The countdown is on: Is your Workday HR function ready for impending CCPA amendments affecting your employee data?

A new CCPA employee data amendment is looming. In this article, Kainos’ Head of Audit, Nick Stone, provides an overview of what the changes mean for Workday customers.
Date posted: 6 October 2022
Reading time: 6 minutes

The California Consumer Privacy Act of 2018 (CCPA) was originally enacted to give California-based consumers more control over the personal information that businesses held on them. Since then, a new amendment extends the regulation to the information organisations hold on their employees. To ensure they are compliant with the new amendment, which takes effect on January 1, 2023, businesses should review how they protect their employees’ personal information. Are your security procedures sufficient?

Nick Stone, Head of Audit at Kainos, provides a background of the CCPA and reflects on how Workday fits within the framework of the latest changes to the legislation.


What is the CCPA?

The regulation was initially implemented to safeguard sensitive data relating to consumers. This meant consumers could ask businesses to disclose what personal information they held on them and what they do with the information. Consumers can also request that businesses stop selling their personal information through an ‘opt-out’ option.

While there are many similarities between the CCPA and the European Union’s General Data Protection Regulation (GDPR), the Californian legislation is more rigorous in certain aspects of data privacy.

In the context of the CCPA, personal information is classified as any information which identifies, relates to, or could be reasonably linked to a consumer or their household. This includes the individual’s full name, social security number, email address and even goes as far as their internet browsing history, geolocation and biometrics.

How the CCPA amendment impacts employee data

The new amendment, called the California Privacy Rights Act (CPRA), specifies that employers must provide a notice to employees at or before the point of collection of their personal information. This notice must include a list of the personal information that will be collected and the commercial or business purpose for collecting the data.

Employers should also provide their employees with a copy of, or a relevant link to, the employer’s privacy policy.

The enforcement of the new amendment will be supported by the newly-established California Privacy Protection Agency, which is charged with ensuring that employers comply with the legislation by the approaching deadline.


CCPA non-compliance

Under the CCPA, consumers have the right to sue an organisation should they suffer a data breach as a result of the business’ failure to maintain reasonable security procedures to protect the consumer’s personally identifiable information (PII).

Should this happen, companies have 30 days from the point at which regulators notify them of a potential violation to bring themselves into compliance with the law. While this differs from the more stringent 72-hour window imposed under GDPR, businesses face a fine of up to $7,500 per record should they fail to resolve the issue within the stated timeframe.

This sum doesn’t reflect the additional costs associated with data breaches such as the IT response, legal notifications and personnel resources, which are more difficult to quantify. As there can be many records identified in a data breach, the costs associated with CCPA non-compliance can quickly build up, leading to significant unbudgeted fines.


Workday security and CCPA considerations

HR and payroll functions have access to employee PII such as employee names, governmental identification numbers, addresses and bank account details. Should there be a data breach relating to protected information managed by HR and payroll functions, employees would have the right to sue their employers under the latest CCPA amendment.

As the new employee data deadline draws nearer, the immediate task for HR teams is to proactively conduct an inventory of what information they hold on their employees, where the information is stored and, more importantly, assess how that sensitive data is protected.

An important part of this process is evaluating the sufficiency of security procedures and internal controls currently in place over employee data. Workday’s security framework and audit capabilities support effective data privacy controls. But HR organizations have to be intentional about how their internal controls leverage Workday capabilities. We recommend you consider the following as you evaluate your data privacy risk posture:

1. PII across multiple tenants. Your employee data is not limited to your production tenant. Employee data is replicated across multiple sandbox and implementation tenants where internal controls are less robust. In fact, many organizations intentionally leave non-production security open to streamline support and implementation efforts. When assessing your data privacy risk and adequacy of security procedures, ensure that you formally evaluate what data is stored in all of your tenants and validate who has access to the sensitive data in each tenant. Limit access to valid users, maintain tight controls over your contractors, and consider data masking options based on rulesets.

2. Preventive Security Controls. The easiest approach to data protection is preventing improper access. This can be accomplished in two ways: data masking and restricting privileged access.

  • Data masking obfuscates Workday fields based on defined rule sets which allow organizations to control what information users can and cannot see. Data masking is generally an approach used to enforce data protection in non-production tenants to enable efficient support and implementation activities. Smart Shield is a good example of a Workday data masking solution.
  • Restricting privileged access is a critical production tenant control. Access to privileged administrative capabilities, business processes, and tasks must be carefully provisioned, monitored, and managed as job responsibilities change. A Workday production tenant is subject to ongoing change. As a result, validating security configurations and security group membership at the pace of business change is increasingly important. Organizations should ensure that access to powerful security groups and security groups designed to govern employee data are properly designed and membership is appropriate.

3. Monitoring & Detection. CCPA and similar data privacy regulations stipulate that security procedures must be in place to monitor and detect potential security incidents. Workday is a highly auditable system, but organizations have to know what they are looking for first. Effective data protection programs prioritize data elements based on formal risk assessments, and subject higher risk fields (and business processes, tasks and configurations) to monitoring routines that flag risk events, including data views. Due to the volume of audit logs in Workday (and the fact that many audit logs are purged weekly or monthly depending on the related tenant), leveraging security monitoring tools is likely needed to monitor sensitive data and to detect data privacy risks in a timely manner.
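The three considerations above can be turned into concrete, repeatable checks. The following Python script is an added illustration written for this article; it is not Kainos, Smart Audit, Smart Shield or Workday code, and the tenant inventory, security-group snapshot and audit events it works on are constructed here in a made-up layout rather than Workday’s real export or audit log formats. It shows a rule-based mask for high-risk fields (item 1), a review of non-production tenants and powerful security-group membership against an approved list (items 1 and 2), and a detection pass over audit events that flags views of high-risk fields by unapproved users and bulk access even by approved ones (item 3).

```python
"""Illustrative data-privacy checks over employee PII held in several tenants.

Added example, not Workday's or Kainos' own code. All record layouts below are
constructed for the demonstration and do not match Workday's real formats.
"""
from dataclasses import dataclass

# Assumed risk tiers: a formal risk assessment would produce the real list.
# The article's own examples of employee PII are names, government IDs,
# addresses and bank account details.
HIGH_RISK_FIELDS = {"national_id", "bank_account", "home_address"}


def mask_value(field, value):
    """Rule-based masking: high-risk fields keep only their last two characters."""
    if field in HIGH_RISK_FIELDS and value:
        return "*" * max(len(value) - 2, 0) + value[-2:]
    return value


def mask_record(record):
    """Apply the masking rule to every field of a worker record (dict)."""
    return {field: mask_value(field, value) for field, value in record.items()}


def unmasked_nonprod_tenants(tenants):
    """Item 1: non-production tenants that still hold unmasked high-risk data."""
    return sorted(name for name, spec in tenants.items()
                  if name != "production" and not spec["masked"])


def membership_exceptions(groups):
    """Item 2: members of powerful security groups who are not on the approved list."""
    return sorted((group, user) for group, spec in groups.items()
                  for user in spec["members"] - spec["approved"])


@dataclass(frozen=True)
class AuditEvent:
    """One constructed audit record: who touched which field in which tenant."""
    tenant: str
    user: str
    action: str   # "view" or "edit"
    field: str
    count: int    # number of worker records touched by the action


def flag_risk_events(events, groups, bulk_threshold=50):
    """Item 3: flag views of high-risk fields by users outside any approved
    group, and bulk access above a threshold even by approved users."""
    approved = set().union(*(spec["approved"] for spec in groups.values()))
    flags = []
    for event in events:
        if event.field not in HIGH_RISK_FIELDS:
            continue  # lower-risk fields are not in scope for this routine
        if event.user not in approved:
            flags.append(("unapproved_access", event))
        elif event.count >= bulk_threshold:
            flags.append(("bulk_access", event))
    return flags


# --- Constructed sample data (hypothetical tenants, groups, users, events) ---
TENANTS = {
    "production":     {"masked": False, "allowed_users": {"hr_admin", "payroll_lead"}},
    "sandbox":        {"masked": True,  "allowed_users": {"hr_admin", "integrations_dev"}},
    "implementation": {"masked": False, "allowed_users": {"hr_admin", "contractor_01"}},
}

POWERFUL_GROUPS = {
    "Security Administrator": {"approved": {"hr_admin"},
                               "members": {"hr_admin", "contractor_01"}},
    "Payroll Administrator":  {"approved": {"payroll_lead"},
                               "members": {"payroll_lead"}},
}

EVENTS = [
    AuditEvent("production", "payroll_lead", "view", "bank_account", 3),
    AuditEvent("production", "contractor_01", "view", "national_id", 12),
    AuditEvent("production", "hr_admin", "view", "home_address", 250),
    AuditEvent("sandbox", "integrations_dev", "view", "email", 500),
]


def run_checks():
    """Run all three checks and return a summary suitable for an audit report."""
    return {
        "unmasked_nonprod_tenants": unmasked_nonprod_tenants(TENANTS),
        "membership_exceptions": membership_exceptions(POWERFUL_GROUPS),
        "risk_events": [(kind, e.tenant, e.user, e.field, e.count)
                        for kind, e in flag_risk_events(EVENTS, POWERFUL_GROUPS)],
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

On the constructed data, the implementation tenant is reported as holding unmasked high-risk data with a contractor able to see it, the contractor’s membership of the Security Administrator group is reported as an exception, and two audit events are flagged: the contractor’s view of national IDs and the approved HR administrator’s 250-record view of home addresses. Because audit logs may be purged weekly or monthly, a routine like this only works if it runs on the same cadence, which is the practical reason a monitoring tool is usually needed rather than ad hoc review.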


If you have not formally evaluated these considerations in your security procedures, you may be at risk.


The role of control automation

With Workday control automation, HR teams can protect their workforce’s sensitive data by defining effective preventive controls and continuously monitoring potential security risk events. This involves limiting data access to the people that need it when they need it. It also involves deploying timely security monitoring to detect data access, misuse and possible fraudulent activity.

As a trusted Workday partner, Kainos deploys its Smart Audit solution to continuously monitor and detect security risks across production, sandbox and implementation tenants. This allows Smart Audit to identify who has access, or who did access, sensitive data within Workday. Smart Audit empowers the HR and IT functions to proactively prevent data risks before they happen – and detect them if they do.

Smart Audit can also help streamline audit and compliance efforts by evidencing security monitoring activities. This saves time and effort and provides assurance that HR controls over protected information are designed and operating effectively, as stipulated by data privacy legislation like CCPA and GDPR.

Are you interested in finding out how Smart Audit can help you comply with the upcoming CCPA employee data amendment?