It’s been over four years since the European Union’s General Data Protection Regulation (GDPR) came into effect. Since its enactment, the renowned data privacy law has revolutionized the data privacy landscape worldwide, as many global data privacy laws are based on the framework set up by the EU’s GDPR.
The GDPR allows EU residents to control how their personal data is processed by granting them several rights with respect to their personal data, including the right to access their personal data.
Like the GDPR, the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), also provide consumers with data subject access rights and several other rights. These rights ensure that consumers have sufficient control over how their personal data is collected, stored, processed, protected, or sold to other parties.
Responding to DSARs from employees or ex-employees is challenging for employers because employees' personal data, such as their internal and external communications, emails, and other details, is frequently stored in unstructured data assets.
Consequently, employers need dedicated resources and tools to discover and analyze data to find relevant information specific to an employee who has requested a DSAR while ensuring the utmost data confidentiality of other employees.
Even though such requests may sometimes seem burdensome, an employer's failure to comply with a request in the manner and within the time frame stipulated by the applicable privacy law can have substantial consequences for the organization.
Under the GDPR, data subjects have the right to access their personal data processed by the data controller. This includes the right to obtain confirmation from the data controller as to whether personal data about them is being processed, and to receive a copy of the personal data processed by the controller. The data subject exercises this right by making a request to the data controller.
The GDPR protects all natural persons, including employees. Employers as data controllers are required to fulfill the DSARs of their employees within the same stipulated deadline of 30 days. This article provides a guide to employers on how they can handle DSARs in compliance with the provisions of the GDPR.
Data subjects in the workplace can be present employees, former employees, or even job candidates. All of them qualify as data subjects under the GDPR.
Under the GDPR, all individuals have the right to inquire about what personal information an organization may have about them and to request a copy of that information, as well as other supplemental information. In response to a DSAR, the employer must provide the following information to the requesting employee:
In addition to providing the above information, the employer has the following obligations in connection to a DSAR:
The employer's obligation to abide by a DSAR applies to any personal data about the individual their organization has on record. Any information kept about employees may qualify as personal data for DSAR purposes as long as the employees can be identified and the information relates to them specifically.
However, the employer is required to share only that information, including messages or email conversations with the requesting individual, whose content relates to the requesting individual. This means that where the individual's name is merely mentioned and the overall content does not relate to him/her, the employer must respond that it has identified the individual's name in a given number of messages/emails, without disclosing the content of those messages/emails.
In addition, the employer is generally obliged to search for personal data throughout all systems. However, where it processes a large quantity of information, the employer may under the GDPR ask the data subject to specify the information he/she wants to access, which allows the employer to narrow down the search. This is clarified in Recital 63 of the GDPR.
Information should be provided to the data subject in writing, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally if the data subject's identity is proven by other means.
As per Article 12(5) of the GDPR, information to the requesting data subject should be provided free of charge.
However, when a data subject makes requests that are manifestly unfounded or excessive, especially given their recurrent nature, the data controller may charge a reasonable fee considering the administrative expenses incurred in delivering the information.
As per Article 12(3) of the GDPR, the data controller must provide the information to the data subject without undue delay and, in any case, within one month of receiving the request. Depending on the complexity of the request and the number of requests by the data subject, the response time frame may be extended to two further months.
However, within one month of receipt of the request, the data controller must notify the data subject of any such extension of the timeline, along with the reasons for the delay and the data subject's right to lodge a complaint with a supervisory authority and to seek a judicial remedy. The information should be conveyed electronically if the data subject submits the request by electronic means, unless the data subject specifies otherwise.
An employer may decline to give all or part of the requested information if an exemption applies as per the national applicable data privacy law.
As per the GDPR, the data subject's right to obtain a copy of personal data must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and, in particular, the copyright protecting software. This means that, in response to a DSAR, employers must not disclose third-party data.
Employers must not disclose personal data belonging to a third party without that party's consent, because of the impact on the rights and freedoms of third persons. In such a case, employers must provide as much information as possible after omitting, redacting, or rendering illegible those parts that contain third-party information or that may adversely affect the rights and freedoms of others.
