Managing Employee DSAR Under CPRA [2023 Guide]

• As of Jan. 1, 2023, employee data collected by businesses under CPRA must be treated the same as any other consumer information.

• Employees, contractors, job applicants, emergency contacts, beneficiaries, and board members in California (CA) now have the same rights as CA consumers, including the right to request access, correction, or deletion of their personal information.

• Even for businesses with an existing DSAR process, fulfilling employee DSAR will present new challenges—verifying identity, gathering the right stakeholders, and wrangling a wider range of unstructured data. 

• To effectively fulfill employee DSAR, businesses will need to create a data inventory, develop internal policies, implement an identity verification process, and more.

• The following text covers the main points from our recent webinar on preparing for employee DSAR under CPRA. You can watch the full recording here.

Note: The following text has been modified for readability.

• Employee DSAR: What does CPRA require

• Unique challenges for employee DSAR fulfillment

• 6 steps for fulfilling employee DSAR

The California Consumer Privacy Act (CCPA) took effect in 2020—imposing broad obligations on businesses that process consumer data in California. At this point in the game, most privacy professionals are familiar with these rights, including the right to be notified of data collection, opt out of the sale of data, and request access, deletion, and correction of personal data.

As of January 1, 2023, when the California Privacy Rights Act (CPRA) went into effect, any employee data collected by a business must be treated the same as consumer information.

This means covered employers will need to add employee and human resource data to their ongoing compliance efforts. For reference, this data may include:

• Employee contact information

• Insurance and benefits selections

• Direct deposit information

• Emergency contacts

• And more 

Though we’re using the term employee as shorthand, these requirements apply to all types of workforce individuals—job applicants, contractors, emergency contacts, beneficiaries, board members, and more. As a starting point, this means your notice of collections should be updated to describe these new workforce rights as of January 1, 2023. 

Businesses also need to provide a way for workforce individuals to opt-out of the sale or sharing of their data and restrict processing of sensitive personal information. They’ll also need a way to respond to employee requests to access, correct, or delete their date, which is what we’ll cover below.

Need a more holistic guide to CPRA compliance? Check out our recent blog post CPRA Compliance: 5 Ways to Start Preparing Now

As of today, no one knows exactly what enforcement will look like. But we do know this: 

• CPRA established the California Privacy Protection Agency (CPPA) as the new agency responsible for implementing and enforcing the law, promulgating regulations, and imposing fines. 

• CPRA removed the mandatory 30 day cure period, wherein businesses had 30 days to fix a violation after receiving notice from the Attorney General. That cure period is now discretionary and we don’t yet know if the CPPA will give folks those 30 days or not. 

• On a per violation basis, there are statutory fines of $2,500 for each unintentional violation and $7500 for each intentional violation. 

This means that, even without a precedent for enforcement, the potential risks are still high. For one, there’s a dedicated agency whose role will be to find violators and facilitate enforcement actions. Plus, in a scenario where there are several violations for multiple individuals, it’s easy to see how quickly those fines could rack up. 

Though CCPA enforcement doesn’t begin until July 1, 2023, all businesses are expected to be in compliance by January 1, 2023. If your business didn’t hit the Jan 1 deadline, it’s time to put in a good faith effort to get there as quickly as possible. 

The level of scrutiny you apply during the verification process should match the sensitivity of the personal information at stake.

Companies need to ensure there’s enough rigor in their verification process to protect the more sensitive data involved with employee requests. 

Also remember that CPRA strongly discourages businesses from collecting net new sensitive data unnecessarily. To limit the sprawl of personal data, they want to see you matching against the personal data you already hold—avoiding net new collection as much as possible.

Identifying and collating additional data types is one of the most challenging aspects of workforce and employee DSAR. Employee data tends to sprawl across a wider variety of systems than consumer data and can include: 

• Employee contact info

• Insurance and benefits selections

• Direct deposit and bank information

• Emergency contacts

• Dependents

• Beneficiaries

• Resumes and employment history

• Performance evaluations

• Time cards

• Stock and equity grants

• Compensation history

In a perfect world, you could sit down and come up with a comprehensive list of typical HR records, most of which would be stored in an HR management system—meaning the HR team would be able to pull most of the data without too much trouble. 

