California's CPRA Employee Requests

Add employee DSARs to your Transcend instances to comply with California CPRA’s employee rights requirement.

Under CCPA, employees were exempt from consumer rights, but starting January 1, 2023, under CPRA, B2B and HR personal information will be under the same regulation as consumer data. CPRA extends rights to employees, contractors, and job applicants, including the right to know, deletion, correction, opt out of sale/share, and limited use and disclosure of sensitive personal information.

For more on what’s new in CPRA, read the exact modifications to the law with Transcend's diffed document, showing the changes between CCPA and CPRA.

First, you’ll want to create one or more new data subject types to represent employee requests. You can configure these how you like based on the regions you operate in, the systems that hold employee data, etc. We recommend one of the following:

Creating a single new Employee data subject: If the EU and California employees will be allowed to make the same data requests (e.g. access, erasure, etc.) and have data in the same systems.

Creating two new data subject types for California employees under CPRA and EU employees under GDPR: If you prefer to configure different systems for each of the regimes (e.g. California employees have data in System A, while EU employees have data in System B). This option also allows for different request types under the different regimes.

Adding a new data subject type in Transcend Privacy Requests.

Next, configure the new data subject type(s) to allow for the correct data actions (e.g. Access, Erasure, Opt out of Communication, etc.).

Using Transcend Privacy Requests, reference Configuring Requests > Data subjects and data actions for instructions on setting this up. These docs will also walk you through setting up identity verification and email communication templates, if you plan to use different verification methods and/or email templates for your employee requests.

It’s critical you have a comprehensive view of all systems with personal employee data and the personal information being collected and processed.

Transcend Data Mapping does an initial remote scan of your website using a headless Chromium browser and also identifies backend tooling that may not be visible client-side, such as systems connected to your Customer Data Platform (e.g. Segment) or SSO provider (e.g. Okta). Follow the Data Mapping implementation docs to catalog your company's entire data inventory and ensure you are not missing any data silos that might keep you from being fully compliant.

Catalog systems with employee data.

Your Data Inventory includes a “Recommended for Privacy Requests” column that you can reference to understand which systems should be integrated for data subject request workflows.

Now that you have identified all systems containing employee data (see Step 1; note that some companies may also have a manual list recorded somewhere), you can connect these systems to your Transcend instance.

Transcend integrates directly with common HR SaaS applications like Greenhouse, HiBob, and Deputy. You can reference our full integration catalog.

Follow the instructions in Privacy Requests > Connecting Integrations to connect and configure these systems for requests to your new employee data subject type(s).

Connect new systems holding employee data.

Note: For any systems that may not have an API integration built, Transcend can set up a manual process, triggered through Transcend, to extract the data from those systems as an interim approach while we build the new API integrations needed.

Depending on your company’s preference, you can follow the instructions below to add configurations that tailor the workflow for employee data subject requests.