where employee data lives is important, but it’s also important to know what kind of data you’re working with. Employee DSAR requests might ask for everything, but they might also ask for specific categories of information. An employee might say, “I want to see all the data you have on my performance” — performance-related data could span several systems, such as your people enablement platform, email, or payroll system. Thus, it’s important to note down the categories of data you collect in your different systems.
You wouldn’t be alone. Even privacy professionals struggle to establish efficient consumer DSAR processes, let alone employee DSARs.
Our DSAR 101 webinar can serve as an excellent next step for HR professionals looking to gain a better grasp of the DSAR process. As the GDPR matures and as new privacy regulations like the CPRA come into effect, more and more businesses will be confronted with DSAR requests for the first time. Without a plan or process in place, those requests can represent a major compliance risk. To learn how to manage DSAR requests in a sustainable, scalable way, access the webinar here.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.