At Red Clover, we love a good workflow. Workflows and business processes are the key to running a profitable and efficient organization.
So we’re going to bet that, as a business owner, you also rely on comprehensive business workflows—from the first moment HR sets up an interview to when your IT department troubleshoots a malfunctioning email address—designed to support the productivity and well-being of your business and employees.
Through these processes, you probably collect significant amounts of personal information from your employees: names, addresses, contact information, Social Security numbers, and more.
Is that data getting the protection it deserves?
As data collection becomes more prevalent in the workplace, data protection laws that wrap employees into their scope are becoming increasingly common. As of 2022, two major laws affect how businesses must approach employee privacy rights: the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).
Even if your business is located outside of California or Europe, though, you’re not immune to these laws. Privacy laws aren’t just about where a business is located, but also where customers and employees are—which makes today’s work-from-home life a major consideration. If you don’t comply with these data protection laws, your business could face serious consequences. And if the current trend continues, there will likely be even more privacy regulations coming our way.
The best way to maintain compliance with these laws is to create policies that protect the privacy of your employees and to be transparent about those policies. Plus, you don’t want to be held liable for the mishandling of sensitive data in the event of a data breach.
Not sure where to start? Follow the steps below.
1. Create processes that reflect employee privacy rights
We hope you take lots of useful information away from this article, but if you take only one, make it this: your employees have individual privacy rights under CCPA and GDPR, just like your customers do. These privacy rights include:
|Right to notice
|Right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom
|Right to request access to information
|Right to delete personal information collected from the consumer
|Right to get data in an easily accessible format
|Right to opt-out of the sale of personal information (if applicable)
|Right to deletion
|Right to opt-in to the sale of personal information of consumers under the age of 16 (if applicable)
|Right to opt out
|Right to non-discriminatory treatment for exercising any rights
|Right to equal service and price
|Right to initiate a private cause of action for data breaches
|Right to be informed
|Right to correct inaccurate personal information
|Right to access
|Right to limit use and disclosure of sensitive personal information.
|Right to rectification
|Right to erasure
|Right to restrict processing
|Right to data portability
|Right to object
|Right to not be subject to automated decision-making
Keep in mind that the California Privacy Rights Act (CPRA) builds on the rights that CCPA establishes by creating two additional rights:
- The right to correct inaccurate personal information
- The right to limit use and disclosure of sensitive personal information.
Know what employees’ personal information you’re collecting and how
What kind of employee data gets collected in your data ecosystem? There are many different scenarios, from the obvious (think recruiting, payroll, benefits, etc.) to the less obvious (HR complaints, employee engagement metrics, time-tracking, etc.). Where does this data live? How long does it stay there? Who has access to it, and why?
Over time, this information can become unwieldy to track. That’s why we highly recommend running a data inventory that includes employee information, to give you a big-picture view of what information you have and how it’s managed.
Understand how you’re handling employees’ personal information
Once your team has determined how employee information comes into your systems, you will need to determine ways to make these processes compliant with privacy best practices.
Typically, that should involve:
- Minimizing data collection
- Identifying clear uses for the data
- Limiting access based on what type of information is being stored
- Implementing sufficient security measures (see below)
- Ensuring you’ve obtained proper consent to collect the information
Allow employees to exercise their personal rights
This means your business needs a repeatable process to allow authorized individuals to:
- Make access requests
- Receive copies of private data
- Request that data be deleted or corrected
- Know how data is being used
If and when your employees want access to this information, you will need a process for receiving and storing those requests. Whether you use manual processes, spreadsheets, or automated software, you will need to implement systems and processes that align with your operational needs.
For example, does your HR department field a lot of employee complaints? You would need to consider the volume and type of these complaints and ensure that you have practices in place that support your HR department’s collection, use, and management of personal information—and employee access to it.
Before implementing any processes, though, your team needs to compare them to the existing state, sectoral, and international privacy regulations. At a minimum, your processes should meet those regulations. Though, for the sake of protecting your business from potential lawsuits or legal action—and to sustain the trust of your employees—it’s better to exceed current regulations.
2. Make your processes clear to employees
No matter how big or small your organization is, you need to ensure all your privacy practices are clear to your employees:
- How your employees can make access requests
- Who receives and honors those requests
- How you will process the requests in a timely manner
These policies all need to be documented and shared with anyone who is impacted by them. This can be stated in an employee manual, covered in ongoing professional development training, and implemented as a core organizational concept through the advocacy of a privacy champion.
Whether they’re employees who make access requests or employees who process those requests, keep in mind that it is a cross-functional effort between your HR, privacy, legal, and IT departments.
3. Get the right team members involved
Data privacy isn’t the purview of a single individual or department, though. It’s a challenge that requires the attention of team members from multiple departments throughout your business—not to mention outside experts.
When you’re building a data privacy team, include personnel from:
- Your in-house legal department
- Human resources
- Outside privacy specialists
Any effective data privacy plan will require input from individuals in all these fields. If they are included in your team from the beginning, your plan will be more efficient and more likely to protect the data of your employees.
4. Consider threats to data
Unfortunately, no matter how good your privacy processes are, there is always a chance that the data of your employees could get accessed by a bad actor—and even if it’s a third party, you will still be held responsible.
You can reduce your chances of cyber attacks and data breaches by following best practices and taking all reasonable steps to ensure that your business isn’t sharing the information with parties that shouldn’t have access. While protecting your employees’ personal identifiable information should be your top priority, you also want to protect yourself from potential lawsuits.
This is where your compliance efforts will matter most. The more records you have showing that your business made every reasonable effort to protect data and follow applicable regulations, the more likely you are to come out ahead in court.
One of the biggest concerns about data privacy is how third parties use that data. Based on current privacy regulations, your business could be held liable for how third parties use the data that you provide them.
To protect your business, your team should determine which third parties you are sharing data with and whether you need to alter your agreements with those parties to ensure that data is protected and managed in compliance with privacy regulations.
Be aware that many businesses trade or sell customer data to other businesses, often for marketing purposes. Some regulations strictly limit how this can be done. If your business engages in these deals with employee data, you should allow the owners of the information in question to opt out easily. Consider creating an opt-in contract to protect your business, as well.
Bonus step: contact Red Clover Advisors
The lesson is simple: compliance with privacy regulations means going above and beyond.
If you have any questions or concerns about your company’s data security and privacy needs, rest assured that you don’t have to figure it all out on your own. The experts at Red Clover Advisors are here to help businesses of all sizes in industries ranging from technology and digital media to e-commerce and professional services. You can check out our 2022 Privacy Compliance Checklist here.
Contact us to get started on your employee privacy plan today.