April 30th, 2018 | Sterling
Best Practices for Making Your Background Screening Program GDPR-Compliant
In just a few weeks, on May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect, changing the rules around protection of Europeans’ personal data. The GDPR was introduced to harmonize existing data protection laws across Europe, to strengthen data protection rules in the digital age and ensure consistency for individuals and businesses.
Sterling Talent Solutions has been working diligently since the law was first drafted to ensure we are GDPR-compliant. We have prepared a 10-part series of webinars, a checklist, FAQs with common GDPR questions, and blog posts to help educate our readers about their obligations under the GDPR and to prepare their background screening program.
What is the GDPR and Who Does It Impact?
GDPR will generally apply to any company that operates in the European Economic Area (EEA). It also applies to companies that collect personal information while selling or marketing their products or services to people in the EEA or conducting ongoing monitoring of the behaviour of people in the EEA, wherever the company is established.
For an employment screening program, GDPR will generally apply only to companies operating and hiring locally in the EEA. For a program to screen people other than employees, the GDPR may apply to any data collection from the EEA, even if the company does not operate there. To understand whether GDPR applies to your screening program, Sterling recommends that you consult your legal counsel.
What Do You Need to Do Now?
Under privacy laws around the world, any organization collecting and processing personal information must provide a privacy notice to individuals that explains how and why their personal information will be processed. While the requirement for a privacy notice is not new, the GDPR sets out a number of specific requirements for privacy notices. If your organization is impacted by the GDPR, there are measures that must be taken to ensure you are compliant with the changes.
Organizations must have a GDPR-compliant contract with their background screening provider as well as a compliant privacy notice in place no later than 25 May 2018. Please note that U.S. FCRA disclosure and authorization forms will not change as a result of GDPR, as FCRA requirements and GDPR requirements are separate and require separate documentation.
How the GDPR Will Affect Employment Background Checks
For a company that relies on background screening information for its hiring process, it is recommended to have a background screening policy in place. Organizations need to understand how third-party companies process data on their behalf to make sure their privacy notices, policies and contracts align with GDPR requirements. For an employment screening program, the GDPR will generally apply only to companies operating and hiring locally in European countries subject to the GDPR. For programs that screen people other than employees, the GDPR may apply to data collection from Europe, even if the company does not operate there. Failure to comply with the GDPR could result in fines of up to 4% annual worldwide turnover or €20 million, whichever is greater.
Any company whose screening program is subject to GDPR should consider several important items to ensure readiness. Some best practices include:
- Identifying the legal grounds for processing personal information and whether you rely on consent for background checks.
- Ensure your privacy notices provide all the necessary information to individuals.
- Ensure that any special categories of data (also known as sensitive personal data) are collected in accordance with the law.
- Review local laws in the countries where you operate to ensure your program is GDPR-compliant.
- Ensure that appropriate contractual documents are in place for data processing and cross-border transfers of data.
- Determine whether any automated decision-making is taking place and, wherever possible, ensure that background checks are always subject to human review.
- Understand how your organization and Sterling will cooperate to ensure your candidates’ rights under the law are respected.
- Have your screening program reviewed by legal counsel or your Data Protection Officer, if you have one.
Record Retention under the GDPR
The GPDR does not set specific retention periods but requires organizations to destroy or anonymize personal information that is no longer needed for business purposes or to satisfy legal obligations. Some European countries may also have regulatory guidance on how long to retain background screening data. Your organization should determine both how long you need to keep data and whether you want your third-party screening provider to keep that data on your behalf.
Right to Be Forgotten and Other Subject Rights Under the GDPR
A third-party screening provider should be able to facilitate your candidates’ exercise of their rights under the GDPR and other privacy laws. These include, among others, the rights to access and correct personal information, object to its processing and in some cases, have it deleted entirely.
Sterling will be sending out client communications with further details that could require action if the GDPR applies to your screening program. Some changes for Sterling clients include signing a Data Processing Agreement (DPA) and reviewing a new sample privacy notice. Download the complimentary “General Data Protection Regulation and Background Checks: Considerations for Employers” checklist today to help your company prepare for the GDPR.For more information on how the GDPR will impact employers in the US and what they can do to help remain complaint register for our webinar, “GDPR Compliance: What It Means for HR in the US”, today!
This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.