Updated: July 18, 2023
Published: March 16, 2023
To date, 71% of the world’s countries feature some form of privacy legislation. More and more businesses are subject to data privacy regulations, and more and more businesses are working hard to ensure they’re respecting their customers’ data privacy rights. But these organizations may not realize they have a responsibility to respect the rights of another group: their employees.
Data Protection and Data Privacy Legislation Worldwide (Source: United Nations Conference on Trade and Development)
It can seem like employees ought to be exempt from data privacy regulations—after all, they’ve entered into a contract with your business. But the General Data Protection Regulation (GDPR), California Privacy Rights Act (CPRA), and other privacy laws have made it clear that employees also have privacy rights. If anything, it’s even more important to respect employees’ privacy because of the sensitive nature of the data businesses collect from them. All human resources data collected by an employer, regardless of its purpose, is now subject to the same requirements of the law as consumer data.
The law gives consumers—and employees—control of their personal information and provides an avenue for them to exercise that control via a data subject access request (DSAR). Employees and consumers can request to access data, update it, delete it, restrict its use, and more.
Because of these rights, it is a best practice to draft a privacy policy specific to your employees in addition to your organization’s consumer privacy policy. Creating an employee privacy policy will help your company stay compliant with the law, provide required disclosures, and outline the DSAR process.
The California Consumer Privacy Act (CCPA) created consumer rights surrounding data privacy similar to those established by the EU’s GDPR. But while the CCPA broadly matched the GDPR’s requirements, it departed from the GDPR by excluding data collected and used for employment-related actions for job applicants, along with current and past employees of a company.
January 1, 2023 ushered in an amendment to the CCPA with the CPRA, and because employer exemptions weren’t extended, human resource data collected by an employer is now subject to the same requirements of the law as consumer data.
The CPRA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with or linked with a particular consumer or household. Additionally, the CPRA includes a second category of sensitive personal information, which has tighter requirements and harsher penalties for violations.
The CPRA also includes professional or employment-related information within the definition of personal information. What’s more, much of the personal information you collect in relation to an employee will be sensitive in nature, such as their social security number or other identification numbers, financial information, and more.
Since employee data is covered by the CPRA, employers need to treat it the same way they treat consumer data. That includes disclosing all of the requisite information around collection, use, data subject rights, and so on. The most convenient way to meet the bulk of those disclosure requirements is through a dedicated employee privacy policy.
The CPRA only applies to businesses that operate within California and meet certain threshold requirements. To date, it’s the only U.S. privacy law that allows for employee DSARs, but given the influence of California and the size of its market, it’s best for businesses to strive for compliance with employee data requirements regardless. That’s doubly true if you ever want to serve the Canadian or European markets, since PIPEDA and the GDPR also allow for employee DSARs.
If you search “employee privacy policy examples” online, you’ll find a myriad of companies that already have policies in place, from Nike to GitLab, Twilio, and many others.
Similar to a consumer privacy policy, an employee privacy policy is a document that outlines the rights of employees related to their personal information. It specifies what and how information is collected as well as how it is used and disclosed.
It’s important to note that an employee privacy policy applies to prospective, current, and former employees. The policy should include:
Responding to employee DSARs can quickly become a challenging, burdensome, and costly task. In part, this is because employee data is often spread across multiple data stores. An individual employee can also create a massive amount of data over the course of their tenure. And, as we’ve alluded to, this data is often highly sensitive in nature.
One survey of companies with more than 250 employees found that it takes an average of 83 hours to complete a DSAR and half weren’t finished within the mandatory time limit. That’s for consumer DSARs, too, which aren’t as complex as employee DSARs.
New laws going into effect, updated regulations, and a greater understanding of employee rights all are making DSARs more common, and knowing how to respond and what to include could feel like a moving target. Creating an employee privacy policy is one part of an overall approach to employee privacy matters.
Once your policy is in place, the real challenge lies in operationalizing it. DSAR solutions, such as Osano Subject Rights Management, can keep your company compliant. Osano’s software manages the DSAR workflow, automatically searches data stores for employee data, and automates tedious DSAR actions like data summaries and deletion.
If employee DSARs and privacy rights are a concern at your organization, check out our DSARs 101: Getting started webinar or schedule a demo of Osano today.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.