The people data compliance checklist

Catherine Tansey, Apr 17th, 2024

Learn the 6 steps—and one bonus step—that every people team should take to ensure compliant use, collection, and storage of people data.


Compliance is about reducing risk — for your company and employees. Especially when it comes to sensitive employee information, non-compliant, inappropriately secured data makes companies and people vulnerable.

While a slew of consumer data protection laws have gone into effect in recent years, it’s important to remember that these almost universally apply to employees as well. 

For example, the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) govern employee data. Among other requirements, these mandate that companies secure permission to collect employee data, share transparently how the data is used, and have systems in place in case employees revoke their permission.

These regulations make for a complex compliance landscape but are ultimately a net positive, as they help protect the highly personal data employees share with their employers. Without the data employees share in voluntary self-ID campaigns, it would be nearly impossible to drive meaningful change in the workplace. But it’s imperative that this data is securely collected, stored, and ethically used.

Keep reading to learn how people teams can ensure the compliant use, collection, and storage of people data.

Step 1: Understand your compliance obligations

Businesses have serious responsibilities when it comes to data compliance. Regulations exist across state, federal, and international jurisdictions, and vary across industries. Companies that fail to comply with data protection laws face hefty fines and risk reputational damage. 

At most orgs, it’s up to HR professionals to uphold these standards in order to protect employee data and avoid costly non-compliance fees. From an HR perspective, some of the most important laws include GDPR, CCPA, some specific EEOC reporting requirements, and HIPAA.

  • General Data Protection Regulation (GDPR): GDPR was signed into law in the EU in 2016 and companies were required to be fully compliant by 2018. Businesses that have or hold data belonging to any EU citizen are subject to GDPR data protection requirements. The maximum penalties are 4% of worldwide revenue or €20 million, whichever is greater.

  • California Consumer Privacy Act (CCPA): After going into effect on January 1, 2020, CCPA became the strictest data privacy law the United States has seen yet. CCPA requires that all businesses with more than $25 million in annual revenue must explicitly disclose what information they collect and that consumers have a right to data deletion. Businesses must comply with CCPA if they collect data belonging to California residents.

  • EEOC: The EEOC requires that most private employers and federal contractors submit workplace demographic reports under EEO-1 Component 1 data collection. With the United States government poised to change how it collects race and ethnicity data, it’s possible that EEO reporting requirements may shift as well. 

  • HIPAA: If, as a company, you pay for a portion of employees’ health care plans, you may be subject to HIPAA. Employee health records, whether obtained as part of a workers’ comp claim or another workplace injury, are also subject to HIPAA data protection laws.

It is essential that any data effort, and any data vendor or partner, operates within the applicable bounds of these regulatory guidelines.

Step 2: Gain employee consent for data collection and processing 

Data was once hailed as a cure-all solution to our society’s challenges, and many companies adopted a “more is more” mentality. However, attitudes have shifted significantly, and arbitrary data collection poses significant compliance risks to companies.

It’s crucial for companies to secure employee consent for data collection and to implement data minimization strategies. Employees should know what information you’re collecting, how long you’re retaining it, what you’re using it for, and how they can find out what data of theirs you have. Employee consent is not only a requirement for ethical data collection in HR; regulations require it.

When it comes to data minimization, accumulating unnecessary employee data heightens the risk of breaches and non-compliance penalties under GDPR and CCPA regulations.

GDPR requires that companies only collect the data that’s absolutely necessary for their purposes. The EU’s law also states that companies cannot use consumer data as they wish, but rather it must only be used for the purposes they communicated to consumers.

Step 3: Ensure secure data storage and access

When it comes to HR data storage solutions, companies have a lot of boxes to tick. Data encryption and cloud storage for HR data are table-stakes, and features like enterprise-grade data access controls help businesses strike the right balance between privacy and progress.

Secure storage solutions and protecting data from unauthorized access are the cornerstones of data protection. Companies need solutions that ensure highly sensitive employee data remains encrypted, both in transit and at rest. 

HR data storage solutions come as cloud or on-premises solutions. Cloud storage offers scalability, flexibility, and stringent security measures provided by reputable service providers. Conversely, on-premises storage grants organizations direct control over their data but requires significant investment in infrastructure and maintenance, and is increasingly obsolete in our cloud-run world.

Step 4: Implement a data retention policy

A clear HR data retention policy helps with compliance, risk management, privacy protection, and can lower data storage costs. Policies should outline data retention periods, highlight approaches for identifying outdated or unnecessary data, and share procedures for secure data disposal in HR. 

A data retention period refers to the duration for which data must be kept based on both internal policies and external regulations, and these periods typically differ across organizations and industries. Once the data has served its purpose, it should be either archived, anonymized, or permanently deleted.

Companies need procedures for regularly reviewing and securely disposing of outdated or unnecessary data to support ethical data collection in HR and remain compliant. 

HR teams should establish a systematic approach to ensure that data is continually assessed to determine its relevance. Regular reviews will help identify obsolete or redundant information, reducing storage costs and minimizing the risk of unauthorized access or breaches. 

What’s more, securely disposing of unnecessary data helps mitigate potential privacy concerns and legal liabilities. By implementing robust procedures, organizations can streamline data management processes, ensure compliance with regulations such as GDPR and CCPA, and effectively safeguard highly sensitive employee information.

Step 5: Prioritize training and clear communications

Educating employees about your company's data collection and privacy policies is crucial. Help employees recognize their responsibility in handling data with care by creating a culture of compliance and mandating training. 

When possible, give employees a TL;DR option alongside official data policies as traditional company-wide emails with dense text are often overlooked. 

Additionally, make training mandatory for all employees, with more detailed offerings for those dealing extensively with sensitive data. Training should include data security best practices and information on compliance, as well as how to identify a breach and what to do about it, among other best practices and the various requirements of specific regulations.

Step 6: Commit to continuous monitoring and improvement

It’s not enough to just set policies and educate staff on them. Rather, to remain compliant with HR data regulations, companies need processes for ongoing monitoring and continuous improvement.

Regular HR compliance audits are crucial to ensure the company is still properly adhering to regulations. Keeping up with the pace of change in the compliance landscape also requires that HR professionals remain nimble enough to adapt to legislative changes and evolving best practices.

By prioritizing HR compliance audits and adapting to data protection laws, businesses can mitigate risks, uphold standards, and foster a culture of continual enhancement in their HR processes.

Bonus step: Find the right partners for your HR data journey

HR and DEI professionals play a critical role in ensuring companies meet the requirements of HR compliance. They serve as guardians of employee data protection, ensuring proper handling of data while adhering to a patchwork of state, federal, and international regulations.

This can be challenging work. But you don’t have to navigate alone. 

With Dandi, best-in-class data protection, enterprise-grade access controls, and GDPR-compliant storage are built right into the platform. We're a partner to every people team looking to do more with data, while ensuring that all security and compliance needs are met.