Much work remains to prepare recognition programs for new privacy regulations despite stiff penalties for non-compliance.
By Larry Basinait
Over the last two years, an increasing number of countries and U.S. states have enacted privacy laws designed to protect individuals. Privacy laws are legal frameworks that set guidelines for the collection, storage, and processing of personal information.
One prominent privacy law, enforced in May 2019, is the General Data Protection Regulation (GDPR), which regulates data protection and privacy and addresses the transfer of personal data for all individual citizens of the European Union and the European Economic Area.
Another is the California Consumer Privacy Act (CCPA). The CCPA gives consumers in California additional rights and protections regarding how businesses may use their personal information. Starting January 1, 2021, the CCPA will extend its requirements to employee data. Like California, Nevada and Oregon have expanded their data privacy laws, with other states planning to soon follow.
These changes in privacy laws will have significant implications for the business world. One of the industries most impacted is the employee reward and recognition industry, or organizations that develop programs to reward performance and motivate employees on individual and group levels. Privacy laws often fly in the face of the use of public recognition to engage workers, and so employers need to understand them to adhere to legal requirements and keep their workforce engaged.
To determine the impact of recent and impending privacy laws on employee recognition programs, HRO Today partnered with Madison to conduct a survey of 75 HR professionals. Survey respondents were invited to participate in the study via an email invitation between January 28 and April 6, 2020.
Results indicate that employers are vulnerable to privacy law violations. Just over one half (59.3 percent) of study respondents considered themselves at least familiar with privacy regulations, though only about a quarter are very familiar (see Figure 1). Privacy laws are complex and evolving and the penalties for failure to adhere to them are substantial, so the implications of not knowing regulation details are enormous.
Employers understand these implications, with over three-quarters (78.0 percent) of respondents indicating they feel impacted by privacy laws. Those who are most familiar with the privacy laws feel the greatest impact.
However, the impact of privacy law on social employee recognition remains a mystery to many. Nearly one-half (49.0 percent) of employers with recognition programs are not sure about the laws' impact, despite many being generally familiar with the laws. This may greatly inhibit the planning and execution of employee social recognition plans.
And the penalties for non-compliance are high. According to CCPA regulations, companies face a risk of being fined up to $7,500 per violation. If the CCPA-guaranteed rights of 1,000 users are violated, the fine could be up to $7,500,000.
Complete compliance is a long way away. Only one-half of study participants feel they are completely compliant with GDPR and CCPA requirements. Among those not currently compliant, nearly one-half indicated it will be at least one year until they are fully compliant, while over one-quarter felt they were more than two years away. Global expansion of GDPR and CCPA leaves most (54.5 percent) unprepared (see Figure 2).
There are three main ways employers are educating employees about privacy rights (see Figure 3).
- providing education to current employees about the impact of regulations on their privacy and rights;
- integrating training during the employee onboarding process; and
- appointing a data protection officer or data controller who is in charge of privacy.
The most common approach to adjusting social recognition programs is completely reactive. Deleting data upon request was indicated by nearly two-thirds (63.6 percent) of respondents (see Figure 4). Essentially, the company waits for the employee to initiate the change, and assumes they know they can make the request and there is a convenient and effective way for that request to be made.
The full report also details how organizations with top-tier recognition programs distinguish themselves with privacy law practices. It examines existing practices alongside attitudes about privacy regulation's impact, and contrasts the level of compliance the best recognition programs have achieved with those that lag behind.
The role recognition program providers have with respect to working with their clients to ensure privacy law compliance is examined in the report as well. Findings include how effective recognition providers are in alleviating concern, achieving a higher level of compliance, and increasing speed with which compliance is achieved.