Employee Data Rights With GDPR and CCPA: Data Privacy Day Special

Last Updated: December 16, 2021

Following on the heels of GDPR and CCPA, 11 other U.S. states will pass legislation on consumer and employee data rights. What does this mean for companies? In this Data Privacy Day (January 28, 2020) special, we discuss the evolution of data privacy laws in the last two years and five tips to streamline employee data privacy management.

In the last half-decade, conversations around data privacy and employee data rights have taken on new dimensions. The laws around this issue are also continually evolving, making it hard for companies to keep up.

Consider this ongoing case in the U.K. Supreme Court, between various claimants and WM Morrison Supermarkets plc. An employee gained access to the personal data of nearly 100,000 co-workers (including bank details) and published it online. The Court of Appeal held that it is the company, and not the individual employee, that is liable for this breach of employee data rights. The Supreme Court is scheduled to deliver its verdict in the first half of 2020, setting a new precedent for data rights and protection.

With Data Privacy Day just around the corner, it is the perfect time to revisit how you manage employee data and strengthen security measures. We spoke to Kumar Patel, founder and CEO at Omnidya, an AI-based consumer bot platform, to explore this in detail.


Why Data Privacy Day Should Be on Your Radar

January 28 is Data Privacy Day (known as Data Protection Day in Europe). It is an official occasion recognized by the United States Senate, and HR must recognize this day as well, especially in the current climate of data privacy concerns.

The General Data Protection Regulation (GDPR) came into effect in May 2018, impacting businesses working with EU citizens. Under this law, users (both consumers and employees) must give explicit consent before a company can use their data. Users also have the right to ask for their collected data to be deleted if they so choose.

Following on the heels of the GDPR, American states have also started to roll out bills on consumer and employee data rights. The California Consumer Privacy Act (CCPA) was passed in June 2018 and went into effect on January 1, 2020.

Its provisions resemble the GDPR, including the “Right to Access” and the “Right to Deletion.” While the CCPA was designed to protect consumer data, there are specific provisions that employers need to remember. For instance, the exemption from compliance for data used for employment-related purposes is valid only until December 31, 2020. From 2021, the CCPA will apply in full to employee data as well.

Apart from California, 11 other U.S. states, including Maryland, New Jersey, and Washington, have introduced similar legislation in the last two years.

“High-caliber data security practices are a necessary element of effective HR management in this increasingly digital age,” said Patel in an exclusive with HR Technologist. Simply put, 2020 is an essential year for HR functions looking to bring employee data rights to the forefront. This is why occasions like Data Privacy Day should be on your radar.

Interestingly, proactive compliance in data management also influences your bottom line. A study of 2,900+ respondents by Cisco found that GDPR-ready companies are 15 percentage points less likely to suffer a data breach (and its associated costs) than companies that are farthest from GDPR readiness. They also experience shorter sales delays.

Let’s now consider how you could reimagine employee data rights management this year.


How to Uphold Employee Data Rights in a Digital Workplace

In a tech-empowered work environment, you have data pouring in from multiple touchpoints. It can be challenging to track how the data is sourced, analyzed, and utilized. Here are five tips to streamline the process, with an eye on employee data privacy.

1. Outline a governance framework for sensitive data identification

Employees’ personally identifiable information (PII) is the data most vulnerable to breaches. This includes details such as home addresses, social security numbers, bank details, and payroll information.

“HR plays a crucial role in protecting the most sensitive personally identifiable information (PII) of employees, which can be lethal if breached by hackers or leaked to the wrong internal parties,” Patel agreed.

HR needs to know exactly which fields of PII are housed within your enterprise and where they are stored. Is employee PII stored on in-house servers? Are databases uploaded to multiple cloud platforms? Can the data be accessed via web or mobile? The governance framework should answer all of these questions, and as HR, you should be aware of all these points to ensure that employee data is safeguarded.

2. Offer L&D courses on data security ownership

Employees must be aware of their data rights and how to protect them. To help them learn, you could bring in an external cybersecurity professional to conduct sessions on data privacy best practices. This could be as simple as how to avoid non-secure websites when browsing at a workstation.

“Organizations such as the International Association of Privacy Professions (IAPP) regularly post updates surrounding data protection and privacy, and provide free access to educational courses and webinars that will keep your data protection officer (DPO) fully informed of the dynamic data protection landscape,” suggests Patel.

Courses on password best practices, secure internal communication, and data privacy laws can go a long way in giving employees ownership of their data. You could take a look at this 30-minute course on data privacy by Thomson Reuters, intended to bring employees up to speed on this critical issue.

3. Select your HR technology platforms carefully

Your HR tech stack must comply with the data security laws in your region. Check for compliance with GDPR, (potentially) CCPA, HIPAA, and other laws regulating data privacy both in your region and in your industry. HIPAA, or the Health Insurance Portability and Accountability Act of 1996, governs the handling of medical data. Therefore, your health insurance and medical benefits technology must be HIPAA compliant.

The HR platforms you choose must have:

  • Privacy by default: The default platform configuration is the one that collects the least possible amount of employee data
  • Privacy by design: Employees are given the option to further configure how the data is used

Make employee data privacy a key parameter in your Service Level Agreements (SLAs) with HR technology providers right at the time of implementation. This will ensure clear accountability while also letting you monitor adherence to the laws applicable to your data.

4. Hire for the role of Data Protection Officer (DPO)

Larger enterprises with a globally distributed workforce need a dedicated DPO to manage processes that directly affect the data rights of employees. The DPO works in conjunction with the CIO and the CHRO to ensure that data privacy is maintained without holding back technology or people outcomes.

Patel tells us, “This is a GDPR requirement if you handle any data belonging to EU citizens and residents but is a best practice for any company regardless of location. I personally believe the ideal DPO has a legal background with a specialty in data protection and privacy.”

You could also strengthen your privacy maintenance capabilities with a specialized Center of Excellence for Data Protection. This involves collaboration with key enterprise stakeholders across compliance, technology, finance, and of course, HR.

5. Ensure you have a single source of truth

A fragmented, difficult-to-monitor data landscape is the first thing to avoid for companies looking to uphold employee data rights.

With data scattered across multiple platforms, there is always a risk of wrongful access or incorrect utilization. Instead, HR needs a single, reliable source of information with role-based visibility. “In addition to solid infrastructure security, a strict data-handling process that emphasizes role-based data access is essential,” says Patel. This means, for example, that an employee’s data should not be accessible to their colleagues unless one of those colleagues directly manages them.

There are two best practices to remember here. First, any new software that you add to your HR tech stack must be connected with a centralized data governance dashboard. Second, legacy companies with multiple (and often innumerable) employee data sources should bring in a third-party expert for a refresh/overhaul.
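As an added illustration of the role-based access rule in tips 3 and 5 (not code from the article or from Omnidya), the check below grants each requester only the PII fields their relationship or role justifies and records every denied field for review. The directory, roles, field names, and reporting lines are constructed sample data.

```python
"""Role-based visibility into employee PII records (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALL_FIELDS = {"name", "address", "email", "bank_details", "payroll"}
# A direct manager sees contact details only, never financial data.
MANAGER_FIELDS = {"name", "address", "email"}
# Each HR role is limited to the fields its job actually needs (hypothetical roles).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "hr_generalist": {"name", "address", "email"},
    "payroll": {"name", "bank_details", "payroll"},
}

@dataclass
class Employee:
    emp_id: str
    manager_id: Optional[str]
    roles: Set[str] = field(default_factory=set)

# Constructed directory: alice manages bob, carol and dan; carol is an HR
# generalist and dan works in payroll. bob has no HR role.
DIRECTORY: Dict[str, Employee] = {
    "alice": Employee("alice", None),
    "bob": Employee("bob", "alice"),
    "carol": Employee("carol", "alice", {"hr_generalist"}),
    "dan": Employee("dan", "alice", {"payroll"}),
}

def allowed_fields(requester_id: str, subject_id: str,
                   directory: Dict[str, Employee] = DIRECTORY) -> Set[str]:
    """Fields requester may read about subject: self, direct manager, or HR role."""
    requester, subject = directory[requester_id], directory[subject_id]
    if requester_id == subject_id:
        return set(ALL_FIELDS)                      # everyone sees their own record
    fields: Set[str] = set()
    if subject.manager_id == requester_id:
        fields |= MANAGER_FIELDS                    # direct manager only, not peers
    for role in requester.roles:
        fields |= ROLE_FIELDS.get(role, set())      # least privilege per HR role
    return fields

def read_record(requester_id: str, subject_id: str, requested: List[str],
                audit: Optional[List[Tuple[str, str, List[str]]]] = None,
                directory: Dict[str, Employee] = DIRECTORY) -> List[str]:
    """Return only the permitted fields; log denied ones so HR can review misuse."""
    permitted = allowed_fields(requester_id, subject_id, directory)
    denied = set(requested) - permitted
    if denied and audit is not None:
        audit.append((requester_id, subject_id, sorted(denied)))
    return sorted(set(requested) & permitted)
```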


Investing in Employee Data Rights Protection: The Way Forward

Occasions like Data Privacy Day shine a light on a key employee concern: how their organization will use their data. This concern is only going to get more complex with time. As an ethical, responsible, and compliance-focused employer, invest in cutting-edge technology to address it. We recommend investing in solutions such as mobile device management (MDM), identity and access management (IAM), and compliance management software in 2020.

MDM is essential for companies with a large remote workforce or a frequently used Bring Your Own Device (BYOD) policy. This type of software streamlines administration and compliance for portable devices. IAM, on the other hand, has a much broader scope and is critical for any company. One of its functionalities is the role-based access to data that Patel mentions. Finally, there are several useful compliance management tools out there; make sure to choose the best compliance software solution for your business.

In a dynamic and tech-empowered work climate where people bring in unregulated devices via BYOD and new data flows in every day, these solutions can protect employee data rights and mitigate your company’s risk exposure. 2020 demands that we place top priority on data management, and Data Privacy Day is an excellent reminder for organizations and HR to begin.

Are you looking to strengthen employee data rights protection measures this year? Tell us on Facebook, LinkedIn, or Twitter. We’d love to know more about your strategy!

Chiradeep BasuMallick
Chiradeep is a content marketing professional, a startup incubator, and a tech journalism specialist. He has over 11 years of experience in mainline advertising, marketing communications, corporate communications, and content marketing. He has worked with a number of global majors and Indian MNCs, and currently manages his content marketing startup based out of Kolkata, India. He writes extensively on areas such as IT, BFSI, healthcare, manufacturing, hospitality, and financial analysis & stock markets. He studied literature, has a degree in public relations and is an independent contributor for several leading publications.