California's CPRA Employee Requests
Add employee DSARs to your Transcend instances to comply with California CPRA’s employee rights requirement.
Under CCPA, employees were exempt from consumer rights, but starting January 1, 2023 under CPRA, B2B and HR personal information is subject to the same requirements as consumer data. CPRA extends rights to employees, contractors, and job applicants, including the rights to know, delete, correct, opt out of sale/share, and limit the use and disclosure of sensitive personal information.
For more on what’s new in CPRA, read the exact modifications to the law with Transcend's diffed document, showing the changes between CCPA and CPRA.
First, you’ll want to create a new data subject type(s) to represent employee requests. You can configure these how you like based on the regions you operate in, systems with employee data, etc. We recommend:
- Creating a single new Employee data subject: If the EU and California employees will be allowed to make the same data requests (e.g. access, erasure, etc.) and have data in the same systems.
- Creating two new data subject types for California employees under CPRA and EU employees under GDPR: If you prefer to configure different systems for each of the regimes (e.g. California employees have data in System A, while EU employees have data in System B). This option also allows for different request types under the different regimes.

Next, configure the new data subject type(s) to allow for the correct data actions (e.g. Access, Erasure, Opt out of Communication, etc.).
Using Transcend DSR Automation, reference Configuring Requests > Data subjects and data actions for instructions on setting this up. These docs will also walk you through setting up identity verification and email communication templates, if you plan to use different verification methods and/or email templates for your employee requests.
It’s critical you have a comprehensive view of all systems with personal employee data and the personal information being collected and processed.
- Transcend Silo Discovery finds data silos across your business, including backend tooling which may not be visible client-side, such as systems connected to your Customer Data Platform (e.g. Segment) or SSO provider (e.g. Okta). Follow the Silo Discovery guide to auto-populate your Data Inventory.
Your Data Inventory includes a “Recommended for DSR Automation” column that you can reference to understand which systems should be integrated for data subject request workflows.
Now that you have identified all systems containing employee data (see Step 1; note that some companies may also have a manual list recorded somewhere), you can connect these systems to your Transcend instance.
Transcend integrates directly with common HR SaaS applications like Greenhouse, HiBob, and Deputy. You can reference our full integration catalog here.
Follow the instructions in DSR Automation > Connecting Integrations to connect and configure these systems for requests to your new employee data subject type(s).
Note: For any systems that may not have an API integration built, Transcend can set up a manual process, triggered through Transcend, to extract the data from those systems as an interim approach while we build the new API integrations needed.
Depending on your company’s preference, you can follow the instructions below to add configurations that tailor the workflow for employee data subject requests.
- Configuring holds or checks: Configuring Requests > Data subjects and data actions
  - E.g. Your People Ops team wants to verify the validity of an employee request before it is processed in Transcend.
- Adding a data review: Processing Requests > Review and approve a request
  - E.g. Your HR team wants to review the data itself before it is sent to the employee.
- Setting up a new role in Transcend: Security > Access control
  - E.g. Your People Ops rep wants specific permissions to submit and manage employee requests, but does not need to be involved in other data subject requests.