In April 2016, the EU Commission rolled out one of the most sweeping consumer data protection policies in the world. The General Data Protection Regulation (GDPR) has fundamentally restructured the way that private data gets handled across every sector, from banking to healthcare and, yes, even staffing. In a digital era where customer information has become its own sort of currency, concerns have naturally arisen about how that data is collected, used, and sold for marketing purposes. Privacy and security have long been concerns, particularly in lieu of breaches, thefts, cyberattacks, and the scandal involving Facebook and Cambridge Analytica. But Europe extended protections to users far beyond those of other nations. Now, in California, a new privacy regulation slated for January 2020 could bring the EU Commission’s blueprint to the western shores of the United States—and every employer should be prepared. That begins with understanding the implications and effects.
We Are What We Browse
As Danny Palmer explained in ZDNet: “At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy… The reforms are designed to reflect the world we're living in now, and brings laws and obligations - including those around personal data, privacy and consent - across Europe up to speed for the internet-connected age.”
Today, virtually every service we use carries with it the implication that our personal data will be collected and analyzed. That includes our names, addresses, credit card numbers, and more. In response, the EU Commission set out to launch a more prohibitive set of rules to help consumers guard against abuses such as illicit data gathering and surreptitious practices in storing and distributing that information.
“Under the terms of GDPR,” Palmer wrote, “not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so.”
Until recently, GDPR really only affected American companies transacting business abroad. With California’s latest legislative maneuver, a similarly European precedent could be set domestically.
California Poised to Launch First Consumer Privacy Law in the United States
The California Consumer Privacy Act could become a landmark law that reshapes the way companies use and handle customer data nationwide. Discussing the new regulation for ERE, Josh Torres breaks down the issue:
The California Consumer Privacy Act is a new privacy regulation that will go into effect on January 1, 2020, and it is the first law in the United States that will closely align with the General Data Protection Regulation. The California Consumer Privacy Act seeks to protect all California residents with respect to any personal information that relates to them. As such, the new legislation is causing a great deal of confusion among employers. Specifically, it could impose considerable compliance burdens on every employer that employs California residents — not just businesses that are located in California. This compliance risk, however, is not guaranteed.
The confusion, Torres asserts, “stems from the vagueness surrounding the applicability of the California Consumer Privacy Act to employee and job applicant data. As a result, this vagueness is also creating a waiting game for employers, who are trying to determine the best approach to California Consumer Privacy Act compliance.”
The current language of that act is somewhat ambiguous and could, if broadly interpreted, include employee and job applicant data. California Assembly Bill 25 (“AB 25”) has been offered for consideration to clarify the intent by introducing an exclusion in its definition of “consumer,” exempting candidates and workers. But that remains a topic of debate. If the workforce does fall into the category of consumer, its members would have new individual controls:
- The right to access personal information
- The right to delete personal information
- The right to opt out of the sale of personal information to third parties
Preparing for the Privacy Act
Every organization involved in staffing can’t escape the reality of processing and managing scores of private data for clients and workers through an array of technologies that include VMS, ATS, CRMs, ERPs, and cloud-based HR information systems (HRIS). Privacy standards do exist in rules covering data such as census-type details (EEOC opt-out) and health information (HIPAA). California’s act could encompass much more. Employers should respond sooner rather than later with safeguards and preventative measures, whether the bills pass as written or with amendments. Torres, the regulatory and privacy counsel for iCIMS, presents solid advice on key steps we can take.
- Establish a formal method for candidates and workers to submit requests for exercising their new rights.
- Update website privacy policies to reflect the changes, explain the provisions of the act, and transparently describe how personal information is handled under the coming rules.
- “Revisit policies and procedures to verify, respond to, and document personal information requests,” Torres recommends. New policies may need to be drafted or existing policies revised to address all the different aspects of the California Consumer Privacy Act.
- Review all data security protocols in place and bridge any gaps that are identified as non-compliant with the new regulations.
- Conduct internal training and awareness programs that address the operational and HR practices that could transform once the act goes into effect.
Data Ethics: Go Above and Beyond
To really differentiate our companies, we can develop data ethics procedures that take our commitment to candidates, workers, and clients to the next level.
- Include orientations surrounding ethical data usage and information handling in onboarding programs.
- Have internal or external counsel coach team members on the legal obligations and best practices for processing, storing, analyzing, and disseminating data.
- Include revised data policies and compliant provisions for the California Consumer Privacy Act in contracts and service agreements.
- Deploy enhanced cybersecurity policies.
- Safeguard mobile devices and company issued equipment that could contain sensitive personal, corporate, client, or candidate data.
- Purchase the latest encryption and antivirus software.
- Segregate salary details and personally identifiable information on separate networks, and impose access restrictions.
- Make sure business continuity and disaster recovery plans exist or are updated to reflect the potential changes.
- Increase insurance policy coverage to include cyber liability.
Bringing our companies into compliance with California’s new regulations may not be inexpensive or easily achieved, but if the state moves forward, you can bet that others will follow soon enough. Paying for protections upfront will always save money longer term, especially if your business runs afoul of regulators. Penalties, fines, and lawsuits will cost much more. Apart from that, however, we as employers should take our obligations to clients and workers seriously. Just as we provide health and wellness programs to ensure the salubrity of our employees, we should adopt a committed stance to protecting their personal data from falling into the wrong hands. Companies that do will demonstrate that they genuinely care. And that kind of culture goes a long way in attracting and retaining the best talent.