However, having third-party information should not be the ground for the complete refusal of an access request. The employer must respond with as much information as possible without disclosing third-party data.
The GDPR also allows member states to have their own restrictions while responding to data subjects’ requests. For example, a member state law could say that controllers are not obliged to provide information that is held for management forecasting or management planning (information about promotion, transfer of employees, etc.). Therefore, employers must carefully check the requirements of the national provisions and take note of any specific conditions that may apply within domestic law.
Data controllers must record the reasons for any refusal of a DSAR in order to be able to demonstrate compliance, and must communicate those reasons to the individual diligently and clearly.
If the data controller does not respond to an employee’s DSAR or only gives them a part of what they have requested and the employee believes they should receive more details, the employee can take several actions, such as:
Data Subject Access Requests (DSARs) were a crucial component of the privacy protections provided by the California Consumer Privacy Act (CCPA) when it was passed in 2019. By law, organizations must swiftly respond to these requests by collecting and providing the required information about the collection and processing of the consumer's personal information, or provide reasons for refusing to honor the request.
However, under the CCPA, only consumers could submit DSARs; current and former employees, including job applicants, could not. This is because, as per CCPA Section 1798.145(h), personal information collected by businesses within an employment context was exempt from CCPA protections (apart from providing former and current employees and job applicants with a notice at the point of collection of personal information as per CCPA Section 1798.100, and the damages a business is liable to pay for a breach incident caused by its unreasonable security practices). However, this exemption is set to expire on January 1st, 2023. From that date, the CPRA amendments come into effect, and thus all DSAR protections under the CPRA will be available to former and current employees and job applicants in California.
As per CPRA Draft Regulations § 7020:
For the organization to avoid possible fines and penalties, a response is required within 45 days. Where necessary, an extension of up to 90 days is permitted, but the consumer must be informed of the reasons why the extension was necessary. As per the draft CPRA Regulations § 7021, the business must acknowledge receipt of a verified DSAR within 10 days.
As an employer operating in California or doing business there, if you receive a DSAR from a current or former employee or a job applicant, you may be asked to disclose specific pieces of personal information or information on categories of personal information collected and processed by you.
Businesses are required to provide all the personal information they have collected and maintained about former and current employees and job seekers, including personal information collected and maintained pursuant to a written contract, on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort or the consumer requests data for a specific time period.
In case you are required to disclose specific pieces of personal information, you should note that as per draft CPRA Regulations:
In case you are required to disclose information on categories of personal information collected by you as an employer, you must disclose:
As an employer, if an employee asks for their personal data, the CPRA mandates organizations to:
Given that there are more than 40 million residents of California, CCPA's compliance had a broad impact, and so will compliance with the CPRA. This is because most organizations' databases will contain at least a few Californians, and as a result, they will be subject to the CCPA/CPRA.
Additionally, the CPRA imposes fines of $2,500 for each unintentional violation and $7,500 for each intentional violation, which include violations related to receiving and honoring DSARs from current and former employees and job applicants for personal information collected in an employment context.
It is also important to note that the CCPA's cure provision, which allowed businesses 30 days to cure their violations, has been removed from the CPRA. Thus, businesses in California can no longer afford to be non-compliant and expect a chance to correct their actions without facing liability.
Under the CCPA and CPRA, the right to access personal data must be provided electronically, in a portable format, and to the extent technically feasible, provided in a readily usable format that the consumer can transmit to another entity without hindrance.
Regarding the right to access personal data, the CCPA/CPRA provides certain exemptions: as per CPRA Regulations § 7024(c), a business is not required to search for personal information if all of the following conditions are met:
Depending on the organization's complexity, manual DSAR processing can cost a business anywhere from $1,400 to $10,000 per DSAR. Even so, many businesses aren't set up to manage DSARs cost-effectively.
The modern and most efficient method of honoring DSARs is to embrace DSAR automation. Automation enables businesses to save costs during the DSAR process, significantly reduce the risk of compliance penalties, and ensure their brand image remains intact.
Additionally, individuals increasingly expect more transparency from businesses that collect their personal data. Businesses must ensure they’re better custodians of an individual’s data and that their data processing practices comply with evolving data privacy laws to avoid non-compliance penalties.