California's CPRA Employee Requests
Add employee DSARs to your Transcend instances to comply with California CPRA’s employee rights requirement.
Under CCPA, employees were exempt from consumer rights, but starting January 1, 2023 under CPRA, B2B and HR personal information will be under the same regulation as consumer data. CPRA extends rights to employees, contractors, and job applicants, including the right to know, deletion, correction, opt out of sale/share, and limited use and disclosure of sensitive personal information.
First, you’ll want to create a new data subject type(s) to represent employee requests. You can configure these how you like based on the regions you operate in, systems with employee data, etc. We recommend:
- Creating a single new Employee data subject: If the EU and California employees will be allowed to make the same data requests (e.g. access, erasure, etc.) and have data in the same systems.
- Creating two new data subject types for California employees under CPRA and EU employees under GDPR: You prefer to configure different systems for each of the regimes (e.g. California employees have data in System A, while EU employees have data in System B). This option also allows for different request types under the different regimes.

Next, configure the new data subject type(s) to allow for the correct data actions (e.g. Access, Erasure, Opt out of Communication, etc.).
Using Transcend Privacy Requests, reference for instructions on setting this up. These docs will also walk you through setting up identity verification and email communication templates, if you plan to use different verification methods and/or email templates for your employee requests.
It’s critical you have a comprehensive view of all systems with personal employee data and the personal information being collected and processed.
Transcend Data Mapping does an initial remote scan of your website using a headless Chromium browser and also identifies backend tooling that may not be visible client-side, such as systems connected to your Customer Data Platform (e.g. Segment) or SSO provider (e.g. Okta). Follow the to catalog your company's entire data inventory and ensure you are not missing any data silos that might keep you from being fully compliant.
Your Data Inventory includes a “Recommended for Privacy Requests” column that you can reference to understand which systems should be integrated for data subject request workflows.
Now that you have identified all systems containing employee data (see Step 1; note that some companies may also have a manual list recorded somewhere), you can connect these systems to your Transcend instance.
Transcend integrates directly with common HR SaaS applications like Greenhouse, HiBob, and Deputy. You can reference our full integration catalog here.
Note: For any systems that may not have an API integration built, Transcend can set up a manual process, triggered through Transcend, to extract the data from the systems as an interim approach while we build the new API integrations needed.
Depending on your company’s preference, you can follow the instructions below to add additional configurations for a more tailored workflow to employee data subject requests.
- E.g. Your People Ops team wants to verify the validity of an employee request before it is processed in Transcend
- E.g. Your HR team wants to review the data itself before it is sent to the employee
- E.g. Your People Ops rep wants specific permissions to submit and manage employee requests, but does not need to be involved in other data subject requests.