What employers need to know about employee data protection—from GDPR to US laws

Not a week goes by without another data breach making the headlines. If hackers gain access to your confidential information, they can steal identities, extort you and your employees, and leave your business in serious legal jeopardy.

While every employer needs to collect confidential information from employees—for things like payroll, taxes, and health insurance—it’s your responsibility to keep their information safe. Implementing a robust data protection plan can help protect your workers and build their trust. But, the specifics around protecting their data will depend on where you and your employees are located. 

Not only do you have to comply with the employee privacy regulations in your own state, but you also have to comply with federal laws and possibly those of other states and countries. California, Connecticut, and Delaware have particularly tough laws. In fact, the California Consumer Privacy Act (CCPA) is the strictest in the US. Additionally, being a US-based company doesn’t exclude you from complying with the European Union’s General Data Protection Regulation (GDPR).

Read on for an easy guide on safeguarding employee data, complying with privacy regulations, and reducing your liability as an international employer.

What is employee data protection?

Employee data protection means ensuring your employees’ personal data is safe and secure, especially from third-party breaches. 

Complying with privacy laws and maintaining data security, however, limits an employer's ability to collect employee data. Most privacy laws only allow you to collect data that is absolutely necessary. In most cases, employees must be notified of how their data is being used and allowed to correct it. Retention policies (how long you can keep data before destroying it) may also be required, specifically regarding the data of former employees. 

As a US-based employer, remember that international regulations will apply to you if you have employees in other countries. For example, US companies hiring employees in Germany or France need to comply with the EU’s GDPR. 

What data do employers need to protect?

Employers are responsible for protecting the following kinds of employee data:

• Name
• Address
• Phone number
• Date of birth
• Social Security number 
• Sex and gender
• Sexual orientation
• Race
• Marital/family status 
• Banking information
• Medical information
• Employment history
• Results of background checks
• Performance reviews and other HR files (information from job applicants like resumes)
• Disability status
• Citizenship
• National origin
• Any identifying information

Keep in mind that different jurisdictions may protect varying kinds of information.

Which employee data protection laws apply in the US? 

Data protection laws in the US are a mix of federal and state regulations. On the federal level, these are the main laws to keep in mind: 

• Health Insurance Portability and Accountability Act (HIPAA): This federal law covers personal health information and how it’s shared with an employer. An employer can’t ask for private information from an employee’s health plan or health care provider without the employee’s knowledge and consent unless required by law.

• The Americans with Disabilities Act (ADA): Under the ADA, employers may ask disability-related questions and require medical exams only after a job offer has been made or when accommodating a worker’s special needs. This information must be kept in separate, confidential medical files. It may be shared with state agencies, emergency services, and, in some cases, the employee’s managers.

• Fair Credit Reporting Act (FCRA): If your organization uses credit reports or background checks in the hiring process or for other HR purposes, you must comply with the FCRA. First, you must obtain permission from the applicant/employee to conduct these kinds of checks. Any information obtained (electronic or hard copy) must be destroyed after it’s no longer needed. This includes any documentation that contains sensitive information from the credit report or background check.

• Fair and Accurate Credit Transactions Act (FACT): The Fact Act relates to the accuracy of credit-related records and identity theft. Data must be scheduled for deletion when no longer required, and any shared data (like with a credit reporting agency) must be accurate or corrected if it isn’t.

• The Privacy Act: Personal data held by the federal government is protected by the Privacy Act. It doesn’t play a direct role in the private employer-employee relationship, but it is another law that protects individuals from the disclosure of confidential information. 

Data protection laws vary from state to state. The strictest of these is the California Consumer Privacy Act (CCPA). The CCPA grants consumers several rights concerning their private data, including: 

• Knowing what personal information is being collected (and how it’s being used) 
• Opting out of data collection
• Correcting or deleting data
• Being protected from discrimination for exercising these rights

Most for-profit companies in California also fall under the CCPA. If your company does, you must inform employees of any personal information you transfer to a third party—you’ll need a Data Processing Agreement (DPA) for this. Employers who fail to protect private data can be subject to fines and liable for damages.

What about my European employees? 

Europe’s robust General Data Protection Regulation (GDPR) protects personal data in the 27 member states of the European Union plus countries in the European Economic Area. The goal of the GDPR is to give EU citizens and residents more control over how their data is collected, used, and protected online. The regulation also applies strict rules on how organizations collect, use, and secure personal data.

Because the GDPR applies to EU citizens and residents, it also applies to organizations outside the EU if they handle EU data (extra-territorial effect). This includes US employers who recruit and hire EU citizens and residents. Whether full-time or contract, US employers have to comply with the GDPR if they process the personal data of EU citizens.

