• Privacy

7 Things to Do to Get Ready for Employee DSARs


Rick Buck Chief Privacy Officer

Once you start gearing up for the wave of new state-level data privacy laws in 2023, you’ll notice that the California Privacy Rights Act (CPRA) has one big distinction that sets it apart: it protects both consumers and employees. If your business falls under the guidelines for compliance under CPRA, employee data is also included. What does this mean for businesses that’ll be fielding Data Subject Access Requests (DSARs) from Californians? Not only should you expect to receive a greater volume of DSARs, you’ll also be dealing with the intricacies of employee data.

Let’s take a look at the unique challenges of employee DSARs and how you can prepare your business to process them.


Learn how does CPRA protect employees

CPRA defines a “consumer” as any person who is a California resident, including employees, former employees, job applicants, contractors, or other staff of a business. This is similar to Europe’s General Data Protection Regulation (GDPR), which also protects the data rights of employees. Two other US-based privacy laws coming into effect in 2023, the Colorado Privacy Act (CPA) and Virginia’s Consumer Data Protection Act (CDPA), do not include employees in their definition of consumers. To date, CPRA is the only state-level privacy law that grants the same data protection rights to employees as it does to consumers.


Know your obligations as an employer

Under CPRA you’re required to extend the same rights to your employees as you do other consumers, including:

  • Notice: Employers must provide notice of the collection of PII to their employees, job applicants, and contractors
  • Right to access: Employees have the right to access the PII you’ve collected
  • Right to correct: Employees have the right to correct their PII which they believe is incorrect
  • Right to delete: Employees may request the deletion of any of their PII in your possession
  • Right to restrict uses of sensitive PII: Sensitive PII may include a social security number, account login, financial information, geolocation, racial or ethnic origin, religious beliefs, sexual orientation, health information, and biometrics
  • Right to opt-out: Employees may opt-out of the sale of their PII to third parties


When it comes to employee DSARs, know what employers should expect

Employee DSARs may impact your company in ways you haven’t experienced up to this point with consumer DSARs. If your company operates in the Business-to-Business (B2B) space, you’ve probably received relatively few DSARs to date. Business-to-Consumer (B2C) companies collect much more consumer data so it’s only natural that they would receive the vast majority of DSARs. And if you’re a B2B company in a commercial relationship with your customers, you likely have a Master Services Agreement in place that covers data privacy requirements and allows your customers to access or remove their data whenever they want.

Under CPRA, however, B2C and B2B companies are equally liable to receive DSARs from their employees. If you’re a B2B company that’s been relatively immune to DSARs, here’s your wake-up call: you could receive a huge uptick in DSARs starting with the introduction of CPRA in January 2023.


Understand how fulfilling employee DSARs introduces new complexities

California includes employees in its definition of consumers, but employee DSARs have some unique characteristics which can make them more complicated than typical consumer DSARs. These complexities warrant extra attention to ensure you’re in compliance. Rick Buck, Chief Privacy Officer at WireWheel, delved into the intricacies of fulfilling employee DSARs in a recent interview. Rick explains:

“What complicates employee subject requests, particularly when we are looking for employee data in unstructured formats, is that data is going to be exposed potentially about people other than the person who requested the information and those people’s information are completely out of scope and completely inappropriate to be presented by an employer (in response to an employee DSAR) and so that data needs to be redacted.”

Let’s take a closer look at the two issues Rick highlights: unstructured data and redaction.


Learn how unstructured data weaves a tangled web

Typical consumer data is stored in structured databases. However, your employees’ personally identifiable information (PII) is more likely to be stored as unstructured data. Most companies store large quantities of employee PII in unstructured data sources such as emails, text messages, and audio files. If the employee has a long tenure with your company, their unstructured PII may span countless systems and applications.

This makes it even more important for companies to automate their process for locating and retrieving PII in unstructured data when fulfilling employee DSARs.


Know not to overshare: rely on automated redaction

Another challenge you may face when locating employee data is the inevitable co-mingling of your employees’ PII. Let’s look at an example of how this could happen.

Employee A submits a DSAR to your company requesting access to her PII. When searching for Employee A’s PII in your unstructured data, you find that Employee B’s PII is also mixed in the same HR files. This presents a predicament because you don’t want to violate Employee B’s privacy rights when fulfilling Employee A’s DSAR.

“When responding to a DSAR and there is third party data involved, a careful balancing exercise should be carried out by an employer as to the employee’s request and any third party competing rights.”

—Data subject access requests: data redaction in an employment context, Shoosmiths LLP


What can you do if you face this DSAR dilemma? You could try to obtain Employee B’s permission to disclose his PII to Employee A, but that scenario is rarely feasible. The best solution is redacting Employee B’s PII before you fulfill Employee A’s DSAR. Redaction ensures that you’re completely removing Employee B’s PII before handing over any data related to Employee A’s DSAR.


Utilize integrations to streamline employee DSARs

If tackled manually, redaction is an onerous process. You don’t want to rely on an old-school black marker when CPRA comes into effect in January 2023. It’s critical to have a scalable, automated DSAR solution that includes comprehensive data search, discovery, and redaction capabilities. Employee PII is stored in the apps that employees and HR teams use the most, such as emails, SharePoint sites, and Microsoft 365 applications. WireWheel’s integration with Microsoft Priva is part of WireWheel’s DSAR solution that automates the process of finding and retrieving PII in unstructured data. This kind of integration can save your team thousands of hours and make DSAR fulfillment a much easier process.

Get a head start on CPRA by talking to WireWheel about how we can help you simplify employee DSARs for your organization.

Further Reading

Innovating DSAR Fulfillment with Microsoft and WireWheel

CCPA vs CPRA: A Guide to California’s Data Privacy Laws

The DSAR Guide: Overview of Data Subject Access Requests

Rick Buck is the WireWheel Chief Privacy Officer and acts as a Privacy Advisor to WireWheel clients, helping them with the implementation and optimization of their privacy programs. Over the past 20 years, Rick has…