Exterro's Legal GRC Breakdown


Data Privacy Risks from the Great Resignation

Created on January 6, 2023

Ray Pathak, Vice President - Data Privacy, Exterro

This article originally appeared in October 2022 on HR Review.

Post-pandemic, the employment market is in a state of flux as people seek to progress or change careers, but the Great Resignation is having an unprecedented impact on the HR function in some unexpected ways, argues Ray Pathak. It is not just resulting in higher job vacancies; it is also affecting data privacy, potentially leading to breaches of data protection regulations, and it is fuelling Data Subject Access Requests (DSARs).

As employees leave, they can often take sensitive data with them, such as customer lists, employee records or confidential documents, and may use various exfiltration methods to get that data out: a USB stick, webmail, printing, or uploading it to cloud storage such as Dropbox. Any exfiltrated data will be regarded as a data breach and will require a digital investigation involving forensics and incident response. It then falls to HR to help carry out this e-discovery.

Employees also often know their employers' poor retention practices, and can use DSARs to surface issues in retention: why is this data still held when the retention policy says it should not be? Retention policies and schedules can then become evidence that the organisation knew better.

Diverse Data

Employee data is generally unstructured and held in many different locations, making it hard to search and, depending on the time the employee has spent with the company, it can span decades. It may cover mobile texts, perhaps from when the employee phoned in sick, any work documents that bear their name or have been edited by them, as well as correspondence such as emails. Working from home has further complicated matters, with personal data residing on collaborative platforms such as WhatsApp. In fact, much of that data will not be discovered until litigation is under way.

Disgruntled employees are also more likely to exercise their rights and submit a DSAR upon leaving, and higher redundancy rates coupled with the Great Resignation undoubtedly saw requests increase. A survey of 460 UK-based DPOs from the UK Data Protection Index revealed an average of 10.85 DSARs per month, peaking at 18.04 in December 2020 – a 66% increase.

Employee requests are more time intensive and therefore expensive to fulfil. Estimates suggest businesses with over 5,000 employees can expect to spend £1.58m annually on responding to DSARs. Consequently, many firms don’t fulfil requests within the required 30-day window and seek an extension. Indeed, 58 percent of companies failed to address DSARs within this timeframe according to research from Talend.

Certain documents can be withheld by the company when fulfilling a DSAR, but the HR team needs to tread carefully here. So-called Dark Patterns, whereby the business attempts to manipulate the user and their privacy rights, can also apply to a DSAR. Influencing or discouraging people from exercising their privacy rights, or making it harder for them to pursue a request, could all be seen as Dark Patterns.

Regulatory Change

To ensure the business can operate without fear of penalties, it is imperative to focus on an HR privacy compliance strategy. The first step for the team is to understand their legal obligations, and these are expected to change under the Data Reform Bill, which is set to replace GDPR. There may well be a more relaxed approach, as requirements for a Data Protection Officer (DPO), Data Protection Impact Assessments (DPIAs) or Records of Processing Activities (ROPAs) are liable to be dropped. Regardless of any changes to the law, it’s important to have a privacy governance team in place, as someone will still need to be in charge of the programme.

With respect to the DSAR process, it’s expected that the Data Reform Bill will make it easier for organisations to decline these. Previously they had to be unfounded and excessive but it’s likely the rejection of those deemed vexatious and excessive will also be allowed. Those lodging a DSAR will also need to first try and resolve any complaint with the data controller before approaching the ICO. However, this could increase the HR workload as it could potentially see a rise in complaints and cause some frustration for subjects, as they will effectively be losing access to the regulator.

Key to maintaining a consistent, compliant approach is a robust data inventory, which ensures that the business understands what data it holds and what it is trying to protect. This needs to be embraced company-wide and involves interdepartmental cooperation between teams. An accurate data inventory ensures HR can locate the correct data to fulfil the DSAR.

And regardless of changes to the law, the ICO has signalled that responding to DSARs is not something to be taken lightly; recently seven organisations were ‘named and shamed’ in relation to ongoing failures and delays in responding to DSARs.

Using Retention to Reduce Risk

Locking down the data inventory provides the basis for a sound data retention schedule. This details what data should be kept and for what duration, helping to minimise risk and reduce the volume of data that could be demanded in the event of a DSAR or any litigation. If the business can disclose the purposes for which employee data is being used, it may be able to exclude the data from the DSAR or decline it altogether.

The HR privacy policy should also include details on how data will be secured at different points during its lifecycle, lessening the likelihood of a breach and ensuring incident response processes can kick in should data be exfiltrated. It should also cover how DSARs will be managed and responded to, with clear processes in place to help the business meet requests within the 30-day window and so reduce costs.

Unlike consumer data, which tends to be used for a discrete period of time and has limited uses, HR data is wide-ranging and used for a broad range of purposes. There is frequent data sharing with third parties, and it is not uncommon to have 50-60 functions outsourced. So the privacy policy also needs to cover how data will be managed and shared with third parties, and this should be stipulated in the contracts in place with providers.

Finally, the policy should provide opportunities for training and seek to keep the channels of communication open across the business, to ensure that the inventory is updated correctly and the retention policy is observed.

HR teams have had to adapt quickly to these demands, with many still continuing to support a remote or hybrid workforce. This means we can expect to see employee data continue to be disseminated widely, over collaborative platforms, chat applications and disparate devices. Keeping a handle on all of this will continue to prove challenging, even with the relaxation of GDPR, which is why HR teams need to reassess their data privacy policies and workflows.