Here are some things to keep in mind if your company is subject to the GDPR: 

• Inform EU citizens that you’re collecting their data and provide a reason as to why. This can be done in your privacy notice. 
• Perform a data protection impact assessment (DIPA) to reduce risks and improve protection.
• Designate a data protection officer (especially for larger companies) to oversee security and compliance.
• Appoint a representative in the EU, if required. 
• Put adequate safeguards in place before transferring employee records and data to a country outside the EU.
• Prove compliance with the GDPR. This means keeping detailed records of the data you’re obtaining, where it’s stored, how it’s used, and who’s responsible for it. 

If you fail to comply with the GDPR, you might face significant fines of EUR 20,000,000 (USD 21,500,000) or more.

7 steps to protecting your employee data

Protecting your employee data can be complicated (and understandably so). If you follow the steps below, you’ll be well along your way to ensuring the security of your employee data. 

1. Know the law 

Knowing your data handling responsibilities is critical to creating a protection plan. Doing business in other states and countries adds an extra layer of complexity, so be sure to keep track of applicable regulations—on the federal, state, and local levels. 

2. Establish data privacy policies and security measures 

Be aware of what you’re collecting, who you’re collecting it from, and where you’re storing it. Establish policies that cover your data protection plan and institute specific security measures. 

Here are some measures you can take:

• Limit employee access to data: Follow the “principle of least privilege,” and allow employees to access only the information they need for their job. 
• Secure physical devices: Company phones and laptops should have strong passwords (or require biometric access), and you should be able to erase devices remotely. 
• Encrypt data: Use data encryption on servers and devices and when transferring data. 

You should be transparent with your employees about your data security. If they know what you’re collecting and how you’re keeping their data safe, it’ll help build trust in the long run.

3. Limit access only to necessary parties

Only people who absolutely need to access confidential data (for example, HR employees) should be able to have it. Enable protocols like multi-factor authentication and review your security procedures on a regular basis.

4. Screen employees with access to sensitive data

If you plan to give employees access to sensitive company data, screen them beforehand. Have them sign an agreement outlining their responsibilities and the penalties for mishandling data. Frequently review who has access and revoke the credentials of anyone who no longer needs it or has left the company. 

5. Provide training to employees

The methods criminals use are constantly changing. They don’t just rely on breaking into your network; they can go after your employees directly, tricking them into clicking on a link in an email (phishing) or revealing information over the phone. Routinely training everyone in the organization—not just those who work with sensitive data—can help strengthen data security.

6. Have a plan in place

Hacks happen. And if they do, you need to be prepared. Your company should have a plan in place detailing how to deal with the fallout. Like all security training, it should be revised frequently. Additionally, be sure to share the plan with relevant stakeholders across the organization. 

7. Choose the right software

The right software can aid in protecting sensitive data and securing employee devices. Choosing the right software for your company is paramount. It can manage access, help prevent security breaches, and ensure you comply with the necessary regulations that apply to your company.

When considering any software, ask yourself: Is it SOC 2 compliant? Does it automatically encrypt sensitive data like Social Security numbers and bank information? Does it have strict access controls? Is the data hosted on a secure infrastructure provider?

Securing your employee data with Rippling

How do you deal with the overwhelming amount of employee information scattered across your organization? 

Rippling can pull together every bit of employee data from HR, IT, Finance, and third-party systems into one secure platform. With Rippling, you can automatically generate and safely share reports and reporting privileges with anyone in or outside your company. Everyone can get all the data they need in one place—without compromising on data security. 

FAQs about employee data protection

What states have strict employee data privacy laws? 

Across the US, many states are strengthening their data privacy laws. California has the toughest regulations in the country. Other states with strict regulations include Colorado, Connecticut, Delaware, Utah, and Virginia.

What is GDPR?

GDPR is the European Union’s General Data Protection Regulation, the strictest privacy law in the world. If your organization targets or collects data from citizens or residents of the EU, GDPR compliance is a legal obligation. Violating the GDPR can result in fines of EUR 20,000,000 (USD 21,500,000) or more.

What is a Data Protection Impact Assessment (DPIA), and when is it required?

A Data Protection Impact Assessment (DPIA) is a security audit that identifies the risks of processing personal data to minimize them as early as possible. According to the GDPR, conducting a DPIA is mandatory when data processing is assumed to pose a significant threat to the rights of individuals.

What other data privacy laws apply to my business? 

If you’re based in the US, you’re subject to federal regulations, including HIPAA, ADA, FCRA, and FACT, in addition to your own state’s laws. If you’re processing data from EU citizens, you may have to comply with European regulations; the same goes for other states and countries.

Rippling and its affiliates do not provide tax, accounting, or legal advice. This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for tax, legal, or accounting advice. You should consult your own tax, legal, and accounting advisors before engaging in any related activities or transactions.