HR Trends in 2023: Data Protection in the Great Workplace Transformation

In a post-pandemic world, the workplace is undergoing far-reaching change. Companies are adapting as needed—often at breakneck speed—while modifying their core infrastructure (policies, procedures, training, and technology) to effectively support their employees and business.

Years from now, when we look back on this era, we’ll see that we were living through the “Great Workplace Evolution” of our time.

This article is an excerpt from our HR Trends in 2023 Guide, in which our experts break down HR trends expected to unfold in 2023 and best practices that can help your company evolve (and thrive) during your own workplace evolution. (Read the full HR Trends in 2023 guide here.)

In 2023, new data protection laws and regulations go into effect in California, Colorado, Connecticut, Utah, and Virginia, and more than half of U.S. states have active data privacy-related bills making their way through the legislative process.

These laws address a broad range of data protection rights for consumers and employees. Businesses (and HR teams) should be poised to take required compliance action and pay close attention to the impact laws in other states have on the workplace.

Of note, California is the first state to provide expansive privacy rights to employees. Under the California Privacy Rights Act (CPRA) employees have the right to:

• Know about the personal information that the business collects about them.
• Delete personal information collected from them.
• Opt out of an employer’s sale or sharing of their personal information.
• Opt out of a business’s use of automated decision-making technology.
• Correct personal information that is inaccurate.
• Limit the use and disclosure of sensitive personal information, such as racial or ethnic origin, union membership, and biometric information, which includes a person’s DNA, fingerprints, face, hand, retina or ear features, and odor.

According to the National Conference of State Legislatures, in 2022, 24 states introduced legislation to regulate the collection and use of biometric information. Many are based on Illinois’ foundational Biometric Information Privacy Act (BIPA) enacted in 2008, which prohibits companies from collecting or storing biometric data without providing notice, obtaining written consent, and making certain disclosures to consumers or employees.

In addition, 50 different state data breach notification laws in the U.S. require companies to notify consumers—and some state officials and agencies—when sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.

On the federal level, significant attention is focused on the American Data Privacy and Protection Act (ADPPA) (H.R. 8152), which proposes creating a comprehensive federal consumer privacy framework. It has not been voted into law, but the version sent to the U.S. House of Representatives by the House Energy & Commerce Committee (E&C) in mid-2022 has garnered strong bipartisan support.

In tandem with solidifying state, and possibly federal, data privacy laws, the public (and employees) increasingly demand proof that businesses are protecting their information. These emerging expectations mean organizations must continually implement strategies and cybersecurity tools that track and protect company data from cyberattacks, malware, ransomware, and data breaches. It also means businesses need to safeguard and track employee data and promptly fulfill requests to revise, delete or limit use of that information in the workplace.

Biometric data privacy is a subset of the data privacy equation, and regulators are taking notice as businesses increasingly use employees’ biometric information for various reasons such as:

• Time management (biometric time clocks)
• Security access (fingerprint readers)
• Health plans (risk profiles)

How HR Can Help Your Business Bolster Data Privacy Policies and Practices in 2023

HR professionals can help companies comply with applicable data protection, privacy, and breach laws and monitor pending legislation. In addition, they can facilitate cross-functional teams that work together to implement data protection and encryption measures and develop comprehensive company policies and procedures that target cybersecurity risks and protect employee privacy.

Six Data Privacy Best Practices Recommended by G&A Partners

1. Audit and assess your needs. For employee data, identify what personal information and documents you have, where it is stored, how long you’ve had it, and what retention rules apply. It’s not necessary to keep documents longer than required, so consider purging what you no longer need. Then assess your current technology to determine if what you have is adequate to fulfill your needs.

2. Organize a team from various departments– Legal, IT, HR, for example – to discuss current and upcoming laws and how to address them based on your company’s needs.

3. Employees are your main line of defense in protecting your company data. Consider creating a data protection campaign that will engage employees and build a culture that emphasizes their role in data protection.

4. Roll out regular education and training for employees and managers that begins with onboarding new hires. Weekly emails alerting employees to potential spams, simulated phishing attacks, and online courses will keep data protection front and center in employees’ minds.

5. Once your employees have the knowledge of their role in protecting the company’s data, create policies that hold employees accountable for their actions. Provide additional training for employees who need it, and don’t be afraid to enforce the policies so employees will take your policies seriously.

6. If you’re utilizing an HR outsourcing service/software, do a proper evaluation to ensure it can accommodate your new data privacy and protection requirements.