Medha Bhatt, Product Manager at CYTRIO
With the passing of the California Privacy Rights Act (CPRA), compliance and governance around Human Resources (HR) and employee data will be enforced as of January 1, 2023. Essentially, organizations need to treat HR data with the same level of care and security controls as they do consumers’ personal information.
If your organization falls within the scope of the CPRA, you need to start preparing for these expanded obligations immediately.
Here is what you need to know about the inclusion of employee data within CPRA.
Current scenario with CCPA
Currently, the California Consumer Privacy Act (CCPA) provides employers with limited exemptions with respect to employment-related personal information, when that personal information is collected and solely used in connection with the individual’s role as an employee or job applicant, dependent, beneficiary, independent contractor or owner.
Specifically, CCPA does not extend certain consumer rights, including the right to access or the right to delete personal information, to employees.
New employee rights and HR data under CPRA
With the exemption no longer in place, CPRA will require organizations to:
- Honor employee requests with regards to the right to know, right to deletion and right to correction, along with the right to opt out of the sale or disclosure of this data for advertising purposes. These rights extend to data collected through employee monitoring software.
- Answer employee questions about where, when, and why their company is using their personally identifiable data.
Apart from personal information, within the context of employees and the workplace, the following information will also fall under CPRA:
- Employment contracts
- Performance reviews
- Salary, benefits, and tax information
- Biometric data
- Identification badges
- Surveillance footage from employee monitoring software
- Data used for workforce management (e.g., talent management system)
Employer checklist for CPRA
Employers hold a lot of data about their employees and job applicants, which could make Data Subject Access Request (DSAR) compliance cumbersome. Now that the exemption of employee data in California DSARs is officially expiring as part of CPRA in January 2023, companies need to prepare in advance. Below are the key considerations:
- Map your data – Ensure you understand what employee data your company collects, how it flows organizationally, where and how it’s stored, and whether third parties are processing the data.
- Update your Data Processing Agreements (DPA) – Ensure agreements with third parties that access employee data meet the obligations for service provider agreements under CPRA.
- Review your data classification and cybersecurity policies – Under CPRA, HR data is often considered sensitive and therefore requires greater protection. Make sure you align your data classification and security policies to the definitions outlined in CPRA.
- Be prepared for DSARs from employees – Ensure you extend your data subject right procedures to include employee data.
- Update notices and privacy disclosures – Privacy disclosures should be updated to include the new right for employees to have businesses correct their personal information, outline how sensitive personal information is processed, review retention criteria, and note whether personal information is sold or shared.
CYTRIO helps with CPRA Employee Rights
CYTRIO’s data privacy management solution helps organizations easily and cost-effectively comply with the specific requirements of CPRA.
Use CYTRIO’s solution to:
- Automatically discover a requestor’s personal information spread across your data sources, in the cloud or on-premises.
- Map all your data flows and business processes, and manage agreements with service providers.
- Track, manage, and fulfill employee privacy right requests using a DSAR automation solution.