The New CPRA Umbrella Covers HR Data

Cole PrudenCPRA, HR Data, Personal Data Protection

Is it too early to start talking about New Year’s resolutions? Well, come January 1st, 2023, the only goal for many HR departments will be unraveling the CPRA’s latest privacy law on HR data. So, will you wait until after Christmas to finally see what all the fuss is about, or will you dive into the CPRA deep end while there’s still time?

What Even Is the CPRA?

The California Privacy Rights Act is the strongest consumer privacy law ever enacted in the United States. This extensive regulation aims at putting Californians even more in charge of their online data while also presenting a considering stumbling block for those doing business in the state or with its inhabitants online.

And What Even Is HR Data?

Speaking of stumbling blocks, the CPRA will soon go well out of its way to regulate how HR data (also known as HR metrics) is used. For anyone unfamiliar, HR data is all the PII a company’s Human Resources Department stores on its employees. HR Data is often considered the most sensitive form of PII, given it includes everything from:

The Relationship Between the CPRA and HR Data

“But how exactly will the CPRA interact with HR data?” Good question. As things currently stand, numerous exemptions apply to HR data. For instance, the PII of a job applicant, employee, owner, contractor, etc., of a covered business is exempt as long as the covered business collects and uses this PII:

By January 1st, 2023, you can expect all this to change.

Time to Up Your Defenses

Another highlighted section of the CPRA is how HR data should be safeguarded. We already touched on the highly sensitive nature of this form of PII, so, predictably, the CPRA would really want to hammer this point home.

One way to better secure all the data stored by your HR department is to locate and protect any “obvious” HR data. That means any data kept in the Human Resource Information System (HRIS), if your department uses one, as well as payroll, applicant tracking systems, travel and expense reimbursements, and so on.

The safeguarding doesn’t end there, however. It’s best not to forget any specialized databases or sets of records you may have lurking about. They include workers’ compensation claims, OSHA records, internal investigations, benefits, etc. And, heaven forbid, please transfer to a secure storage and then liquidate any non-digital records or files carrying HR data. The days of the filing cabinet should be long gone by now.

HR Data Everywhere You Look

So, that constitutes the more visible data actually stored by the HR department, but what about HR data maintained by all of your company’s other departments? For example, payroll might be handled by Accounting, not HR. And the same goes for workers’ comp and OSHA records that fall under the Safety Department. Simply put, no matter where the sensitive HR data is found, you need to track it down and store it in an audit-compliant location.

Taking the size of your company into account, simply “locating all the HR data” is probably easier said than done. Luckily, there are multiple ways you can go about this:

Just the Beginning

Unfortunately (unless you love reading extensive government-mandated data regulations), the topics addressed above are only a few of what’s coming with the CPRA. But just because it takes effort to protect HR data and move closer toward CPRA compliance doesn’t mean you should simply close your computer and put it off. As we already established, January 1st, 2023 is coming sooner than you think, and you don’t want to be one of those people who forget about their New Year’s resolutions the moment the fireworks end.

Plus, better protecting the HR data you store is only ever a good thing. In this way, you can guarantee improved work culture, take care of those working alongside you, and avoid any negative run-ins with the CPRA. And because, well, it’s just the right thing to do.

Chances Are You Have HR Data Hiding in Places You Don’t Even Know About. Discovery It with PII Tools!