The California Consumer Privacy Act (CCPA), intended to protect the privacy of California residents, is having a ripple effect across the United States. Originally designed to give California consumers new rights, the definition of “consumer” in the Act is so broad that your workforce data may also be affected. If you're an employer who may be impacted by the CCPA, here are 5 actions you can consider before the new privacy law goes into effect on January 1, 2020.
1. Audit your HR data
Before protecting active employee, terminated employee and job applicant data, it’s important to get a full picture of the personal information your company collects. Not sure where to start? A good first step is to connect with teams across the organization to identify how your organization collects, processes, stores and deletes personal employee information. As a more advanced option, many HR teams are conducting risk assessments designed to assure the lawful and legitimate handling of personal information.
2. Reduce your data collection
Once you know the personal employee information your organization collects, it’s time to consider whether you need the data you’re collecting and storing. Under the CCPA, employers are obligated to disclose the personal information collected, shared and sold in the previous 12 months upon request (with some exceptions). This can be challenging for an employer, both in terms of the work involved in compiling records as well as the potentially sensitive nature of the data.
For example, imagine the complications that can arise when an underperforming employee requests communications related to being put on a performance improvement plan. By reducing the personal data that’s collected, you can limit both the burden of compiling data and the risk of having to provide sensitive communications to potentially litigious employees.
3. Create a process to manage employee disclosure and deletion requests
Under the CCPA, individuals can request information about the personal data that’s collected. They can also request the deletion of their personal information and opt out of the sale of their data (if applicable). For employers with a large California employee population, processing these requests can take a substantial amount of manual work. Consider where you can create efficiencies and move to automated processes to reduce the time it takes to handle information and deletion requests. For example, both U.S. and European employers complying with the General Data Protection Regulation may be able to build on existing processes for individual access requests.
4. Review and update privacy policies and notices
The CCPA requires that individuals are informed of their personal data rights through a special notice to California residents. Review HR-related personal data collection practices to see where notices may need to be updated to reflect the new requirements, and where you may need to create a separate notice for California employees. Some California employers are considering extending the rights to all their employees and job applicants. While this can make it easier to apply the law, it can also create additional risks.
5. Look out for changes to the law
The CCPA has been modified once already and there is the possibility of additional modifications to the legislation prior to 2020. One potential change is allowing “consumers” to take private rights of action for any violation of the CCPA (i.e., employees could initiate lawsuits, even when there are no damages). Given that California is known to be a litigious state, this change could substantially increase liability for employers.
It seems more than possible that there will be certain modifications before the law goes into effect (potentially even excluding employee data from the law). In any case, the Attorney General is expected to issue regulations that will provide additional guidance. Therefore, it’s a good idea to keep an eye out for updates that may impact Californian employee data.
Robin is the HR Compliance Assist Manager at PeopleDoc. She joined the team to help customers remain in compliance globally and easily navigate foreign rules and regulations through HR Compliance Assist.
Previously, Robin managed client HR communications and provided outsourced HR support. She has a Master's in Psychological Counseling from Teachers College, Columbia University.