Why have employee requests under GDPR exploded and what that means for CCPA in California?

DocuVisionAI
4 min read · Apr 1, 2019


Employees (like any other data subject such as consumers) have for several years been able to make a data subject access request under the prior privacy laws in Europe (before GDPR came into effect). GDPR maintained that right and made it free (there was a nominal fee before). So with GDPR coming into effect, one could have expected the number of employee requests to remain more or less constant. However, this has not been the case: instead, we have witnessed an explosion in the volume of employee data subject access requests (“DSAR”) with the advent of GDPR. We do not think the removal of the nominal fee had much effect and we believe the awareness surrounding GDPR has led to employees being aware of the DSAR in their toolkit vis-a-vis their employers.

Why do employees make DSARs?

An employee DSAR is typically a sign of the employee being unhappy about something at work. The employee DSAR allows the employee to obtain information about that employee which may help the employee make arguments with the employer about the issue at hand, and in certain cases, help their case in a potential litigation. We hear from law firms which advise clients on employee DSARs that the employee DSAR is now one of the tactics used by employees to get to a favorable outcome much faster.

So an employee DSAR typically indicates potential litigation — now what?

As an employee DSAR usually arises in the context of potential litigation, employers have an incentive to take these requests seriously (not that they should not take other requests seriously; the point is that the incentives may be different for an employer because of potential employee litigation).

The specific problem with employee data: some structured data and a lot of unstructured data

The specific characteristic of employee data is that it is often structured, such as in recruiting and employee HR systems, but a lot of the personal data relating to employees also sits in many other places, especially in emails and documents. This leads to a unique problem for employers when they need to respond to an employee DSAR. They need to go through lots of emails and documents to review what personal data is there and also what (non-relevant) data to exclude from the request. Often, after some filtering, there will be tens of thousands of emails to review for each employee. There are a few factors which will drive the employee review process:

  1. The seriousness/risk involved in this potential employee dispute, and the risk that disclosure under the privacy law (GDPR) releases privileged information, which might then hurt the potential litigation case from the employer’s perspective.
  2. The amount of other people’s personal information that may be commingled in the emails and documents that would need to be excluded from the request.
  3. The level of confidential information that the employer has in the emails and documents that it should legitimately protect, such as trade secrets.

With these factors at play, the review can often take a lot of internal time and external lawyer time, and can be costly.

Ways to make the employee DSAR less painful

Here are a few things employers can think about to lessen the pain of employee DSARs:

  • Use a system that helps coordinate among different people within and outside the organization (e.g., the law firm advising the employer)
  • Try to narrow the scope of the request by asking clarifying questions
  • Know where to look for data when a DSAR comes in
  • Look at ways to make the review process faster

The California privacy law, CCPA — What should we expect?

Today, we hear from companies and law firms that employee DSARs under GDPR are still a problem for them in terms of resources and cost. GDPR offers us a preview of what is likely to play out under CCPA in terms of the challenges that employers will face with employees making DSARs under the CCPA. With CCPA on the horizon, only a matter of months away, there is likely to be a similar widespread awareness by employees of CCPA and their rights as employees. With such awareness, we expect an explosion of employee DSARs under the CCPA when it comes into effect in 2020.

How can employers who will be impacted by the CCPA prepare for this?

The ideas here will mirror those that would be useful under GDPR. Here are a few things employers can think about to lessen the pain of employee DSARs under CCPA.

  • Use a system that helps coordinate among different people within and outside the organization (e.g., the law firm advising the employer)
  • Try to narrow the scope of the request by asking clarifying questions
  • Know where to look for data when a DSAR comes in
  • Look at ways to make the review process faster

We want to hear from you who are dealing with employee DSARs. How are you approaching employee DSARs?

DocuVision.ai is an early-stage tech startup which helps companies manage personal data security and privacy, such as helping companies comply with GDPR and the upcoming CCPA and other privacy laws. We are currently part of UC Berkeley’s SkyDeck. Find out more about our product that helps companies and law firms respond to employee DSARs: https://docuvision.ai/dsar/
