Bob Kelso / FPS Lead Privacy Expert and Consultant
For years, HR dodged the data privacy bullet. However, with the passage of new state consumer data privacy laws, the debate over whether employment data should be treated the same as consumer (customer) data has been more than rekindled: it is now the law. For at least 15% of Americans (specifically, Californians), HR data privacy laws are in force and driving change into the core of HR operations. Companies with ANY employees in California have new privacy laws to comply with.
Privacy compliance is complex
There are seven new “Employee Privacy Rights” that employers must plan for and respond to:
- Right to Clear Notice of the Point of Data Collection
- Right to Access (know what’s been collected and how it’s used)
- Right to Request Correction
- Right to Request Deletion
- Right to Restrict the Use of Sensitive Data
- Right to Opt-out of the Sharing of the Data
- Right to Retain Only the Personal Data Consented
Understanding and locating your data is itself a challenge.
It may seem relatively easy to locate the personal data captured about employees and applicants, but real-world practice shows that it is stored in as many as 75-125 unique locations and used for more than 20 unique purposes. Establishing a complete inventory of employment data presents six unique challenges:
- The pure breadth of owners and uses of employment data
- The number of data locations (where it is stored)
- The type (structure) of the data and ability to find it
- The sharing of data with externals and third-party vendors
- The non-transactional nature of employment data and its related retention
- The trend targeting HR in legal actions for plaintiff discovery
Exactly who is covered by these laws?
Data privacy regulations differ by state, but the California Consumer Privacy Act (CCPA) and the updated California Privacy Rights Act (CPRA) now clearly require the inclusion of personal data collected about all job applicants, current employees, former employees, and beneficiaries.
Although the road to compliance seems daunting, there are some basic steps you and your company can implement now to protect data privacy. So, where to start?
A plan of attack!
There are seven operational steps to begin your privacy program:
- Understand fully the legal obligations for all persons and systems impacted
- Establish a Privacy Governance Team (even if only for the HR data)
- Create your privacy policies and notices
- Develop a robust and accurate data inventory
- Manage third party data sharing
- Build-out data consent and rights response processes
- Conduct staff training
Once through these steps, there are two additional legal requirements:
- Establish and enforce data retention and deletion policies and
- Conduct an annual security assessment for all employment data systems.
This is where fpSOLUTIONS can help.
fpSOLUTIONS offers a fixed-price “Employment JumpStart” service package to deliver all the key pieces needed to ensure your data is identified and your program is compliant, by delivering:
- Specific privacy training
- Privacy leadership engagement
- Creation of your data asset inventory
- Functional alignment on critical tasks
- Compliance Risk Roadmap
- Uses and disclosures needed for compliance.
Importantly, this package is available either with or without attorney engagement (attorney engagement includes an attorney’s oversight, which provides attorney-client privilege protection). For more information on this package, or simply to gain greater clarity on data privacy protection issues, click this link and we’ll connect you to our privacy consultants.