In April 2016, the EU Commission rolled out one of the most sweeping consumer data protection policies in the world. The General Data Protection Regulation (GDPR) has fundamentally restructured the way that private data gets handled across every sector, from banking to healthcare and, yes, even staffing. In a digital era where customer information has become its own sort of currency, concerns have naturally arisen about how that data is collected, used, and sold for marketing purposes. Privacy and security have long been concerns, particularly in light of breaches, thefts, cyberattacks, and the scandal involving Facebook and Cambridge Analytica. But Europe extended protections to users far beyond those of other nations. Now, in California, a new privacy regulation slated for January 2020 could bring the EU Commission’s blueprint to the western shores of the United States—and every employer should be prepared. That begins with understanding the implications and effects.

We Are What We Browse

As Danny Palmer explained in ZDNet: “At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy… The reforms are designed to reflect the world we're living in now, and brings laws and obligations - including those around personal data, privacy and consent - across Europe up to speed for the internet-connected age.”

Today, virtually every service we use carries with it the implication that our personal data will be collected and analyzed. That includes our names, addresses, credit card numbers, and more. In response, the EU Commission set out to launch a stricter set of rules to help consumers guard against abuses such as illicit data gathering and surreptitious practices in storing and distributing that information.

“Under the terms of GDPR,” Palmer wrote, “not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so.”

Until recently, GDPR really only affected American companies transacting business abroad. With California’s latest legislative maneuver, a similar, European-style precedent could be set domestically.

California Poised to Launch First Consumer Privacy Law in the United States

The California Consumer Privacy Act could become a landmark law that reshapes the way companies use and handle customer data nationwide. Discussing the new regulation for ERE, Josh Torres breaks down the issue:

The California Consumer Privacy Act is a new privacy regulation that will go into effect on January 1, 2020, and it is the first law in the United States that will closely align with the General Data Protection Regulation. The California Consumer Privacy Act seeks to protect all California residents with respect to any personal information that relates to them. As such, the new legislation is causing a great deal of confusion among employers. Specifically, it could impose considerable compliance burdens on every employer that employs California residents — not just businesses that are located in California. This compliance risk, however, is not guaranteed.

The confusion, Torres asserts, “stems from the vagueness surrounding the applicability of the California Consumer Privacy Act to employee and job applicant data. As a result, this vagueness is also creating a waiting game for employers, who are trying to determine the best approach to California Consumer Privacy Act compliance.”

The current language of that act is somewhat ambiguous and could, if broadly interpreted, include employee and job applicant data. California Assembly Bill 25 (“AB 25”) has been offered for consideration to clarify the intent by introducing an exclusion in its definition of “consumer,” exempting candidates and workers. But that remains a topic of debate. If the workforce does fall into the category of consumer, its members would have new individual controls:

Preparing for the Privacy Act

Every organization involved in staffing must process and manage large volumes of private data for clients and workers through an array of technologies that include VMS, ATS, CRMs, ERPs, and cloud-based HR information systems (HRIS). Privacy standards do exist in rules covering data such as census-type details (EEOC opt-out) and health information (HIPAA). California’s act could encompass much more. Employers should respond sooner rather than later with safeguards and preventive measures, whether the bills pass as written or with amendments. Torres, the regulatory and privacy counsel for iCIMS, presents solid advice on key steps we can take.

Data Ethics: Go Above and Beyond

To really differentiate our companies, we can develop data ethics procedures that take our commitment to candidates, workers, and clients to the next level.

Bringing our companies into compliance with California’s new regulations may not be inexpensive or easily achieved, but if the state moves forward, you can bet that others will follow soon enough. Paying for protections upfront will always save money longer term, especially if your business runs afoul of regulators. Penalties, fines, and lawsuits will cost much more. Apart from that, however, we as employers should take our obligations to clients and workers seriously. Just as we provide health and wellness programs to ensure the salubrity of our employees, we should adopt a committed stance to protecting their personal data from falling into the wrong hands. Companies that do will demonstrate that they genuinely care. And that kind of culture goes a long way in attracting and retaining the best talent.

Photo by Lianhao Qu on Unsplash