Senior Content Marketing Manager II
January 6, 2023 • 13 min read
Note: The following text has been modified for readability.
The California Consumer Privacy Act (CCPA) took effect in 2020, imposing broad obligations on businesses that process consumer data in California. At this point in the game, most privacy professionals are familiar with the rights it grants, including the right to be notified of data collection, to opt out of the sale of data, and to request access, deletion, and correction of personal data.
As of January 1, 2023, when the California Privacy Rights Act (CPRA) went into effect, any employee data collected by a business must be treated the same as consumer information.
This means covered employers will need to add employee and human resource data to their ongoing compliance efforts. For reference, this data may include:
Though we're using the term employee as shorthand, these requirements apply to all types of workforce individuals: job applicants, contractors, emergency contacts, beneficiaries, board members, and more. As a starting point, this means your notice of collection should be updated to describe these new workforce rights as of January 1, 2023.
Businesses also need to provide a way for workforce individuals to opt out of the sale or sharing of their data and to restrict processing of their sensitive personal information. They'll also need a way to respond to employee requests to access, correct, or delete their data, which is what we'll cover below.
Need a more holistic guide to CPRA compliance? Check out our recent blog post CPRA Compliance: 5 Ways to Start Preparing Now.
As of today, no one knows exactly what enforcement will look like. But we do know this:
This means that, even without a precedent for enforcement, the potential risks are still high. For one, there's a dedicated agency whose role will be to find violators and facilitate enforcement actions. Plus, in a scenario with several violations affecting multiple individuals, it's easy to see how quickly those fines could rack up.
Though CCPA enforcement doesn't begin until July 1, 2023, all businesses are expected to be in compliance by January 1, 2023. If your business didn't hit the Jan. 1 deadline, it's time to put in a good faith effort to get there as quickly as possible.
The level of scrutiny you apply during the verification process should match the sensitivity of the personal information at stake.
Companies need to ensure there's enough rigor in their verification process to protect the more sensitive data involved in employee requests.
Also remember that CPRA strongly discourages businesses from collecting new sensitive data unnecessarily. To limit the sprawl of personal data, regulators want to see you verify requestors by matching against the personal data you already hold, avoiding net new collection as much as possible.
Identifying and collating additional data types is one of the most challenging aspects of workforce and employee DSAR. Employee data tends to sprawl across a wider variety of systems than consumer data and can include:
In a perfect world, you could sit down and come up with a comprehensive list of typical HR records, most of which would be stored in an HR management system, meaning the HR team would be able to pull most of the data without too much trouble.
In practice, the process is much trickier, especially once you start thinking about the other areas of your business where personal information about a job applicant or employee might live: emails or Slack messages between managers doing performance reviews and calibration, or a Slack channel where interviewers debrief about an applicant.
This type of personal information can sprawl across various unstructured communication channels, which makes the discovery process much more difficult.
Setting up a process for managing workforce data requests is going to be a team effort, one that probably looks different from how your business has handled consumer data requests so far. But while this is a new right in California, a version of the employee DSAR right has existed under GDPR for years. We can use that as a model of what the process might look like.
The main takeaway from GDPR precedent is that employers most commonly receive access requests during pre-litigation or a pre-dispute process. A terminated employee or disgruntled job applicant may look to leverage these privacy rights as a form of free discovery.
This means that to set up an effective process for handling employee access requests, you'll need to work closely with your HR team, HR system admins, and employment and litigation counsel. Getting these stakeholders to the table will ensure you're all fully aligned on how to manage and respond to these requests when they come in.
There are several steps to take when setting up an employee DSAR fulfillment process:
You can't manage or govern what you don't see. This holds even more true for employee DSAR than for consumer DSAR.
Not confined to a transaction or product use, as it might be on the consumer side, employee data tends to sprawl.
Remember, employees spend 8+ hours a day for years generating personal data in almost every system your company has. That's why generating an overview of where the data lives is so important.
At first glance, it seems easy to check the box and say that most employee data lives in HR systems. And you do need to map data in those systems, but discovering all your employee data goes far beyond that.
You also need to consider role-specific systems, like a marketing tool or development platform, as well as common professional tools like email, messaging, and video conferencing. These are all significant generators of bulk unstructured data and often have personal and/or sensitive data mixed in: doctor's appointments on calendars, emails about personal life events, and more.
Legacy approaches to data mapping, ones that rely on a static quarterly survey process, can't catch this granularity of data. That's why finding a tool that maps unstructured data effectively and doesn't go out of date is crucial when building an employee DSAR process.
Because fulfilling employee DSAR can be quite different from consumer DSAR, businesses should develop internal policies to govern this process ahead of time.
Start by identifying the key stakeholders in your business. At a minimum that should include an HR leader, employment counsel, the security team, and privacy counsel. Once you assemble that group, work with them to identify a workflow that makes sense for your business.
Make sure to answer questions like: how robust do we want to be in authenticating the DSAR?
Or, for a deletion request: when do we want to put that request on hold because we believe there might be an applicable exception under CCPA?
That question is important because under CCPA there are some instances when you don't need to comply with a deletion request, or at least don't need to comply immediately: for example, if the business is completing a transaction or upholding a legal obligation. Or, in the pre-litigation or dispute context, you may have to put a litigation hold in place to preserve employee records.
Either way, you'll want to get these stakeholders together to talk through these issues, so you can draft clear policies ahead of time. That way you'll understand how to respond in different contexts before the requests start rolling in.
Imagine an email chain with information about the employee who's making the DSAR. This email will likely include a lot of personal information about not just that person, but other individuals in the business. Now imagine that email, which includes all the information requested in the DSAR, gets sent back to the wrong person (i.e., not the person who made the request).
Under CCPA, there's actually a private right of action for unauthorized disclosure of an individual's information, meaning this accidental send would constitute a data breach. This is why it's so important to have robust verification controls when an access request is made: if you deliver a fulfilled DSAR to the wrong person, it creates liability.
Not only that, but identity verification is part of the experience your end user, the data subject, is going to go through; it sets the tone for the rest of the request process. It's also the first thing a regulator or individual looking for enforcement is going to see.
To provide a great user experience from the jump, consider offering a holistic privacy center: one where subjects can authenticate their identity, make their initial request, review your privacy policy, and check on the status of their request. Consolidating everything in one place uplevels the user experience from start to finish by simplifying the process and providing greater transparency.
Remember also that CPRA's requirements apply to both former and current employees. It makes more sense to have a current employee log in with single sign-on, which is better facilitated through a privacy center than a static web form.
Though predicated by a compliance need, the identity verification process is still an extension of your brand, so you want to make sure your users have a seamless experience.
Like most modern processes, fulfilling employee DSAR exists on a spectrum with manual intervention on one end and full automation on the other. As you build out this process, you'll need to determine which steps should be manual and which should be automated.
Right now you may have a fully manual approach for processing consumer requests. But given the volume of unstructured data in employee DSAR, we don't see that approach scaling well.
Manual discovery of unstructured data is extremely time intensive and can cost thousands, if not tens of thousands, of dollars in labor.
However, some level of manual review is often necessary due to the sensitivity of the information involved. Finding a middle ground is key.
In an ideal world you would use technology and automation to assist in the most time-consuming portions (collation, collection, and detection of the data) and then surface it in an intelligent way for those manual steps.
Once you've made that determination, you should consider what identifiers you need to be using to find responsive data.
During the verification or request intake process, you might ingest something like an email address from the end user. But the data relevant to that employee could be sprawled across your systems in the form of an employee ID, internal company user name, and one or more employee email addresses. This makes it tricky to use a single static identifier.
Going back to the choice between manual and automated processing, identifiers are a big reason we suggest automation for these more complex portions.
An automated DSAR system can ingest a single identifier and then enrich it with a map of other identifiers.
That means when it goes to your connected systems to find data, it's not just looking for johnsmith@company.com, but for the related identifiers as well.
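As an added illustration (example code written for this article, not Transcend's product code or the original post's), here is a minimal version of that enrichment step in Python: one verified email is expanded to every identifier a workforce directory knows for the same person before the connected systems are searched, and a lookup that resolves to zero or several directory records is refused rather than searched, since searching on a mistaken identity could pull someone else's records into the response. The directory, the system records, and the field names are all constructed for the example, and directory emails are assumed to be stored lowercase.

```python
"""Identifier enrichment for employee DSAR discovery (added example, not Transcend's code)."""

# Constructed sample workforce directory: one canonical record per person.
# Emails are stored lowercase so lookups can be case-insensitive.
DIRECTORY = [
    {"employee_id": "E1042", "username": "jsmith",
     "emails": {"johnsmith@company.com", "john.smith@company.com", "jsmith@oldco.example"}},
    {"employee_id": "E2077", "username": "jdoe",
     "emails": {"janedoe@company.com"}},
]

# Constructed sample records from several connected systems; each system keys
# its data on whichever identifier it happens to use.
SYSTEM_RECORDS = [
    {"system": "hris", "identifier": "E1042", "content": "Performance review 2022"},
    {"system": "chat", "identifier": "jsmith", "content": "Interview debrief thread"},
    {"system": "mail", "identifier": "john.smith@company.com", "content": "PTO request"},
    {"system": "calendar", "identifier": "janedoe@company.com", "content": "Dentist appt"},
    {"system": "payroll", "identifier": "E2077", "content": "W-2 2022"},
]


def enrich_identifiers(verified_email: str) -> set:
    """Expand the single verified identifier into every identifier the
    directory knows for that person (employee ID, username, all emails).

    Raises LookupError if the email matches zero or more than one directory
    record: an ambiguous identity goes to manual review, not to discovery.
    """
    matches = [rec for rec in DIRECTORY if verified_email.lower() in rec["emails"]]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} directory records match {verified_email!r}")
    rec = matches[0]
    return {rec["employee_id"], rec["username"], *rec["emails"]}


def find_responsive_records(verified_email: str) -> list:
    """Search every connected system with the full identifier set, not just
    the email address the requestor typed into the intake form."""
    ids = {i.lower() for i in enrich_identifiers(verified_email)}
    return [r for r in SYSTEM_RECORDS if r["identifier"].lower() in ids]


if __name__ == "__main__":
    for rec in find_responsive_records("JohnSmith@company.com"):
        print(rec["system"], "->", rec["content"])
```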
Identifying data across different systems is where integrations become really important. For many companies, taking advantage of integrations is the only way to effectively scale data discovery. Beyond the time savings, it's also a best practice from a sensitivity standpoint.
For example, consider an email to multiple employees revealing there's a sensitive request in play for a former or current employee and asking them to collect data. This produces additional trails of data and discloses data unnecessarily; it's just not ideal.
It's much safer and cleaner to use integrations and API connections to collect the data without passing it through other hands.
This also ensures it'll be at your fingertips for review, redaction, and discussions with counsel when you need it. And it's highly auditable.
Looking at this process as pre-discovery and ensuring you're doing it in a way that minimizes the odds of something going awry offers a lot of benefits over manual methods.
To ensure data privacy and prevent unintended disclosures, redaction is going to be key as these employee DSARs start coming in.
Many of these workforce access requests will include personal information that's adjacent to the personal information of the requestor. Making thoughtful redactions helps ensure that personal information not relevant to the requestor isn't shared without authorization.
Right now, there's no regulatory guidance from the CPPA on how to approach this, but if we look to GDPR or the ICO there are a variety of methods available, from printing out documents and using a blackout pen to programmatic redactions such as scrambling the information.
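As an added example (not code from the post or from Transcend), the following Python shows a programmatic redaction pass of the kind described above: every identifier that belongs to someone other than the requestor is replaced with a stable placeholder, the requestor's own identifiers are left intact, and an audit log of each substitution is returned for reviewer sign-off. The directory, the requestor's identifiers, the sample message, and the simple email pattern are all constructed for the example.

```python
"""Third-party redaction for an employee DSAR response (added example, not Transcend's code)."""
import re

# Constructed, deliberately simple pattern for email addresses in free text.
EMAIL_RE = r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"

# Constructed sample data. Directory keys are lowercase identifiers (names,
# emails, usernames) mapped to an opaque person key, so every identifier of
# one person collapses to the same placeholder.
SAMPLE_DIRECTORY = {
    "jane doe": "person-1", "janedoe@company.com": "person-1",
    "bob lee": "person-2",
}
REQUESTOR_IDS = {"john smith", "johnsmith@company.com", "jsmith"}
SAMPLE_TEXT = ("Jane Doe asked John Smith (johnsmith@company.com) to cover; "
               "cc janedoe@company.com, Bob Lee and hr-temp@contractor.example.")


def redact_third_parties(text: str, requestor_ids: set, directory: dict) -> tuple:
    """Replace every personal identifier that is not the requestor's own with a
    stable placeholder. Returns (redacted_text, audit_log), where audit_log is
    a list of (original_token, placeholder) pairs for the reviewer.

    Email addresses absent from the directory are still redacted: the unknown
    third party is the disclosure risk, not the one you already catalogued.
    """
    requestor = {i.lower() for i in requestor_ids}
    placeholders: dict = {}
    audit_log: list = []

    def substitute(match):
        token = match.group(0)
        if token.lower() in requestor:
            return token  # the requestor is entitled to their own data
        person_key = directory.get(token.lower(), token.lower())
        placeholder = placeholders.setdefault(
            person_key, f"[THIRD-PARTY-{len(placeholders) + 1}]")
        audit_log.append((token, placeholder))
        return placeholder

    # Known identifiers longest-first so a full name wins over a shorter alias,
    # then the generic email pattern; word boundaries avoid partial-word hits.
    alternatives = [re.escape(k) for k in sorted(directory, key=len, reverse=True)]
    pattern = re.compile(r"(?<!\w)(?:" + "|".join(alternatives + [EMAIL_RE]) + r")(?!\w)",
                         re.IGNORECASE)
    return pattern.sub(substitute, text), audit_log


if __name__ == "__main__":
    redacted, log = redact_third_parties(SAMPLE_TEXT, REQUESTOR_IDS, SAMPLE_DIRECTORY)
    print(redacted)
    for original, placeholder in log:
        print(f"  {original} -> {placeholder}")
```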
Ultimately, you should work to put a process in place thatâs comprehensive and scalable.
As of Jan. 1, 2023, employee data collected by a business under CPRA must be treated the same as any other consumer information. This means that employees, contractors, job applicants, emergency contacts, beneficiaries, and board members in California (CA) now have the same rights as CA consumers.
These rights include the right to access, correct, and delete information, be notified about data collection, and opt out of the sale of data. Fulfilling these employee DSAR will present new challenges, even for businesses with an existing consumer DSAR process. Businesses should be prepared to verify identity, gather the right stakeholders, and wrangle a wide range of unstructured data.
To fulfill employee DSAR effectively businesses will need to create a data inventory, develop internal policies, implement an identity verification process, determine which steps should be automated, take advantage of integrations if possible, and establish a robust redaction process.
If your organization has been impacted by the California Privacy Rights Act's new employee data requirements or other consumer privacy laws, Transcend can help you ensure compliance. Learn how to fulfill employee DSAR with Transcend.
Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, mitigate risk with smarter privacy Assessments, or discover data silos and auto-generate reports with Data Mapping.