
For the most part, businesses gather employee data without too much thought. Sure, some data is obviously private, like employee social security numbers, but other than that, businesses can pretty much do what they want with employee data—right? 

Not according to laws like Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CPRA). Under these and other privacy laws, businesses have to treat employee data with the same level of regard as consumer data. Essentially, personal information is personal information, no matter whether it belongs to a prospect, employee, customer, or client. Companies must keep data safe.

Of course, contractual obligations still exist. There is certain sensitive data you must collect from your employees as a function of their employment. But that just means you have an obligation to protect that data and to your employees. You need to:

  • Implement security to protect the data. 
  • Inform employees about what data you're collecting and what you’re doing with the information obtained. 
  • Respond to employee data subject access requests (DSARs). 
  • Regularly audit and update company data protection policies.
  • Minimize data collection to only what is necessary for employment purposes.
  • Restrict access to employee data to authorized personnel only.
  • Encrypt data to safeguard personal information from breaches.

If you’re feeling confused, you’re not alone. Here is everything you need to know to comply with employee data protection.

What is employee data protection?

Employee data protection refers to taking security measures to safeguard employees’ information and ensuring the data can’t be accessed by a third party without the employee’s consent. 

A common misconception is that your obligation to protect sensitive employee data stops when an employee leaves the company. That would be true if you were to delete all their data at that point. However, legal obligations in most countries require you to retain certain records for a few years, and those records must be protected as long as you hold them.

Exactly what data must be kept varies from country to country and from regulation to regulation. In the U.S., for instance, the Age Discrimination in Employment Act requires businesses to retain payroll records for three years. Any personal information contained within those records must be protected for as long as it is still in your hands if you’re to comply with data privacy laws.

How to protect employee data 

Nobody wants to be out of compliance, but it’s often difficult to know where to start protecting your employee data. Some measures you can adopt include:

  • Secure employee documents and data against cyberattacks through encryption, pseudonymization, multi-factor authentication, and other methods.
  • Ensure minimal access: only the people who need to access employee information should be able to access it.
  • Create an employee privacy policy that covers what data you collect, how you process it, why you’re processing that data, and what rights your employees have in regard to that data.
  • Inform employees about their rights and be prepared to act on those rights, such as the right to know what data is being collected from them; to correct inaccurate data; to know with whom that data is shared or sold; to opt into or out of data collection, sharing, or sales; and so on. Each individual law will have its own list of rights.
  • Keep records of consent and records of processing activities (RoPAs).
  • Ensure general awareness within the company regarding best practices for data protection. Explaining data privacy to your coworkers can be tough, but it’s absolutely essential for achieving your compliance goals.

GDPR employee personal data privacy law

The GDPR took data protection to a whole new level, and it doesn’t differentiate between external data subjects (e.g., customers, website visitors, app users) and internal ones (employees). To be compliant, you’ll need to consider several aspects.

  • Consent. Since employees have less power than their employers, consent isn’t a reliable legal basis for data processing. Instead, you’ll need to rely on one of the other legal bases identified in the law for processing data, such as the performance of the employment contract. 
  • Purpose of the processing. The employee shared the necessary data to enter a contract with you. That doesn’t mean you’re free to process it in any way you choose. You must limit yourself to the purposes agreed upon when you collected that data. 
  • Transfers to third countries. If your company operates in more than one country, you might need to transfer the employee’s data. When those countries are also in the EU, you’re in the clear. Transferring data outside of the EU is more challenging, and you’ll need to make sure your employees’ rights are respected. If you’re transferring data outside of the EU but within the same organization (i.e., your company is an international organization with offices both within and outside of the EU), then you can rely on binding corporate rules to govern the data transfer.
  • Data security measures. You can’t have true data protection if you don’t implement any security measures. You can encrypt data, use multifactor authentication, restrict access, and employ any other measures you want. The law doesn’t require a certain method to be used, but in case of a data breach, you’ll be held responsible if the methods you used were not adequate.
  • Employees' rights. Under the GDPR, your employees have the same rights as external data subjects. These include the right to be informed, to access their data, to object, to be forgotten, and more.
  • Data minimization. This one is simple—don’t collect or store more data than you need. If you can’t state a clear reason why certain information is useful to you, you don’t need to collect it. All it’ll do for you is create more risk.
  • Storage limitations. When you no longer need the data, delete it. With employee data, that won’t mean deleting it as soon as they leave the company. Depending on local data protection laws, you might need to keep certain records for a few years. But everything else can and should go.

Manage sensitive employee data with a data protection officer

You may also consider hiring a data protection officer (DPO). Many companies subject to the GDPR will be required to hire a DPO—specifically, all companies with more than 250 employees and any company that processes data on a large scale must hire one.

