Blog by Divebell


Data Subject Requests — Your Employees Are Ready. Are You?

Jan 25, 2023
Ashish Shrowty

In January 2023, US-based tech companies laid off more than 46,000 employees in mass job cuts, according to Crunchbase News. So what’s different about these layoffs, other than the typical cycle of ups and downs, where companies seek to balance the overhiring they did during times of growth?

This time around, Data Privacy Officers and HR professionals will need to contend with the new privacy laws that provide current employees and former employees with data rights. Within the United States, the stringent California Privacy Rights Act (CPRA) that went into effect on January 1, 2023, is leading the way for other states.

Data Privacy Laws and Your Former Employee

Employment-related information refers to employees’ personal data, including their login activity, security camera footage, or data from swiping their security badges. Under California Consumer Privacy Act (CPRA) provisions, employees not only have the right to access their employment-related information, but they can also request that it be deleted or opt out of sharing it with third parties. The CPRA also requires employers to tell their employees what kind of information they are collecting about them, and employees can sue their employer for data breaches. If a data breach affects employees, any organization found to have failed to maintain reasonable security procedures could be liable for monetary fines.

Employee data privacy legislation could make wrongful termination claims more complex. With legal access to data collected about them during employment, employees could use it as evidence against their employer in discrimination, whistleblowing claims, or employment status litigation.

The Impact Is Not Limited to Large Organizations

Even mid-sized employers could face a wave of data subject requests (DSRs) coming at them, and unless they are ready to handle these on time as per the provisions, they could face stiff penalties and reputational damage. US privacy laws are modeled on European privacy laws such as GDPR. According to a recent study by Guardum in the UK, almost half (46%) of all DSRs received by mid to large organizations are from employees or contractors. A third (33%) come through legal representation, with ex-employees accounting for 15% of this proportion.

Data Retention and Deletion 

When an employee makes a DSR, it is challenging to locate the personal data of a former employee, especially if it has been stored for a long time across data sources. Organizations need to have an appropriate retention policy and a procedure to respond to DSRs. Data cleanup helps reduce the amount of data held by employers. It’s an excellent time to consider applying data retention and disposal to that sensitive data. 

End-to-End Automation

Fulfilling employee DSRs in a compliant manner means querying and fetching the correct data quickly, keeping an up-to-date data inventory, and running customizable workflows that fit your organization’s unique requirements, to name just a few of the demands. Plus, there are competing IT priorities that any privacy executive must contend with. A completely automated solution that does the heavy lifting for you and your team, from intake to response and compliance reporting, is one of the best ways to address the upcoming DSR deluge.

Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.
