Much work remains to prepare recognition programs for new privacy regulations despite stiff penalties for non-compliance.
By Larry Basinait
Over the last two years, an increasing number of countries and U.S. states have enacted privacy laws designed to protect individuals. Privacy laws are legal frameworks that set guidelines for the collection, storage, and processing of personal information.
One prominent privacy law, enforced in May 2019, is the General Data Protection Regulation (GDPR), which regulates data protection and privacy and addresses the transfer of personal data for all individual citizens of the European Union and the European Economic Area.
Another is the California Consumer Privacy Act (CCPA). The CCPA gives consumers in California additional rights and protections regarding how businesses may use their personal information. Starting January 1, 2021, the CCPA will extend its requirements to employee data. Like California, Nevada and Oregon have expanded their data privacy laws, with other states planning to soon follow.
These changes in privacy laws will have significant implications for the business world. One of the industries most affected is the employee reward and recognition industry, that is, organizations that develop programs to reward performance and motivate employees on individual and group levels. Privacy laws often fly in the face of the use of public recognition to engage workers, so employers need to understand them in order to meet legal requirements while keeping their workforce engaged.
To determine the impact of recent and impending privacy laws on employee recognition programs, HRO Today partnered with Madison to conduct a survey of 75 HR professionals. Survey respondents were invited to participate in the study via an email invitation between January 28 and April 6, 2020.
Results indicate that employers are vulnerable to privacy law violations. Just over one-half (59.3 percent) of study respondents considered themselves at least familiar with privacy regulations, though only about a quarter are very familiar (see Figure 1). Privacy laws are complex and evolving, and the penalties for failing to adhere to them are substantial, so the implications of not knowing regulation details are enormous.
Employers understand these implications, with over three-quarters (78.0 percent) of respondents indicating they feel impacted by privacy laws. Those who are most familiar with the privacy laws feel the greatest impact.
However, the impact of privacy law on social employee recognition remains a mystery to many. Nearly one-half (49.0 percent) of employers with recognition programs are not sure about the laws’ impact, despite many being generally familiar with the laws. This may greatly inhibit the planning and execution of employee social recognition plans.
And the penalties for non-compliance are high. According to CCPA regulations, companies face a risk of being fined up to $7,500 per violation. If the CCPA-guaranteed rights of 1,000 users are violated, the fine could be up to $7,500,000.
Complete compliance is a long way away. Only one-half of study participants feel they are completely compliant with GDPR and CCPA requirements. Among those not currently compliant, nearly one-half indicated it will be at least one year until they are fully compliant, while over one-quarter felt they were more than two years away. Global expansion of GDPR and CCPA leaves most (54.5 percent) unprepared (see Figure 2).
There are three main ways employers are educating employees about privacy rights (see Figure 3):
- providing education to current employees about the impact of regulations on their privacy and rights;
- integrating training during the employee onboarding process; and
- appointing a data protection officer or data controller who is in charge of privacy.
The most common approach to adjusting social recognition programs is completely reactive. Deleting data upon request was indicated by nearly two-thirds (63.6 percent) of respondents (see Figure 4). Essentially, the company waits for the employee to initiate the change, assuming that employees know they can make such a request and that a convenient and effective way to make it exists.
The full report also details how organizations with top-tier recognition programs distinguish themselves with privacy law practices. It examines existing practices alongside attitudes about privacy regulation’s impact, and contrasts the level of compliance the best recognition programs have achieved with those that lag behind.
The report also examines the role recognition program providers play in working with their clients to ensure privacy law compliance. Findings include how effective recognition providers are in alleviating concern, helping clients achieve a higher level of compliance, and increasing the speed with which compliance is achieved.