Updated: March 21, 2023
Published: July 26, 2022
If you haven’t heard of data subject access rights (or DSARs) before, you wouldn’t be the only HR professional to find themselves out of the loop.
Data privacy regulations are a relatively new phenomenon, and they aren’t written with laymen in mind. Even if you are familiar with what DSARs are, you might be under the impression that they are handled by your organization’s legal counsel, compliance professionals, or maybe even the IT department.
That may be true for certain DSAR requests. But if an employee makes a DSAR request, odds are the buck is going to stop at HR.
Let’s break down all the information that HR needs to know about employee DSARs to ensure you keep your organization in compliance and away from penalties and fines.
Typically, DSARs are about gaining access to the data subject’s (i.e., the requestor’s) data that you have on file. However, data subjects also have the right to object to certain types of data collection or processing, request corrections, request deletions, and more. While consumer DSARs are common to all data privacy regulations, employees are only able to request DSARs in the EU, UK, Canada, and California, thanks to the GDPR, PIPEDA, and CPRA regulations.
Since HR professionals tend to have the greatest insight into what employee data is being collected and where that data lives, the burden of completing an employee DSAR often falls in their lap. In order to respond effectively, HR professionals need to keep in mind the unique factors at play when executing an employee DSAR request.
While employees may make DSAR requests at any time, there are three events that have a high likelihood of triggering a DSAR request:
If an employee is reprimanded or fired, they’ll obviously want to know why. If they’re not satisfied with the answer they receive, they may make a DSAR request in the hopes of uncovering additional information — possibly in support of legal action.
However, it might not be immediately obvious how a promotion could trigger a DSAR request. Typically, it isn’t the recipient of a promotion who makes a DSAR request, but rather somebody who feels as though they’ve been passed over for that promotion. This is likely a less common triggering event compared to disciplinary action or termination, but it’s still something that HR professionals should be cognizant of.
As mentioned above, DSAR requests can be used as a method for gathering information to support a lawsuit. Sometimes, disgruntled employees and their legal counsel will go digging for something that they can use in a lawsuit, which is referred to as a “fishing expedition.”
Or, they might not even care whether their DSAR surfaces any legally actionable information; they might just want to throw a monkey wrench into the works and cause trouble.
This isn’t just guesswork, either. DSARs have been used in this way in the EU and UK. Although the CPRA’s employee DSAR component is new to the US, the GDPR has allowed for employee DSARs since its inception.
If you suspect a DSAR is being made in hopes of dredging up some legally actionable information, there isn’t much you can or should do. Your employees or former employees still have their rights, and you’ll have to provide them with the relevant information they request (though properly redacted to protect privileged information and others’ personal information).
Vexatious requests, however, are another matter. Like the GDPR, the CPRA allows businesses to refuse DSARs that are “manifestly unfounded or excessive.” For the moment, the CPRA doesn’t have much specificity around what makes a DSAR unfounded or excessive, and businesses bear the burden of proving that the request is unfounded or excessive.
However, since the GDPR has been around a lot longer and has been dealing with these sorts of requests, we can look at what the UK’s Information Commissioner's Office (ICO) has to say to get a sense of what might be considered illegitimate DSARs under the CPRA.
The ICO states that a request may be manifestly unfounded if:
Regarding manifestly excessive requests, the ICO states that businesses need to assess whether the request is proportionate compared to the effort involved. Businesses can do this by taking into account:
These aren’t exhaustive lists, but they should serve as an example of the kind of criteria that might be reasonable when refusing a DSAR request.
What’s essential to remember is that you can’t refuse a DSAR request simply because you don’t have a process in place to handle them. A lack of a process may very well make it difficult and vexatious to handle a DSAR, but that will be on you and your organization — your employee will still be within their rights to make their request.
If an employee makes a DSAR request, you have to provide them with the information within the scope of their request. What to include within that scope can be a fine line to tread, especially given the sensitive nature of the information that HR handles.
For example, if other employees’ data is included in a document that you share with an employee making a DSAR request, you’ll need to redact or anonymize that information.
You’ll also want to keep an eye out for any privileged information. If you consulted with an attorney over an employee for whatever reason and then that same employee makes a DSAR request, you don’t have to hand over your conversations with your attorney — those are protected under attorney-client privilege. In fact, if you were to share that information, it would void your attorney-client privilege.
Handling DSARs on a one-off basis is a recipe for disaster. Not only does it make it more likely that you’ll deviate from best practices, make errors, or include information that you shouldn’t, it also increases your legal risk.
If you have a documented process in place, you’ll be better able to prove that you made a good-faith effort to handle DSAR requests in case an employee isn’t satisfied with the information you provided. You’ll be able to prove that any DSAR refusals you make aren’t due to a lack of a process. And you’ll be able to demonstrate that certain information falls outside of a reasonable DSAR scope. All in all, you’ll be better positioned to defend your organization’s process and results in the event of legal action.
Keeping the above factors in mind, HR professionals can lay the foundation for a proactive employee DSAR process. Here are three key steps HR professionals should take when getting their organization DSAR-ready.
You won’t be able to quickly respond to an employee’s DSAR request if you don’t know the different data stores in use at your organization. A data mapping exercise will enable you to track down the different systems in your organization and identify what data they contain.
This will include elements of the HR software stack, like payroll systems, people enablement platforms, and recruiting software, but it may also include other internal and external systems. You’ll want to consult with other departments (especially the Operations department) to see if they own any systems that hold an appreciable amount of employee data. Additionally, make sure you take into account any data transfers you make to third parties.
Knowing where employee data lives is important, but it’s also important to know what kind of data you’re working with. Employee DSAR requests might ask for everything, but they might also ask for specific categories of information. An employee might say, “I want to see all the data you have on my performance” — performance-related data could span several systems, such as your people enablement platform, email, or payroll system. Thus, it’s important to note down the categories of data you collect in your different systems.
Your organization probably already has a consumer-facing privacy policy, but you could benefit from drafting an employee data privacy policy as well. In order to be compliant with the CPRA, you’ll already need to provide disclosures to your employees regarding:
Delivering these disclosures in a privacy policy is not only convenient; the act of creating an employee privacy policy will also help clarify what you need to do with employee data in order to be compliant.
You wouldn’t be alone. Even privacy professionals struggle to establish efficient consumer DSAR processes, let alone employee DSARs.
Our DSAR 101 webinar can serve as an excellent next step for HR professionals looking to gain a better grasp of the DSAR process. As the GDPR matures and as new privacy regulations like the CPRA come into effect, more and more businesses will be confronted with DSAR requests for the first time. Without a plan or process in place, those requests can represent a major compliance risk. To learn how to manage DSAR requests in a sustainable, scalable way, access the webinar here.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.