A DPO’s job is to ensure that all personal data processing at your company is done in a compliant fashion. Since that includes employee data, it may be worthwhile to hire one even if you aren’t strictly required to do so. 

Types of personal information employers can process through GDPR

Companies can process employee records and data as long as there is a legal basis and they remain compliant:

  • Personally identifiable information (PII): names, addresses, phone numbers, etc.
  • Banking information: bank account details, Social Security numbers, and related financial data.
  • Employee benefits data: pension schemes, health insurance plans, and additional employee benefits.
  • Biometric data: facial recognition data, iris scans, voiceprints, etc.
  • Employment documents: job titles, salaries, performance reviews, disciplinary records, and related details.
  • Personal health information: records of workplace injuries or accidents (not to be confused with HIPAA, the Health Insurance Portability and Accountability Act).

CPRA employee data privacy and protection

The CPRA went into effect on January 1st, 2023. Unlike its predecessor, the CCPA, the CPRA has no exemptions for employee data. Employers must protect it just as they protect consumers’ data. How to do that?

Start with a privacy notice. With it, you’ll inform your employees: 

  • What type of data you collect. 
  • How you process it. 
  • The purposes of the processing. 
  • The retention period. 
  • If you share personal information with third parties. 
  • If you’ll use the data for profiling or targeted advertising. 
  • If you’re receiving financial incentives for data processing. 

Can you use the same privacy notice for consumers and employees? Unfortunately, you’re probably looking at two separate policies and procedures. In most cases, you’ll be collecting more sensitive information from employees than from your customers. Examples include government ID and social security numbers. Your customers don’t need to read about the data you collect from your employees, and vice versa, so keep the two policies separate. 

Your employees also have the same rights regarding their data as consumers. That means they have the right to access it, correct it, and have it deleted. We go into more detail on employee DSARs below.  

Finally, don’t forget about security. If a malicious third party accesses the data in an attack that could’ve been prevented by some simple security measures and best practices, you might face some hefty fines and risk your company’s reputation.

Employee DSAR best practices

Whether you’re complying with the GDPR, the CCPA, or both, employees can file DSARs. When you receive one, you’ll have 30 days (or 45 days under the GDPR) to respond to the request. Different laws afford employees different rights, but as we mentioned above, DSARs can commonly be made for access, update, and deletion.

How to respond to employee DSARs

The HR department, DPO, legal counsel, or other privacy professionals are usually the best qualified to manage employee DSARs. They’ll either be the ones collecting and processing personal data directly or they’ll have the skills and knowledge to find out where employee data lives. 

While employees don’t need a specific reason to submit a DSAR, it’s common for employees to submit DSARs in response to some negative career event, such as a termination of contract or when disciplinary action is taken against them. The DSAR might be a way to understand why they were fired, for instance. Sometimes, disgruntled employees submit DSARs in the hopes they’ll find something they can use to take legal action against the company. 

Do you have to give your employee all the data you have on them? That depends on how they formulate the request. They might want to see everything, or something very specific that will help them understand why the company made a certain decision. Whatever the case, you will need to provide the information that falls within the scope of their request.

Excessive and unfounded requests can be rejected, such as when someone keeps sending daily DSARs even though you already responded. But in most cases, you’ll need to respond. 

Before you respond, don’t forget to verify the person’s identity and clarify the nature of the request. Otherwise, you could be handing employee personal information over to a malicious actor.  

Lastly, you’ll need to provide the data in a format that can be easily accessed and copied, also known as a portable data format. 

DSAR solutions 

Small companies may feel they can handle DSARs manually, but relying on email and spreadsheets to manage DSARs puts you at risk of missing required deadlines, increases the risk of a confidentiality error such as exposing others’ sensitive personal information, and takes time away from more strategic initiatives.

DSAR automation will save you a lot of time and money in the long run. There are a few factors you’ll need to consider when choosing your software. 

  • Does it provide a means of accepting requests and identity verification from data subjects? 
  • Does it allow you to create workflows with ease so that you can assign the DSAR to the right person or department?
  • Does it provide visibility into new, in-process, blocked, and completed requests?
  • Can it integrate into your stores of personal data?
  • Can it automate common requests like summaries and deletions? 

Fulfilling DSARs is a challenge, let alone doing so in an efficient, compliant manner. When you have to contend with requests from both consumers and employees, it can be easy to get overwhelmed if you’re not prepared. Diving into the end-to-end DSAR process is outside of the scope of this blog, however. If DSARs are something you’re concerned about—whether from employees or consumers—check out our DSARs and Beyond ebook.
