Published on June 15, 2021 AUTHOR - PRIVACY RESEARCH TEAM
When we think about privacy regulations, our first thought centers on the protection of consumer data. What most organizations should also keep in mind is that these data privacy laws pertain to protecting their employees' data as well.
According to employment attorneys Jessica Gross and Justine Philips, there are three points that an organization's HR department needs to keep in mind with regard to staying compliant with the CCPA:
The HR department carries a large share of the responsibility for keeping the organization compliant with data privacy regulations. Failing to meet these points can put the organization out of compliance, which means penalties, both statutory damages and fines, along with reputational damage.
Employees and prospective employees are concerned about how their personal information is collected and stored by their employers, and employees will not hesitate to go to court to enforce their rights. Employers should therefore implement every obligation on employment data imposed by data privacy regulations such as the CCPA.
This article will talk about the importance of employee data under the CCPA and steps that can be taken to comply with this regulation.
While employment data was excluded from many of the CCPA's legal obligations by a time-limited exemption enacted by the California Legislature through Assembly Bill No. 25, some obligations on employee data under the CCPA are enforceable right now, and businesses have to follow them to avoid violations and potential penalties.
Under Section 1798.145(h)(3) of the CCPA, since Jan. 1, 2020, employers must provide employees a notice at or before the point at which personal information is collected.
Under Section 1798.100(b), read together with CCPA Regulation § 999.305(f), this notice to employees needs to include the following information:
It is important to note that the notice should be:
A business may not collect categories of personal information beyond those disclosed in the notice at collection. If it intends to collect additional categories, it must provide a new notice when collecting the new information.
Furthermore, Section 1798.150, which also applies to employee data, requires businesses to implement and maintain reasonable security measures to protect their employees' data. If nonencrypted and nonredacted employee personal information is breached as a result of the employer's failure to take reasonable security measures, the affected employees may bring a civil action. Under Section 1798.150, an aggrieved individual can recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Note that the private right of action is limited to data that was neither encrypted nor redacted, so encrypting employee records at rest and minimizing what is retained directly reduces this exposure. Employers must therefore protect employee data with the same care they apply to consumer data to avoid penalties under the CCPA.
To build a strong HR strategy, the team must first interpret the applicable state law and then ensure compliance with it.
Data privacy laws such as the CCPA are constantly evolving (take, for example, the CPRA amendment), so it is important for the HR department to stay on top of regulatory amendments. Setting up automated alerts for new and changing cybersecurity and data privacy laws is advisable.
Privacy requirements can differ by industry, location, and the types of data being processed. It is paramount that the organization knows which laws apply to it and what those laws require.
Becoming well-versed in privacy regulations also helps keep employees informed about their data rights, and a better understanding of data privacy leads to more effective leadership on how these regulations can affect the business.
The HR department needs to make its staff aware of the importance of protecting an individual's sensitive information and of how to balance individual privacy concerns against the data needs of running an organization.
HR professionals must maintain transparency about the data they have collected. This promotes trust among employees and third parties and helps the company stay compliant with privacy regulations.
Organizations today collect more and more data, whether from their consumers or from their employees. Privacy regulations such as the CCPA require organizations to keep track of the data collected from their own employees and, as responsible custodians, to protect it.
Experience shows that doing this manually, while possible, is tedious, and organizations are encouraged to automate these operations. With privacy regulations constantly evolving, automation is the only practical way for an organization to keep up.
Securiti offers organizations a fully automated solution that helps them detect personal data, map it to its owner, and keep it protected. This supports several privacy requirements, such as DSR fulfillment and "adequate security" of stored data. Securiti recently partnered with Workday, enabling Sensitive Data Intelligence driven Security, PrivacyOps, Governance and Compliance for sensitive employee and financial data in Workday. This is a significant step toward protecting employee data on a global scale.
The Securiti Sensitive Data Intelligence Solution helps organizations comply with privacy requirements by offering the following functionalities:
Learn more about how Securiti can help you comply: watch a demo today!