The old saying went that “if you don’t want it on the front page of the newspaper, don’t put it in an email.” Well, if you don’t want to produce it as part of an employee’s Data Subject Access Request (DSAR), it shouldn’t be part of your employee files.
Employee DSARs are coming soon to a California employer near you. But the European Union, United Kingdom and Canada have been handling them for a while.
Here are some things we can learn from their experiences.
1) Map out your HR related systems.
This includes actual assets and systems. This includes unstructured data and things that go to die in Sent Items and in “group mailboxes.” This includes things on employees’ devices, like personal text messaging. This includes things in backups and filing cabinets. This definitely includes your service providers. Reach out to them, ask for a sample access request response, vet it, mark it up.
2) Review your processes and train.
Train your HR stakeholders on the new requirements in the law. Train them to recognize the requests. Allocate responsibility for the responses. Review your processes, including those internal notes and scribbles. Should they be part of the formal record, or is there another way to do this? Review your records retention policies (but be mindful of minimum retention periods, e.g. in Canada).
3) Review the data that you are collecting.
What is “personal information” of the individual and what isn’t? What are the problem points you would have an