Rehan Jalil is CEO of cybersecurity and data protection infrastructure firm SECURITI and ex-head of Symantec’s cloud security division.

Personal employee data is governed by a minefield of laws and regulations. To avoid legal "explosions," a company needs to know its obligations in each state and country in which it operates — and implement appropriate privacy and security controls. 

Typically, privacy laws apply to personally identifiable information such as a name, address, phone number, birth date, Social Security number and so on. In the United States, a handful of federal laws protect specific types of personal information. These laws include the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act, the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACT Act).

In Europe, the General Data Protection Regulation (GDPR) gives extra protection to "special categories" of personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data and data about sex life or sexual orientation. Data about criminal convictions and offenses is restricted separately.

Some states, notably California, have enacted stricter, more comprehensive privacy laws.

Here are the top obligations that every organization should incorporate into its internal data privacy programs.

1. Know the privacy laws that apply to employees.

Identifying the laws and knowing what employee rights they protect are the most basic of obligations for any company. For enterprises with global operations, this obligation becomes a monumental task.

To comply with global regulations, enterprises need to create security controls and privacy practices that ensure they are obeying the laws in each country where they operate.

2. Justify the collection and processing of personal data.

In general, companies can only collect and process personal data of employees that is necessary and relevant to their job. Typical employee data includes resumes, references, payroll information, medical files, employment contracts, compensation and benefits, as well as performance reviews.

The EU's GDPR (Article 4(1)) defines personal data as any information relating to an identified or identifiable natural person, that is, someone who can be identified directly or indirectly "by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

3. Implement formal consent policies and procedures.

Companies need to disclose to employees how they collect, process and share their personal data. The best way to do this is through transparent, formal privacy and consent policies that are easily accessible and understandable as well as compliant with all relevant laws. One caveat: under GDPR, consent is rarely a sound legal basis for processing employee data, because the imbalance of power between employer and employee means consent is seldom "freely given." Most HR processing instead rests on the employment contract, a legal obligation or the employer's legitimate interests, and the notice should state which basis applies to each processing activity.

These policies should be reviewed and updated on a regular basis. Companies must also tell employees what their data protection rights are (under GDPR, the privacy notice itself has to list them) and should train the staff who handle personal data so that they recognize and honor those rights.

4. Meet data subject requests (DSRs) within deadlines.

Companies must fulfill employees' data subject requests (DSRs) within the statutory deadlines or face penalties and possible legal action. Under GDPR the deadline is one month, extendable by two further months for complex or numerous requests; under the CCPA it is 45 days, extendable once by another 45 days.

Under GDPR, data subject rights include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to decisions based solely on automated processing. The California Consumer Privacy Act (CCPA) offers similar protections.

5. Audit all processing of personal data.

Discover where employee data actually lives (the HR system, but also payroll, ticketing, shared drives, email and backups) and maintain a record of every activity in which it is processed, such as recruiting, onboarding and benefits management, together with the purpose of each activity, the categories of data involved, who it is shared with and how long it is retained. GDPR Article 30 requires such a record of processing activities for most organizations.
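Building that inventory starts with finding personal data that lives outside the places you expect. The following scanner is an added example, not code from the original article or from SECURITI; it runs a few pattern matchers over constructed sample records from three hypothetical HR data stores and reports which fields hold which categories of PII. The store names, field names and sample values are all made up. The SSN matcher applies the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) so that random nine-digit strings do not trigger false positives.

```python
import re

# Constructed sample rows from three hypothetical data stores (not real data).
# The helpdesk ticket shows the common case: PII copied into an unstructured
# system that is not "the HR system" and would be missed by a narrow inventory.
SAMPLE_STORES = {
    "recruiting.candidates": [
        {"name": "Ada Example", "email": "ada@example.com", "notes": "Referred by J. Doe"},
    ],
    "payroll.employees": [
        {"name": "Ada Example", "ssn": "123-45-6789", "phone": "(415) 555-0100", "salary": "98000"},
        {"name": "Bob Sample", "ssn": "000-12-3456", "phone": "415-555-0199", "salary": "71000"},
    ],
    "tickets.helpdesk": [
        {"subject": "Badge reset", "body": "Please reset badge for ada@example.com, call 415 555 0100"},
    ],
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# North American number with optional parentheses and -, . or space separators.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999, group 00 and serial 0000 never occur."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def classify(value: str) -> set:
    """Return the set of PII categories found in one field value."""
    found = set()
    for m in SSN_RE.finditer(value):
        if is_plausible_ssn(*m.groups()):
            found.add("ssn")
    if EMAIL_RE.search(value):
        found.add("email")
    if PHONE_RE.search(value):
        found.add("phone")
    return found


def scan_stores(stores: dict) -> dict:
    """Return {store: {field: {categories}}} for every field that holds PII.

    Fields with no hits are omitted, so the result is directly usable as the
    data-category column of a record of processing activities.
    """
    inventory = {}
    for store, rows in stores.items():
        for row in rows:
            for field, value in row.items():
                cats = classify(str(value))
                if cats:
                    inventory.setdefault(store, {}).setdefault(field, set()).update(cats)
    return inventory


if __name__ == "__main__":
    for store, fields in scan_stores(SAMPLE_STORES).items():
        for field, cats in fields.items():
            print(f"{store}.{field}: {', '.join(sorted(cats))}")
```

In practice the matchers would be run against database column samples, file shares and ticket bodies rather than an in-memory dict, and every hit should be confirmed by a human before it goes into the formal record, but the shape of the output (store, field, category) is what the record needs.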

6. Protect employees’ data and notify them of a data breach without delay.

To comply with privacy laws, such as GDPR and CCPA, companies must ensure they have appropriate security measures to protect their employees’ data. 

If employees' data is accessed, acquired or compromised in a security breach, a company must notify the affected employees and/or regulatory authorities within the stipulated time frames. Under GDPR, the supervisory authority must be notified within 72 hours of the company becoming aware of the breach, and the affected individuals without undue delay when the breach is likely to result in a high risk to them; U.S. state breach-notification statutes set their own clocks and triggers.

7. Control access to personal information.

Ensure only authorized users in your organization are able to access employee information, and only the parts of it their role requires: a manager needs performance reviews, not Social Security numbers; payroll needs bank details, not medical files. Deny access by default, grant it per role and per data category, and log every access with the actor and the purpose so that the log doubles as evidence for the record of processing.
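The following is an added example of such a field-level, deny-by-default access check with an audit trail; it is not code from the original article or from SECURITI. The employee IDs, the roles ("self", "manager", "hr", "payroll"), the field policy and the sample records are all hypothetical, and in a real system the actor's role would come from the identity provider rather than being passed in by the caller.

```python
from datetime import datetime, timezone

# Constructed sample employee records (not real data). "manager" holds the
# employee ID of the person's line manager.
EMPLOYEES = {
    "e100": {"name": "Ada Example", "manager": "e200", "email": "ada@example.com",
             "ssn": "123-45-6789", "salary": 98000, "review": "Exceeds expectations"},
    "e200": {"name": "Bob Sample", "manager": "e300", "email": "bob@example.com",
             "ssn": "987-65-4321", "salary": 130000, "review": "Meets expectations"},
}

# Hypothetical policy: which roles may read which field. Any field not listed
# here is denied to everyone (deny by default), so adding a new column to the
# record never silently exposes it.
FIELD_POLICY = {
    "name":   {"self", "manager", "hr", "payroll"},
    "email":  {"self", "manager", "hr", "payroll"},
    "review": {"self", "manager", "hr"},
    "salary": {"self", "hr", "payroll"},
    "ssn":    {"self", "payroll"},
}

# Every access attempt, granted or denied, is appended here. In production this
# would be an append-only log the actors cannot edit.
AUDIT_LOG = []


def roles_for(actor_id: str, actor_role: str, subject_id: str, employees: dict) -> set:
    """Combine the actor's directory role with relationship roles.

    'self' and 'manager' cannot be static group memberships: they depend on
    who is asking about whom, so they are derived per request.
    """
    roles = set()
    if actor_id == subject_id:
        roles.add("self")
    if employees[subject_id]["manager"] == actor_id:
        roles.add("manager")
    if actor_role in ("hr", "payroll"):
        roles.add(actor_role)
    return roles


def read_employee(actor_id: str, actor_role: str, subject_id: str, fields: list,
                  purpose: str, employees: dict = EMPLOYEES):
    """Return (granted, denied): the requested fields the actor may see, and those refused.

    A processing purpose is mandatory so the audit entry records why the data
    was read, which is what the record of processing activities needs.
    """
    if not purpose:
        raise ValueError("a processing purpose is required")
    if subject_id not in employees:
        raise KeyError(f"unknown employee {subject_id}")
    roles = roles_for(actor_id, actor_role, subject_id, employees)
    record = employees[subject_id]
    granted, denied = {}, []
    for f in fields:
        # Default deny: the field must be in the policy AND the actor must hold an allowed role.
        if f in FIELD_POLICY and roles & FIELD_POLICY[f]:
            granted[f] = record[f]
        else:
            denied.append(f)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor_id, "roles": sorted(roles), "subject": subject_id,
        "purpose": purpose, "granted": sorted(granted), "denied": list(denied),
    })
    return granted, denied


if __name__ == "__main__":
    # Bob (e200) manages Ada (e100): he gets her review but not her salary or SSN.
    print(read_employee("e200", "employee", "e100", ["name", "review", "salary", "ssn"],
                        "annual performance review"))
    for entry in AUDIT_LOG:
        print(entry)
```

The denied list is returned alongside the granted data rather than raising, so a caller can render a partial record and the log still shows exactly which fields were refused; a burst of denials for one actor is also a useful detection signal for someone probing records they have no business reading.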

Although customer data privacy violations often make the headlines, employee data privacy is an emerging area of potential liability and risk for organizations. Consider these seven obligations when developing your employee data privacy program, processes and procedures. Abiding by these guidelines can help keep regulators at bay. 

In today's business environment, it's vital that leaders ensure they are well-equipped to protect and properly handle employee personally identifiable information. 
