Updated: March 21, 2023
Published: August 2, 2022
If you’re a chief information officer, chief technical officer, human resources professional, or another executive, you’ve undoubtedly heard of the General Data Protection Regulation (GDPR) and California's privacy laws — the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). All of these laws have caused ripples (and sometimes waves) in the world of privacy, both in their respective place of origin and beyond.
Both landmark privacy laws expand well beyond their borders. As they’re updated, it’s critical that organizations understand consumer – and now employee – rights related to privacy and data subject access requests (DSARs).
At its core, a data subject access request is simply that: a request. The premise is that consumers have a right to know and understand what information a company holds about them and how that information is used, among other rights. When a consumer (whether a customer or a user) submits a request, the company must provide the information it has collected about that person.
The GDPR was the first to introduce the idea that DSARs aren’t just for consumers, but for employees as well. And as the California Consumer Privacy Act (CCPA) gives way to the CPRA, employees will have similar rights to data as consumers. In January 2023, exemptions for employee and business-to-business data will expire. Employers are left wondering what their responsibilities will be when employees submit a DSAR.
The EU was the first and remains among the most stringent jurisdictions in the privacy rights it provides to consumers. Most other privacy laws, including California’s CCPA/CPRA, follow the GDPR model of consumer rights, including giving employees rights with respect to the personal information their employer holds about them.
In the EU, employees can request all personal data that their current or former employer holds about them. Employers are not permitted to ask the reason for the request; they may only ask the employee to clarify certain points when, for example, providing all of the data would produce an unmanageable volume of information and the request needs to be narrowed.
The employer must make a reasonable effort to provide the correct information, and it is required to be handed over in a “concise, transparent, intelligible and easily accessible form using clear and plain language.” Noncompliance carries hefty fines, up to €20 million (~20.4 million USD) or up to 4% of annual global turnover.
Employers hold a lot of data about their employees, which could make DSAR compliance cumbersome. Now that the exemption of employee data in California DSARs is officially expired, you need to begin planning (if you haven't already done so). As a reminder, the CPRA applies to any for-profit business that:
Employers should stay apprised of laws both foreign and domestic to see how others are working through employee data subject access requests.
Ensure you understand what employee data your company collects, how it flows organizationally, where and how it’s stored, and whether third parties are processing the data.
The CPRA employee data regulations will require companies to notify applicants of data subject rights, retention times, and other rights. Privacy disclosures also should be updated to include the new right for employees to have businesses correct their personal information, outline how sensitive personal information is processed, review retention criteria, and note whether personal information is sold or shared.
Ensure agreements with third parties that access employee data meet the obligations for service provider agreements under the CPRA. It’s also a good time to review cybersecurity and data policies as they relate to employee data under the CPRA.
Whether it’s January 1, 2023, or at another time, organizational leaders will likely have to grapple with employee DSARs at some point. Creating a strategy for ensuring policies are up to date and ready to put into place can go a long way in ensuring compliance when the time comes.
Privacy law compliance will require companies to understand, track, and create access to collected data so it can be collated for requests.
Osano Data Discovery uses artificial intelligence and machine learning to discover and categorize data for even the most complex organizations. Save time, your budget, and frustration. See what data discovery can do for you.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of making a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.