Employee data is everywhere. There are resumes in inboxes, links to social media accounts, information housed in databases, SaaS, laptops. The list goes on.
Beginning Jan. 1, 2023, when the California Privacy Rights Act (CPRA) becomes operative and the CCPA's temporary exemption for employee and job-applicant data expires, all California residents, including employees, job applicants, contractors and retirees, will have the right to control their personal data.
For-profit companies that meet CPRA's applicability thresholds (for example, more than $25 million in annual gross revenue) and employ California residents must properly manage all employee information, connecting the data dots between the systems, people, processes and policies that use and store that information.
Failure to connect those dots and manage employee data can lead to stiff penalties once CPRA goes into effect next year: administrative fines of up to $2,500 per violation, or $7,500 per intentional violation, enforced by the new California Privacy Protection Agency and the Attorney General.
CPRA amends and expands the California Consumer Privacy Act (CCPA). In addition to giving people control of their data, CPRA defines a new category of Sensitive Personal Information (SPI), which covers data such as racial or ethnic origin, religious beliefs, union membership, health information, and government identifiers like Social Security numbers. Several of those categories are exactly the data gathered by ongoing Diversity, Equity & Inclusion (DEI) programs and COVID-19 return-to-office processes, so those programs need to be reviewed against the new SPI rules.
These requirements build on CCPA and take it a step further. What was once implicit now becomes explicit with CPRA. Once CPRA goes into effect, HR will need to provide extensive privacy notices to employees, respond to data subject access requests, limit HR data uses, and gather and disclose contractual commitments from third-party recipients of employee data.
These data protection laws are already having an impact on global organizations. H&M Germany was fined EUR 35.3 million (about $41.3 million) under the EU's General Data Protection Regulation (GDPR), notably for excessive collection of employees' private-life data. Google was fined EUR 50 million (about $57 million) by France's data protection watchdog, CNIL, and Marriott faced a proposed GBP 99 million (about $124 million) fine in the United Kingdom, later reduced to GBP 18.4 million.
Additionally, the Great Resignation shows no signs of slowing, so employees are looking to leadership for reasons their organization is the right place to invest their commitment. One way to preserve employee-employer trust is to protect personal data. As this Washington Post article demonstrates, employees become distrustful when their data isn't protected.
Implementing a CPRA compliance process not only preserves company reputation and prevents fines from cutting into profits; it also preserves trust among employees, who can be confident their personal data is being properly managed and protected within the company.
What, exactly, constitutes personal information?
A common working definition, closely following the GDPR's, is:
“Any information relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier (such as IP address or device ID), or to one or more factors specific to the physical, physiological, genetic, mental, economic or social identity of that natural person.”
CCPA/CPRA's own definition is broader still: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. In practice, names, employee IDs, email addresses, IP addresses and device IDs all qualify.
Under CCPA, companies were required to comply with customer requests about their data. CPRA extends those obligations to employee data. That creates a problem privacy programs can't simply solve through consent: consent from an employee is generally not treated as freely given because of the power imbalance in the employment relationship, and CPRA's obligations apply regardless of consent. CPRA still allows monitoring of employee computer activity, but under the new law employees have additional rights regarding the data the company collects, uses, stores and protects.
With that in mind, each piece of information requires a business justification. CPRA's data minimization principle means collection, use and retention must be reasonably necessary and proportionate to the disclosed purpose; organizations should collect only what is needed and delete the rest once it is no longer needed.
Employee rights under CPRA include the right to know what personal information is being collected, the right to delete it, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of personal information, and the right to limit the use of Sensitive Personal Information.
To receive, verify, route and fulfill these requests within the statutory deadline (45 days, extendable once by a further 45 days when reasonably necessary), business processes need to be implemented.
To ensure compliance with employee data rights under CPRA, the first step is to discover and classify employee data and map where it lives and flows; then examine and implement data controls and employee request workflows. HR data stewards must remain in sync with existing privacy requirements and upcoming regulations, using a framework that establishes:
1 \ Common Privacy Control Objectives
Partnering with Legal, Compliance and Information Security, create a common set of controls which cover the requirements of all relevant privacy regulations, with a mapping between the controls and applicable regulatory requirements.
2 \ Privacy Risk Management
· By understanding both the formal and real-world (undocumented) business processes and behaviors that use employee data, organizations will understand how their people, systems, applications, products, and services introduce risks to employee data, and can begin to design solutions to manage such risks.
· Nearly every business process touches some piece of employee data; for example, every email carries names in its headers. To identify the business processes that require evaluation, adopt a risk-based approach that prioritizes processes involving sensitive employee data, large quantities of data, or data sent to third parties such as SaaS vendors, among other sources of elevated risk.
3 \ Data Protection Measures
During data discovery activities, data stewards can seek out risks, identify unprotected employee data, and trigger the appropriate data protection measures that align with CPRA requirements.
4 \ Data Usage
Track the data through your systems and processes: Understand where the data comes from, identify what it is being used for and determine where it goes. Understanding those three components lets you identify which policies apply to the data and how those policies impact your business processes.
Data management and governance
To comply with privacy regulations, improvements need to be made to the way an organization manages data.
If an organization already has a data governance program, this is a great place to start. If not, it is helpful to create an initial data governance privacy use case that addresses regulatory imperatives before launching a broader program.
If there is a data steward, or a similar position within an organization, include them in the project plan. Stewards, who are experts in how data is collected, stored, and used, can accelerate the data privacy use case by implementing privacy controls in the systems they oversee.
Additionally, it is critical to identify and classify Personal Information (PI) and Sensitive Personal Information (SPI), while understanding how this data moves through your systems.
Recognize that one piece of data may be used in multiple systems, often under different names. For example, the SSN is often used as a unique identifier, but the column may be called Social, Tax ID, or just User ID, and the value may be stored with or without dashes. Discovery therefore has to look at the values and their flows, not only at field names: identify every location and alias of this sensitive data in order to protect it and to fulfill employee requests under CPRA.
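The following is an added example, not code from the original article or from Unify, showing one way to do the value-based discovery described above and the "where does it go" tracking from the Data Usage step: it scans rows exported from several hypothetical systems, flags any column whose values look like plausible Social Security numbers regardless of what the column is called, and traces each SSN to every (system, column) pair in which it appears. The system names, column names and SSN values are all constructed for the example; the plausibility rules are the SSA's structural rules (no 000, 666 or 900-999 area, no 00 group, no 0000 serial), which cut down on false positives from other nine-digit numbers.

```python
import re
from collections import defaultdict

# Constructed sample export from three hypothetical systems. The same two
# SSNs appear under three different column names and in three formats.
# None of these values belong to a real person.
SYSTEMS = {
    "hris": [
        {"emp_id": "E100", "name": "A. Lee", "social": "219-09-9999", "phone": "415-555-0100"},
        {"emp_id": "E101", "name": "B. Cruz", "social": "342-11-0420", "phone": "415-555-0101"},
    ],
    "payroll": [
        {"worker": "E100", "tax_id": "219099999", "net_pay": "4321.00"},
        {"worker": "E101", "tax_id": "342110420", "net_pay": "3988.50"},
    ],
    "helpdesk": [
        {"ticket": "T-1", "user_id": "219 09 9999", "notes": "reset MFA"},
        {"ticket": "T-2", "user_id": "bcruz", "notes": "caller verified with SSN 342-11-0420"},
        {"ticket": "T-3", "user_id": "000-12-3456", "notes": "test account, badge 999123456"},
    ],
}

# Three groups of digits with optional dash/space separators, not embedded in a
# longer digit run (so a 10-digit phone number does not partially match).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Column-name hints used only as a secondary signal; the scan is value-driven.
NAME_HINTS = ("ssn", "social", "tax", "tin", "national_id")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    nor is group 00 or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text) -> list:
    """Return normalized (digits-only) plausible SSNs found in a cell value."""
    return ["".join(m.groups()) for m in SSN_RE.finditer(str(text))
            if is_plausible_ssn(*m.groups())]


def classify_columns(systems: dict) -> dict:
    """Build {system: {column: {"hits", "rows", "name_hint"}}} for every column
    that holds at least one plausible SSN, whatever the column is called."""
    catalog = defaultdict(dict)
    for system, rows in systems.items():
        hits, totals = defaultdict(int), defaultdict(int)
        for row in rows:
            for col, val in row.items():
                totals[col] += 1
                if find_ssns(val):
                    hits[col] += 1
        for col, n in hits.items():
            catalog[system][col] = {
                "hits": n,
                "rows": totals[col],
                "name_hint": any(h in col.lower() for h in NAME_HINTS),
            }
    return dict(catalog)


def trace_values(systems: dict) -> dict:
    """Map each normalized SSN to the sorted (system, column) pairs it lives in,
    which is the per-value view a deletion or access request needs."""
    where = defaultdict(set)
    for system, rows in systems.items():
        for row in rows:
            for col, val in row.items():
                for ssn in find_ssns(val):
                    where[ssn].add((system, col))
    return {ssn: sorted(locs) for ssn, locs in where.items()}


if __name__ == "__main__":
    for system, cols in classify_columns(SYSTEMS).items():
        for col, info in cols.items():
            flag = "" if info["name_hint"] else "  <- no name hint; found by value only"
            print(f"{system}.{col}: {info['hits']}/{info['rows']} rows{flag}")
    for ssn, locs in trace_values(SYSTEMS).items():
        print(f"{ssn[:3]}-**-****: {locs}")
```

Running it reports `hris.social`, `payroll.tax_id`, and, by value only, `helpdesk.user_id` and the free-text `helpdesk.notes`; the `000-12-3456` test account and the nine-digit badge number are rejected by the structural rules, and the phone column is never flagged. In a real program the per-value trace is what lets a single deletion request be fulfilled across every system and alias at once.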
Start preparing now
Starting Jan. 1, 2023, businesses must deftly manage all employee information, connecting the dots between data and the systems, people, processes and policies that use it, to comply with CPRA. Addressing these new requirements now not only helps an organization avoid costly fines later, but also builds trust among employees.
To ensure compliance with CPRA, start (or upgrade) your employee privacy program now.
Unify can assist with each portion of the process. Here are some functional steps to take:
1 \ Build a cross-functional team that includes data stewards, compliance analysts and developers.
2 \ Specify company policies.
3 \ Assess existing resources.
4 \ Discover, catalog and classify personal data.
5 \ Outline specific CPRA compliance requirements – policy mapped to data.
6 \ Define and implement solutions.
To learn more about how our Security, Privacy and Compliance practice can help you prepare for CPRA, safeguard your systems, reputation and preserve customer trust, contact us today.