Employee-related data protections in California’s landmark privacy law take effect in 2023, making it crucial that your organization write a retention policy if it doesn't already have one, especially if you’re seeing a higher than usual number of workers leave for greener pastures, specialists in the field say.
Much of the focus on the California Consumer Privacy Act (CCPA), enacted in 2018 with amendments set to kick in soon, has been on the consumer side, but starting in January all of the same requirements will apply to employees, Darcey Groden, an attorney with Fisher Phillips, said in an Exterro webcast.
That means current or former employees can request to know what personal information you have on them and can ask you to delete it.
Especially if you have disgruntled former employees, you can expect to see the law invoked.
“Unhappy employees are more likely to exercise rights related to data requests … whether they left of their own volition or otherwise,” said Constantine Karbaliotis, senior privacy advisor at Exterro.
Complying with a deletion request will get tricky because you can’t let it force you into conflict with other laws. If you’re holding personal data to meet requirements for tax or other regulatory purposes, for example, you can’t just get rid of the data.
“An employee can’t use CCPA to force you to break that law,” said Groden. “It doesn’t trump other laws.”
Wide-ranging data
The California law, the first of its kind in the United States and one with tougher employee-data mandates than the subsequent state laws, requires organizations to have a secure process for retaining employee data, to tell employees what you’re retaining when they ask, and to delete it when they request that and doing so doesn’t violate other laws.
In some ways, organizations can expect compliance to be more complicated than with consumer data requests, because on the consumer side, data is typically transaction-related, so as long as you have a process for maintaining transaction data, you can honor a data request relatively easily.
It’s harder on the employee side because the data comes in all types of formats, over long periods of time and is stored in any number of places.
What’s more, much of the data is unstructured, meaning it’s not searchable in a database. Emails, text messages and work products, among other things, can all contain personal employee information, but knowing what you have, where it is and so on promises to be a big challenge.
“Employers often don’t even know what’s out there,” Groden said.
Third-party use of employee data is another problem area, compounded by HR departments’ typical reliance on outside companies to handle much of what they do.
“Benefits and insurance” are third-party functions, Groden said.
Organizations that are already complying with privacy laws outside the United States, like the General Data Protection Regulation (GDPR) in the European Union, will have a leg up on the California law because these other laws already include employee rights.
For organizations to which employee-data rights will be new, best practices for compliance start with creating a multi-function task force to write a data retention policy and set in motion a process for inventorying employee data in all its forms. The team also needs to know what other employee data laws are in effect so the process can be built to respond to data requests in compliance with these other laws.
The California law lets organizations deny an employee request for data if it conflicts with other laws or the data is needed for a legitimate business purpose. But when there is a denial, the data that’s retained can only be used for the purposes related to the denial. That means you can’t use data you’re hanging on to for, say, tax compliance for some other use.
It’s these kinds of nuances that will make compliance a challenge even for mature organizations that have a good team and process in place.
“California became the first but it won't be the last” to have this kind of law in place, Groden said.