In practice, the process is much trickier, especially when you start thinking about the other areas of your business where personal information about a job applicant or employee might live. Things like emails or Slack messages between management as they’re doing performance reviews and calibration. Or a Slack channel where interviewers debrief about an applicant. 

This type of personal information can sprawl across various unstructured communication channels, which makes the discovery process much more difficult.

Setting up a process for managing workforce data requests is going to be a team effort—one that probably looks different from how your business has handled consumer data requests so far. But while this is a new right in California, a version of the employee DSAR right has existed under GDPR for years. We can use that as a model of what the process might look like. 

The main takeaway from GDPR precedent is that employers most commonly receive access requests during pre-litigation or a pre-dispute process. A terminated employee or disgruntled job applicant may look to leverage these privacy rights as a form of free discovery.

This means that to set up an effective process for handling employee access requests, you’ll need to work really closely with your HR team, HR system admins, and employment and litigation counsel. Getting these stakeholders to the table will ensure you’re all fully aligned on how to effectively manage and respond to these requests when they come in.

There are several steps to take when setting up an employee DSAR fulfillment process: 

1. Create a data inventory

2. Develop internal policies

3. Verify identity

4. Determine which steps should be automated

5. Take advantage of integrations (if possible)

6. Establish a redaction process

You can’t manage or govern what you don’t see. This holds even more true with employee DSAR than it does with consumer DSAR.

Not confined to a transaction or product use, as it might be on the consumer side, employee data tends to sprawl.

Remember, employees spend 8+ hours a day for years generating personal data in almost every system your company has. That’s why generating an overview of where the data lives is so important. 

At first glance, it seems easy to check the box and say that most employee data lives in HR systems. And you do need to map data in those systems, but discovering all your employee data goes far beyond that. 

You also need to consider role specific systems, like a marketing tool or development platform, as well as common professional tools like email, messaging, and video conferencing. These are all significant generators of bulk unstructured data and often have personal and/or sensitive data mixed in—doctors appointments on calendars, emails about personal life events, and more. 

Legacy approaches to data mapping, ones that rely on a static quarterly survey process, can’t catch this granularity of data. Which is why finding a tool that maps unstructured data effectively and doesn’t go out of date is crucial when building an employee DSAR process. 

Because fulfilling employee DSAR can be quite different from consumer DSAR, businesses should develop internal policies to govern this process ahead of time. 

Start by identifying the key stakeholders in your business. At a minimum that should include an HR leader, employment counsel, security team, and privacy counsel. Once you assemble that group, work with them to identify a workflow that makes sense for your business. 

Make sure to answer questions like—how robust do we want to be on authenticating the DSAR? 

Or for a deletion request—when do we want to put that request on hold because we believe there might be an applicable exception under CCPA? 

That question is important because under CCPA there are some instances when you don’t need to comply with a delete request. Or at least don’t need to comply immediately. For example, if the business is completing a transaction or upholding a legal obligation. Or, in the pre-litigation or dispute context, you may have to put a litigation hold in place to preserve employee records. 

Either way, you’ll want to get these stakeholders together to talk through these issues, so you can draft clear policies ahead of time. That way you’ll understand how to respond in different contexts before the requests start rolling in. 

Imagine an email chain with information about the employee who’s making the DSAR. This email will likely include a lot of personal information about not just that person, but other individuals in the business. Now imagine that email, which includes all the information requested in the DSAR, gets sent back to the wrong person i.e. not the person who made the request.

Under CCPA, there’s actually a private right of action for unauthorized disclosure of an individual's information—meaning this accidental send would constitute a data breach. This is why it’s so important to have robust verification controls when an access request is made, because if you deliver a fulfilled DSAR to the wrong person it can create liability. 

Not only that, but identity verification is part of the experience your end user, the data subject, is going to go through—it sets the tone for the rest of the request process. It’s also the first thing a regulator or individual looking for enforcement is going to see. 

