GDPR and CCPA: Are you ready for 2020?
With new modes of analyzing productivity, legislation in Europe and now California is setting the boundaries around what can and should be monitored in the workplace.
You may have heard of Europe’s General Data Protection Regulation (GDPR), which protects the personal data of your employees and much more. Now California has followed suit: starting in 2020, the California Consumer Privacy Act (CCPA) takes effect.
The CCPA will allow consumers to have the right to know what information is being collected on them. They will also have the right to say no to the sharing or selling of their personal information and the right to hold a business legally responsible for a violation of their privacy.
The CCPA is more specific than the GDPR and provides more basic privacy protections to the consumer. For example, the GDPR applies only to “data subjects”, whereas the CCPA specifies that it protects California consumers. The CCPA also expands the definition of personal information: under the CCPA, data such as internet browsing history can be considered personal information and is therefore restricted.
The CCPA will require openness from companies and give consumers more agency. For example, when consumers sign up for an account or place an online order, they must be given the ability to opt out of the sale of their personal information.
The CCPA might not affect your company, but chances are your market reaches California in one way or another.
The CCPA applies to a business that meets any of the following criteria:
- It exceeds an annual gross revenue of $25 million;
- It obtains the personal information of 500,000 or more Californian residents, households or devices per year; or
- 50% or more of its annual revenue comes from selling Californian residents’ personal information.
If your business meets any of these criteria, then it can be subject to a violation. CCPA fines are more clearly defined than the GDPR’s “up to $20 million or 4 percent of worldwide turnover” and are quite nominal: for each domestic violation you can expect to pay $2,500 USD, and international violations cost up to $7,500 USD. There is also a per-incident fine, under which you would compensate affected individuals $100 to $750 depending on the severity of the incident.
Complying with these regulations should be standard for every company. Regardless of whether your company is covered by these regulations, if you are monitoring your employees you should start implementing best practices around data privacy to protect both your company and your employees.
Draw up a Data Privacy Plan
To prepare for the implementation of this data law, start by taking stock of what data your company is collecting or has already collected, and how you are selling or sharing it. Then put in place the technical solutions designed to handle it.
Specificity is critical
Your company needs to be prepared for external audits, and any audit requires detailed records. The California government is expected to start cracking down on companies that sell or misuse the private information of California residents, so be prepared to produce these records.
Another reason to be specific about what data is being collected (and why) is that employees may soon be able to access their data and request its deletion. On January 1, 2021, an amendment to the CCPA that exempts employee data from deletion requests will expire. When it does, you need to be prepared to be upfront about what data your company is collecting and why, and to provide avenues for employees to have their data deleted.
You’ll likely want to collect employee data for productivity purposes. However, if that data is hosted online, you’ll need to set up protective measures against online threats. CCPA and GDPR compliance requires you to show that you have made the effort to protect both customer and employee data.
Since you could end up collecting massive amounts of data, there are a few ways to go about managing it.
One is to delete excess data on a regular basis, once the statistics have been run. You also do not need to store personal information you have no use for. Use encrypted storage for the information you do need to keep, monitor for insider threats, and keep track of who can access what.
Be open with employees
Although it is not required, it is best to be as open and honest with your employees as you can. This is especially important because trust will break down if your company is caught violating any of these privacy laws. Share your data privacy plan with your employees, including the purposes of monitoring, the specific information being monitored, and how the company collects the data.
You should also be open to hearing what employees think about your data privacy plan. Provide regular opportunities to learn about their concerns. You could even create an open but anonymous feedback forum so employees can raise concerns with you easily.
Start to automate
When data is collected continuously, even in small increments, it quickly builds up into massive stores that can become overwhelming. Automate these processes wherever possible. Collection software may also offer features that support the privacy laws, such as automatic redaction and data minimization.
If your company tracks time for hourly wages, your employees may start asking how their data moves through the system you are using. You’ll also need to regularly train the employees who handle customers’ personal information to ensure compliance.
One of the biggest hurdles in adapting to this type of legislative change is the lag your company may experience during the transition. Start reviewing your company’s data privacy policy now and prepare to explain what your company needs to monitor and why. The sooner you begin implementing these changes, the more quickly and easily your company can adapt.
By SoftActivity Team