Organizations that fall under the scope of the CCPA won’t be strangers to complying with consumer rights requests. Employees were specifically exempted from these rights under the CCPA and were limited to only a right to know and a private right of action in the event of a breach of unencrypted data. This exemption was due to expire on January 1, 2021, but the passing of the CPRA on November 3, 2020, extended the exemption for employees’ rights until January 1, 2023.
The CPRA will extend new rights for employees which will present a unique set of challenges for organizations. The most notable challenge is understanding what employee data they hold and where that data is stored. Organizations will therefore have to prepare for this new scope of data ahead of the 2023 effective date, considering the CPRA’s lookback period beginning January 1, 2022. In this article, we will explore some of the challenges that the CPRA’s employee rights will present to organizations as well as ways to prepare.
What are employee rights under the CPRA?
Among several new compliance obligations, the introduction of employee rights will pose considerable operational challenges to overcome. Under the CPRA, employees will be able to exercise six new rights including:
- Right to know
- Right to correction
- Right to deletion
- Right to opt-out of sale or share
- Right to limit use and disclosure of sensitive personal information
- Right to not be retaliated against for exercising rights
Organizations need to consider these new rights for employees and how they will fulfill requests. This will involve implementing or leveraging existing processes to understand this new scope of data as well as managing the request lifecycle.
What do organizations need to do to prepare?
In preparation for employee rights under the CPRA, there are several key factors that organizations need to consider. First, understand the data that falls under the scope of an employee rights request. This means knowing the classification of the data (e.g., sensitive personal information), where that data lives, and who has access to the data, among other things. The challenge with understanding what data your organization has is finding it.
Vast quantities of employee information are stored within unstructured data sources, and when performed manually, discovering employee information can be a time-consuming exercise. Employee data can be spread across structured and unstructured data sources in cloud and on-premise systems, and when dealing with tens, if not hundreds, of requests, the need for automated data discovery becomes apparent. Once data has been found, organizations should look to catalog this data in a centralized inventory. This will assist with the discovery of requesters’ information as well as give visibility into the classification of the data, where it is stored, and who has access to the data.
Secondly, organizations must implement the correct processes for managing employee rights requests. When the employee exemption expires, organizations should be prepared for an influx of rights requests and therefore an easily accessible intake method for such requests will be key. Intake submission forms can be placed on websites or through employee portals to centralize the process and can be embedded into existing IT ticketing systems for increased efficiency in managing the requests.
Organizations should also consider how they will verify the identity of the requester as well as how they will automate the discovery of the requester’s information. When identities have been verified and personal information has been discovered, the redaction of information related to other individuals or of proprietary information is essential for fulfilling the request. Embedding automated redaction solutions into the fulfillment process will help organizations save time and increase efficiency across multiple requests. Having found and prepared the appropriate information to fulfill the employee rights request, organizations should ensure they have a secure method of sharing it with the requester, such as encryption or a secure messaging portal.
How does OneTrust help?
OneTrust Data Discovery & Classification technology scans both structured and unstructured data sources across cloud and on-premise systems to help find employee-related data. The automated data discovery solution classifies personal and sensitive personal information and extracts metadata to assist in the cataloging of information and the fulfillment of requests.
The OneTrust Privacy Rights (DSAR) Automation solution helps organizations automate the employee request lifecycle. The tool covers everything from intake to fulfillment and can be embedded into existing channels such as your website and employee portals. It can also be used with existing IT ticketing systems and can help to streamline the identity verification process and the automatic discovery of data associated with the requester. Using AI- and ML-driven classification models, OneTrust Privacy Rights (DSAR) Automation redacts sensitive information that should not be shared with the requester, as well as information related to other individuals, and delivers the information to the requester through an encrypted messaging portal.
Request a demo to learn more about how OneTrust solutions can help your organization prepare for the CPRA’s expanded scope of employee rights.
Further resources for CPRA employee rights:
- Get Started: OneTrust Privacy Rights (DSAR) Automation
- Get Started: OneTrust Data Discovery & Classification
- OneTrust DataGuidance Blog: The Definitive Guide to California Privacy Laws
- OneTrust Blog: CPRA – What to Know About Employee Rights