To provide a great user experience from the jump, consider offering a holistic privacy center—one where subjects can authenticate their identity, make their initial request, review your privacy policy, and check on the status of their request. Consolidating everything in one place uplevels the user experience from start-to-finish by simplifying the process and providing greater transparency.

Remember also that CPRA’s requirements apply to both former and current employees. It makes more sense to have a current employee login with a single sign-on, which is better facilitated through a privacy center than a static web form. 

Though predicated by a compliance need, the identity verification process is still an extension of your brand, so you want to make sure your users have a seamless experience. 

Like most modern processes, fulfilling employee DSAR exists on a spectrum with manual intervention on one end and full automation on the other. As you build out this process, you’ll need to determine which steps should be manual and which should be automated.

Right now you may have a fully manual approach for processing consumer requests. But given the volume of unstructured data in employee DSAR, we don’t see that approach scaling well.

Manual discovery of unstructured data is extremely time intensive and can cost thousands, if not tens of thousands, of dollars in labor. 

However, some level of manual review is often necessary due to the sensitivity of the information involved. Finding a middle ground is key.

In an ideal world you would use technology and automation to assist in the most time consuming portions—collation, collection, and detection of the data—and then surface it in an intelligent way for those manual steps. 

Once you’ve made that determination, you should consider what identifiers you need to be using to find responsive data. 

During the verification or request intake process, you might ingest something like an email address from the end user. But the data relevant to that employee could be sprawled across your systems in the form of an employee ID, internal company user name, and one or more employee email addresses. This makes it tricky to use a single static identifier.

Going back to the choice between manual vs automated, identifiers are a big reason we suggest automation for these more complex portions.

An automated DSAR system can ingest a single identifier and then enrich it with a map of other identifiers.

Meaning that when it goes to your connected systems to find data, it’s not just looking for johnsmith@company.com, but relevant variables as well. 

Identifying data across different systems is where integrations become really important. For many companies, taking advantage of integrations is really the only way to effectively scale data discovery. Beyond the time savings, it’s also a best practice from a sensitivity standpoint. 

For example—consider an email to multiple employees revealing there’s a sensitive request in play for a former or current employee and asking them to collect data. This is producing additional trails of data and disclosing data unnecessarily—it’s just not ideal. 

It’s much safer and cleaner to use integrations and API connections to collect the data without passing it through other hands.

This also ensures it’ll be at your fingertips for review, redaction, and discussions with counsel when you need it. And, it’s highly auditable. 

Looking at this process as pre-discovery and ensuring you’re doing it in a way that minimizes the odds of something going awry offers a lot of benefits over manual methods. 

To ensure data privacy and prevent unintended disclosures, redaction is going to be key as these employee DSARs start coming in.

Many of these workforce access requests will include personal information that’s adjacent to the personal information of the requestor. Making thoughtful redactions helps ensure that personal information not relevant to the requestor isn’t shared without authorization.

Right now, there’s no regulatory guidance from the CPPA on how to approach this, but if we look to GDPR or ICO there are a variety of methods available—from printing out documents and using a blackout pen to programmatic redactions such as scrambling the information. 

Ultimately, you should work to put a process in place that’s comprehensive and scalable.

As of Jan. 1, 2023, employee data collected by a business under CPRA must be treated the same as any other consumer information. This means that employees, contractors, job applicants, emergency contacts, beneficiaries, and board members in California (CA) now have the same rights as CA consumers.

These rights include the right to access, correct, and delete information, be notified about data collection, and opt out of the sale of data. Fulfilling these employee DSAR will present new challenges, even for businesses with an existing consumer DSAR process. Businesses should be prepared to verify identity, gather the right stakeholders, and wrangle a wide range of unstructured data. 

To fulfill employee DSAR effectively businesses will need to create a data inventory, develop internal policies, implement an identity verification process, determine which steps should be automated, take advantage of integrations if possible, and establish a robust redaction process.

If your organization has been impacted by the California Privacy Rights Act's new employee data requirements or other consumer privacy laws, Transcend can help you ensure compliance. Learn how to fulfill employee DSAR with Transcend.

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, mitigate risk with smarter privacy Assessments, or discover data silos and auto-generate reports with Data Mapping.