The California Privacy Rights Act (CPRA) Amended: What it Means for Employee Data Subject Access Requests

The California Privacy Rights Act (CPRA) Amended: A Look at the Impact on Employee Data Subject Access Requests

The California Privacy Rights Act (CPRA) has been amended to give current and former employees of California-based businesses the right to request details of personal information collected about them and request the permanent deletion of that information. This is similar to the data privacy provisions in Europe's General Data Protection Regulation (GDPR) and was a key provision in the initial version of the California Privacy Protection Act (CPPA) of 2020. However, the scope was previously limited to consumers of products and services doing business in the state. Under the updated CPRA, California businesses that meet the threshold requirements will be required to respond to these requests from current and former employees.

Understanding the Changes to the CPRA

Employee Data Subject Access Requests (DSARs) are significantly more complex and costly than consumer requests. On average, it takes 83 hours to complete a DSAR and less than 50% of requests are fulfilled within the mandatory time limit, according to one analysis. A Gartner study found that it costs an average of $1,400 to respond to a single consumer request. Due to the complexity of employee DSARs, it is likely that the cost to process an individual employee request will be much higher. This is because employee data is often scattered across various unstructured systems, applications, and archives, such as emails, documents, text messages, and cloud-based collaboration apps like Slack and Teams. Assembling a comprehensive dossier of employee data can be a tedious and time-consuming task that requires input from multiple departments and stakeholders and carries its own risks.

For example, if an employee requests information about a specific email, organizations must be careful to redact sensitive personally identifiable information (PII) such as the other party's email address, to avoid violating their privacy rights.

The Challenges of Employee Data Subject Access Requests (DSARs)

DSAR weaponization refers to the use of Data Subject Access Requests (DSARs) as a tool to cause harm or inconvenience to a company. One example of this is "The Nightmare Letter," a hypothetical letter that global privacy expert Constantine Karbaliotis published shortly after the General Data Protection Regulation (GDPR) went into effect. The letter was designed to demonstrate the difficulties a consumer could cause a company by requesting all their personal data and to provide guidance for legal and compliance teams to respond effectively. The post received widespread attention, with over half a million readers viewing it. Karbaliotis also posted an updated version of the Nightmare Letter specific to the California Consumer Privacy Act (CCPA).

Although most Data Subject Access Requests (DSARs) are made in good faith, it is possible for an employee with a personal vendetta or a union representing a former employee to use a DSAR as leverage in legal disputes. For example, in a wrongful termination lawsuit, an employee can request that their former employer provide all personal data in their custody. If the employee had worked for the organization for many years, the cost and burden of producing all relevant materials could be greater than settling the case.

Preparing for DSARs: Three Foundational Steps

Three foundational steps are needed to establish an effective plan for responding to employee Data Subject Access Requests (DSARs), which are similar to e-discovery requests. These steps include:

Step 1: Establish a comprehensive data inventory. This includes identifying where all the data resides and how quickly and efficiently it can be retrieved. A comprehensive data map is essential for determining how long certain data should be retained, with which third parties it might be shared, and which data sources should be included.

Step 2: Define DSAR workflows, protocols, and roles. This includes identifying where an individual's data lives and ensuring that the request flows to the right areas of the business, such as HR for employee requests. This step also involves determining the appropriate workflows, and roles, and how to enable a former employee to submit a DSAR.

Step 3: Invest in automation tools. Automating the DSAR process can improve operational efficiency by ensuring requests are correctly routed to the appropriate parties, such as HR for former employees and privacy or IT for consumers. Automation tools are also valuable in the collection, review, and redaction process, and in streamlining the routing of data from various sources to ensure that requests are fulfilled according to mandated timelines.

Finally, it's important to conduct a practice run with all stakeholders, similar to preparing for a data breach. This will help identify what works and what doesn't and enable continuous improvement of the process.

It is likely that the new California Privacy Rights Act (CPRA) will result in a significant increase in employee Data Subject Access Requests (DSARs) in the coming year. It is important for organizations to be prepared for this increase, as failing to plan could lead to failure to comply with the law. With the new year now here, it is important to take action and prepare for this increase in DSARs.

REFERENCE:
Preparing for the Employee DSAR Nightmare Letter: What Legal Teams Need to Know as California’s New Data Privacy Law Goes Into Effect
https://www.law.com/legaltechnews/2023/01/23/preparing-for-the-employee-dsar-nightmare-letter-what-legal-teams-need-to-know-as-californias-new-data-privacy-law-goes-into-effect/