Updated: May 8
For US businesses, startups, and the legal professionals defending them, data privacy regulations like the GDPR and CCPA, and the federal data protection law proposed by Congress, the ADPPA, are a source of significant concern.
Data Subject Access Requests (DSARs), which give customers and employees additional rights by enabling them to request access to the personal data held by a corporation, are one feature that unites all of these various data privacy regulations.
The average number of DSARs received in 2021 increased by 66%, according to the UK's DPIndex. If global trends are a credible indication, businesses that operate in states with privacy laws will experience a sharp increase in requests as consumers and employees in the US are given the right of access to their information. This will only intensify as more states pass legislation or the ADPPA goes into effect.
As of January 1, 2023, when the California Privacy Rights Act (CPRA) went into effect, any employee data collected by a business must be treated the same as consumer information.
While requests for employee data might not initially seem all that different from requests for customer data, they are an entirely distinct species. It is essential for governance, legal, and privacy teams to understand those distinctions before these new laws go into effect.
Employee DSAR vs. Consumer DSAR
The formal process by which people can ask businesses for access to the information held about them is known as a data subject access request, or DSAR. Employees will have the same right to access, update, and delete personal data as consumers do under the GDPR today, as well as under the CPRA, in effect since January 1, 2023.
While fulfilling requests for customer data can be laborious in and of itself, most consumers' information can be found in a limited number of discrete places.
This is very different from a request from a long-term employee who may have served in multiple roles because their personal information is spread and replicated across numerous databases, systems, and applications.
A typical consumer request does not involve the complexities created by existing data repositories that hold large volumes of employee data. Additionally, since an employee's data may be dispersed across numerous HR and accounting systems, responding to an employee's request may take far more time and effort than responding to a consumer's request.
DSAR failures: How much do they cost a business?
Companies that respond to DSARs may incur high costs, including the time and labor needed to process each request and the potential for steep fines if they are out of compliance or unable to respond within the required timeframes.
Sapio Research discovered that it takes an average of 83 hours to complete a DSAR and that less than 50% of organizations with 250+ employees could satisfy these requests within the legally required time frame. Gartner estimates that, on average, reacting to just one customer inquiry costs $1,400.
Given the difficulty of locating and fulfilling employee requests, the average cost will probably be much higher. Under the CCPA, firms that fail to respond adequately to a DSAR within the stipulated deadline may be subject to fines of $2,500 to $7,500 per violation. If this amount is multiplied by dozens or hundreds of requests, the average business may face annual penalties that easily exceed six figures.
Four necessary stages for a successful DSAR response
To stay relevant in a rapidly changing regulatory landscape and maintain compliance, businesses must invest in a thorough DSAR response procedure. Consider these four actions the cornerstone of a successful DSAR response strategy:
Operationalize Data Inventory
In addition to dealing with significantly more data than ever, businesses must now consider a wider variety of data types and communications unique to employees. Beyond email, documents, and spreadsheets, data governance teams must locate crucial data in intranet systems like SharePoint, chat and IM logs, video or audio recordings in Zoom, and Slack and Teams interactions.
Without an operational data inventory, it is virtually impossible to abide by privacy rules: you cannot respond to requests for information within the required time if you don't know what data you have or where it is stored and replicated in your environment.
Implement Data Discovery
Understanding where an employee's information is kept is one thing; linking that information so that your systems can easily search for and find it in response to a data subject request is another. This becomes more difficult when digging through the vast and complex unstructured data environments where an employee's information may be duplicated or stored, ranging from social media to multimedia files. Artificial intelligence and data discovery automation are expected to be crucial in completing these requests on time.
Create a DSAR workflow
The next problem is ensuring that the request is routed to the appropriate departments within the company, such as HR in the case of an employee request, where it can be properly addressed. Your current processes and workflows can be streamlined and supplemented by a thorough DSAR workflow process, especially as new legislation changes the compliance requirements.
Workflows may become more complex as businesses become more diverse on a global scale and consequently collect and store more employee data across the organization.
Start Investing in Automation
Many businesses still use a manual process to handle these requests, from confirming an employee's identity to locating, gathering, reviewing, and redacting PII before returning the requested data to the subject.
To efficiently redirect requests to the appropriate person (e.g., HR for former employees, privacy or IT for consumers, etc.), organizations need to find ways to automate not only the intake and fulfillment of DSARs but also the overall workflow. They also need to collect data that may be stored across multiple data sources and to make the review and redaction stage of the DSAR process easier.
Data privacy regulations are causing American businesses more and more stress. Enterprises and even small and medium-sized businesses must act now to prepare for the oncoming wave of employee DSARs, as the CPRA will be enforced from the end of July 2023.
Implementing and automating routine maintenance of your organization's data, with the right combination of people, processes, and technology, will become a crucial requirement for complying with these new regulations right away and for ensuring that your team can adapt to whatever new data privacy laws may be passed in the future.