Employee Privacy under the CCPA
So how’s that employee data privacy program coming along?
When Governor Brown signed the California Consumer Privacy Act of 2018 (CCPA), it marked a significant change in the way US businesses need to look at privacy. Companies operating internationally were already rethinking their strategies based on the European Union’s General Data Protection Regulation (GDPR), but CCPA brought the issue home for any company doing business with California residents.
One issue that attracted attention in those early days was employee data. Many thought the issue was resolved with Assembly Bill 25, which modified the CCPA to give businesses an exemption for personal data relating to employees. In recent days, however, the California Senate Judiciary Committee has modified the language of the Bill, narrowing the exemptions so that they no longer cover the requirements to notify employees of data collection and use, and preserving employees’ right of private action, including participation in class actions. Perhaps more importantly, the remaining exemptions are now temporary, expiring on January 1, 2021.
Now, it’s possible that things will change yet again, but realistically this version of the amendment or something very like it is probably the final word on employee data. Organizations need to be thinking now about how they collect, store, and use data on their employees and how to clearly disclose that information. What’s more, they’ll need to have a comprehensive employee privacy program within the following year.
Sound difficult? It doesn’t have to be. Start by building an inventory of how you collect and store personal information for your employees and, while you’re at it, consider your customers, suppliers, sales leads, etc. as well. It helps to build out data flow diagrams or maps of this information so you can get a clear picture of what’s going on.
Then, for each of those data flows, think about its value. Why are you collecting it? Where do you keep it? What do you need it for? How long should you hang on to it? Who can access it, when, and what are they using it for? The answers to these questions can be complex, especially if you’ve never looked at things from this angle before, but if you begin the process now, you’ve got time to work it out.
Based on the answers, you’ll need to create policies and notifications, maybe change processes, and certainly train people in the changes. It can be a lot of work, but your customers and your employees will appreciate the visible evidence that you’re taking their privacy and security seriously.
An effective privacy program doesn’t have to be a burden on the organization or its management, especially if it actively encourages and supports the active involvement of its employees. An employee privacy program isn’t just a requirement – it’s also a great springboard for the kind of program you need to help make all of your privacy efforts more effective.
How is your organization going to adjust to the new privacy regulations? Talk to us at Smooth Sailing – we’ll be glad to help you work out a strategy.