To run a company successfully, you need to collect employee data for payroll, benefits, Diversity, Equity, and Inclusion (DEI) efforts, and simply to have metrics to improve the workplace experience. If you collect any employee data, however, you need to stay compliant in how you collect, store, and use that worker information, and for most business owners the very word “compliance” is stressful. After all, failing to comply with an ever-changing patchwork of data privacy rules can mean significant fines and civil actions that could threaten the continued existence of a business.
With over 80% of American businesses reporting they have been hacked at some point, the stakes are high. How can you make sure you stay up to date and compliant with an ever-changing set of rules? How can you protect the data your workers have entrusted you with while also reducing liability and protecting your company?
Here are some ideas you can start implementing today.
Step One: Know Where Your Employees Are Located Right Now
With 62% of employees working remotely at least some of the time, there is more flexibility than ever before. Workplaces can hire the best talent from around the world, all while accommodating workers of different physical abilities and backgrounds to do their best work.
There are plenty of advantages to remote workplaces. You have a larger talent pool to draw on and can create a more equitable and diverse workforce. You can hire employees who can serve global clients more effectively and you enjoy more innovation, thanks to creative ideas brought to you by international employees.
Employee data compliance also depends on where your workers are living right now. If you have workers in the United States, for example, there is no single federal law that governs employee data, though employee health data collection may be subject to rules that prevent personal health information from being disclosed. However, there are many federal and state rules that determine how you can collect, store, and use worker information.
For example, in Massachusetts, 201 CMR 17.00 governs data compliance and concerns any information gathered about residents of Massachusetts, including employees. Under this law, you need a compliant written information security plan (WISP) and a formal information security program to keep data safe.
If you have workers in the European Union, whether or not they are EU citizens, the EU General Data Protection Regulation (GDPR) applies. Under these broad regulations, employees must consent to the processing of any of their personal data, including any data used for employment, retirement plans, and most other purposes. Data processors and controllers also need to appoint Data Protection Officers (DPOs) in situations where large amounts of data, special categories of data, or public authorities are involved.
Make sure you have a system for capturing any address changes for your employees so you can review compliance requirements for employee data in their nation. Since it can be complex to have multiple compliance plans for different employees, it may be easiest to make a list of where your workers live, research employee data compliance regulations in each of those locations, and create one employee data collection and use plan that meets requirements for all these rules.
For example, if you have some employees in the EU and some in the US, applying the GDPR employee data rules to all employees ensures no mistakes are made with your EU workers.
Step Two: Stay Aware of Changes
Countries and states are always updating their compliance requirements for employee data. It is important your HR team stays up to date about changes so you stay compliant with new rules. For example, if you have workers in the UK, the UK-GDPR applies as of 2022. Under these rules, consumer and employee data can be collected and used only with transparency and fairness. It can only be kept as long as the data is required.
However, in 2022 the UK proposed changes to its data privacy rules that would move it further from GDPR compliance and its employee data requirements. Under the proposed rules, it might become possible for companies to develop anonymized datasets, for example, and some paperwork rules may be relaxed as well.
Step Three: Create Smart Policies
Perhaps you have a small business, with no overseas or international employees and no strict state requirements for employee health data collection or any employee data collection rules. Even in these situations, create a formal, written plan for data compliance to keep employee data safe. For example, your written plan may include rules such as:
- All computers which are used to process or access employee data must use password protection & security software
- Company files containing employee data cannot be removed from the offices
- Physical files containing employee data cannot be left anywhere where unauthorized persons can see the files
- All programs installed on company computers need to be approved by the IT department
The rules you create in your plan will depend on your company and your risk factors, but creating a written plan can prevent your employees from exposing sensitive data and can reduce the risk of civil action against you. You may want to review your plans with legal counsel to make sure they reflect current requirements.
Step Four: Choose Data Processors Carefully
Your company likely works with other organizations that have access to your employee data. When working with them, do your due diligence to make sure that data is safe in their hands. If a business or data processor has access to your employee data, you remain ultimately responsible for the safety of your workers’ information.
When organizations work with Diversio, for example, they often want to know how we work with employee data. After all, Diversio is a metrics-driven, AI-powered DEI solution. Through Diversio for Companies and Diversio for Portfolios, we gather employee data through four-minute pulse surveys and benchmark and analyze that data to help organizations, including governments, make measurable DEI changes. At Diversio, we take data security and privacy seriously. That’s why we:
- Only work with larger companies where employee data, including gender identity & mental health status, cannot be traced back to individual employees
- Encrypt data & store it on secure servers
- Don’t ask anything that would uniquely identify an employee
- Only identify roles or departments if there are at least eight members in these roles or in a department, so characteristics cannot be traced to any individual
- Never share employee data with companies, so companies never see any identifying data which could help them trace survey replies to a specific employee
- Have strict internal policies which significantly limit how much data about clients we can discuss with each other internally
- Create strong company agreements which let you see exactly how your employee data & other sensitive information will be used
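The minimum-group-size rule above (reporting a role or department only when it has at least eight respondents) is a form of small-cell suppression. The example below is added here to show how such a rule can be applied to survey responses; it is not Diversio’s code and does not describe their system. The threshold of eight comes from the page; the response format, the department names and answers in the constructed sample, and the extra step of withholding additional small groups when an overall total is published (so that a single suppressed group cannot be recovered by subtraction) are assumptions that go beyond what the page states.

```python
from collections import Counter, defaultdict

# Threshold named on the page; everything else in this file is a constructed example.
MIN_GROUP_SIZE = 8


def aggregate(responses, group_key, answer_key, min_size=MIN_GROUP_SIZE, publish_total=True):
    """Count answers per group and withhold any group with fewer than min_size respondents.

    Returns (published, suppressed, total):
      published  - dict mapping group -> Counter of answers, for groups large enough to report
      suppressed - set of group names withheld from the report
      total      - Counter of answers over all respondents when publish_total is True, else None

    If a total is published, "total minus the published groups" equals the union of the
    suppressed groups. To stop a reader recovering one small group that way, the smallest
    remaining groups are also withheld until the suppressed union is itself at least
    min_size respondents (complementary suppression; an assumption, not a page rule).
    """
    by_group = defaultdict(list)
    for r in responses:
        by_group[r[group_key]].append(r[answer_key])
    sizes = {g: len(a) for g, a in by_group.items()}

    suppressed = {g for g, n in sizes.items() if n < min_size}
    if publish_total:
        while suppressed and sum(sizes[g] for g in suppressed) < min_size:
            remaining = [g for g in sizes if g not in suppressed]
            if not remaining:
                break
            suppressed.add(min(remaining, key=lambda g: sizes[g]))

    published = {g: Counter(by_group[g]) for g in sizes if g not in suppressed}
    total = Counter(a for answers in by_group.values() for a in answers) if publish_total else None
    return published, suppressed, total


def _build_sample(spec):
    """Expand (department, answer, count) triples into individual response records."""
    return [{"department": d, "answer": a} for d, a, n in spec for _ in range(n)]


# Constructed sample: four departments, one yes/no pulse question.
# Legal has only 3 respondents, so it must never be reported on its own.
SAMPLE = _build_sample([
    ("Engineering", "yes", 7), ("Engineering", "no", 3),
    ("Sales", "yes", 4), ("Sales", "no", 5),
    ("Finance", "yes", 8),
    ("Legal", "no", 3),
])


if __name__ == "__main__":
    published, suppressed, total = aggregate(SAMPLE, "department", "answer")
    for dept, counts in published.items():
        print(f"{dept}: {dict(counts)}")
    print("withheld (too small to report safely):", sorted(suppressed))
    print("company total:", dict(total))
```

With the sample above and a published company total, Legal (3 respondents) is withheld, and Finance (exactly 8) is withheld as well, because otherwise the total minus Engineering, Sales and Finance would reveal Legal’s three answers. With `publish_total=False`, only Legal is withheld and Finance is reported.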
If you’re curious about how Diversio uses data to help companies, read these case studies to see what working with us is like.
Step Five: Offer Employee Data Collection Training
Anyone in HR, leadership, and management needs ongoing employee data collection training. They need to understand the current best practices and rules that govern any of their employees. If you are collecting DEI data, specifically, Diversio Academy can offer training for HR directors, DEI directors, and other stakeholders.
In addition to leadership and management training, offer employees information and training. If you explain what employee information you gather, why, and how you keep it safe, your employees may feel more comfortable with your data collection efforts.
Step Six: Review Employee Data Collection Tools Regularly
Employee data collection tools are any platforms or tech you use to collect, store, and manage employee data. For most companies, there are more of these tools in use than you may realize. The average company today uses 254 applications, though only 45% are used on a regular basis. This means employee data can be stored on many, potentially forgotten, employee data collection tools, employee management apps, and SaaS solutions.
Make it a practice to carefully review how any new tech you use collects, stores, and uses employee data. Is the tech provider aware of and compliant with GDPR and other relevant rules? Read the fine print to evaluate encryption efforts and other ways the company keeps data secure. Only work with reputable companies that take security seriously.
Your Employee Data is a Precious Resource
Employees trust you with their personal details, including contact information, health information, and other sensitive data. Honor that trust: follow best practices to keep worker data secure and stay compliant with all relevant regulations.