5 Privacy Trends for 2025: What to Watch For
Heraclitus said that “The only constant in life is change,” but...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: December 4, 2024
Published: August 2, 2022
If you’re a chief information officer, chief technical officer, human resources professional, or another executive, you’ve undoubtedly heard of the General Data Protection Regulation (GDPR) and California's privacy laws — the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). All of these laws have caused ripples (and sometimes waves) in the world of privacy, both in their respective place of origin and beyond.
Both landmark privacy laws expand well beyond their borders. As they’re updated, it’s critical that organizations understand consumer – and now employee – rights related to privacy and data subject access requests (DSARs).
At its core, a data subject access request is simply that, a request. The premise is that consumers have a right to know and understand what information a company has about them and how the information is used, among other rights. When a consumer (no matter if they’re a customer or user) submits a request, companies must provide the information it has collected about the person.
The GDPR was the first to introduce the idea that DSARs aren’t just for consumers, but for employees as well. And as the California Consumer Privacy Act (CCPA) gives way to the CPRA, employees will have similar rights to data as consumers. In January 2023, exemptions for employee and business-to-business data will expire. Employers are left wondering what their responsibilities will be when employees submit a DSAR.
The EU was the first and remains among the most stringent with privacy rights provided to consumers. Most other privacy laws, including California’s CCPA/CPRA follow the GDPR model of consumer rights, including providing employees rights with respect to their personal information that their employer holds.
In the EU, employees can request all personal data their place of employment or former workplace holds about them. Regardless of the reason for request (which employers are not permitted to ask), the employer can only clarify certain points if, for example, providing the data could create an overflow of information and needs to be pared down.
The employer must make a reasonable effort to provide the correct information, and it is required to be handed over in a “concise, transparent, intelligible and easily accessible form using clear and plain language.” Noncompliance carries hefty fines, up to €20 million (~20.4 million USD) or up to 4% of annual global turnover.
Employers hold a lot of data about their employees, which could make DSAR compliance cumbersome. Now that the exemption of employee data in California DSARs is officially expired, you need to begin planning (if you haven't already done so). As a reminder, the CPRA applies to any for-profit business that:
Employers should stay apprised of laws both foreign and domestic to see how others are working through employee data subject access requests.
Ensure you understand what employee data your company collects, how it flows organizationally, where and how it’s stored, and whether third parties are processing the data.
The CPRA employee data regulations will require companies to notify applicants of data subject rights, retention times, and other rights. Privacy disclosures also should be updated to include the new right for employees to have businesses correct their personal information, outline how sensitive personal information is processed, review retention criteria, and note whether personal information is sold or shared.
Ensure agreements with third parties that access employee data meet the obligations for service provider agreements under the CPRA. It’s also a good time to review cybersecurity and data policies as they relate to employee data under the CPRA.
Whether it’s January 1, 2023, or at another time, organizational leaders will likely have to grapple with employee DSARs at some point. Creating a strategy for ensuring policies are up to date and ready to put into place can go a long way in ensuring compliance when the time comes.
Privacy law compliance will require companies to understand, track, and create access to collected data so it can be collated for requests.
Osano Data Discovery uses artificial intelligence and machine learning to discover and categorize data for even the most complex organizations. Save time, your budget, and frustration. See what data discovery can do for you.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.