April 4th, 2018 | Sterling
How Will the GDPR Impact Your Background Screening Program?
The European Union (EU) will soon have a new data privacy regime in place. On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect, changing the rules around protection of Europeans’ personal data. The GDPR was introduced to harmonize existing data protection laws across Europe, strengthen data protection rules in the digital age, and ensure consistency for individuals and businesses.
Sterling Talent Solutions has been working diligently since the law was first drafted to ensure we are GDPR compliant. We have prepared a 10-part series of webinars, a checklist, FAQs with common GDPR questions, and blog posts to help educate our readers about their obligations under the GDPR and to prepare their background screening program.
What Is the GDPR and Who Does It Impact?
The General Data Protection Regulation will replace existing national data protection legislation in the EU Member States, such as the UK Data Protection Act 1998, and introduce new requirements for European businesses as well as some that are outside of the EU. It also alters some existing concepts, which means that businesses will need to review their existing processes to make sure they are compliant. The GDPR will apply to:
- EU companies that process personal data, regardless of whether the processing takes place in the EU
- Non-EU companies that offer goods or services to individuals in the EU irrespective of whether payment is required
- Non-EU companies that monitor individuals’ behaviour that takes place in the EU
The GDPR will generally only apply to employee screening programs that are already subject to EU law. The General Data Protection Regulation will generally not apply to the following screening activities:
- Screening EU citizens outside of the EU for work outside of the EU
- Screening employees or applicants who currently reside in the EU but will move to the US, Canada, or elsewhere to work.
If you are not sure if the GDPR applies to you, please consult with your privacy office or seek legal advice.
Change to Data Privacy Considerations under the GDPR
There are some notable changes that organizations will need to keep in mind when working with personal data subject to the General Data Protection Regulation. Below are just a few of the components of the GDPR that may impact employment background checks:
- Candidate Rights: Candidates have the right to basic information about the screening process, including receiving a privacy notice providing the individual with insight on how and why their personal information will be processed. Open and transparent communication to candidates is crucial. This is not a new concept, but the GDPR introduces some new technical requirements.
- Consent: The conditions for obtaining consent will ultimately become stricter than the current Data Protection Directive (95/46/EC). The General Data Protection Regulation allows an individual the right to withdraw consent at any time and as easily as they provide it, and presumes that consent will not be valid unless separate consents are obtained for different processing activities. As is currently the case, obtaining consent in an employment context is difficult and will generally not be relied upon for background screening.
- Object to Processing: An individual has the right to restrict and/or object to the processing of their personal data in some circumstances. It is also possible for an individual to have a general objection to the processing of personal data, even if its accuracy is not contested. When this objection occurs, the processing of the personal data (or background screening) may need to be stopped while the organization reviews and responds to the individual’s concerns.
- Data Portability: The General Data Protection Regulation codifies a new right for individuals to request that their personal data be transferred from one organization to another in certain circumstances.
GDPR Impact on Employment Background Checks
For a company that relies on background screening information for its hiring process, it is recommended to have a background screening policy in place. Organizations need to understand how third-party companies process data on their behalf to make sure their privacy notices, policies and contracts align with General Data Protection Regulation requirements. For an employment screening program, the GDPR will generally apply only to companies operating and hiring locally in European countries subject to the GDPR. For programs that screen people other than employees, the GDPR may apply to data collection from Europe, even if the company does not operate there. To understand whether and how the GDPR applies to your screening program, Sterling recommends that you consult your legal counsel or privacy officer.
Background checks can involve significant personal data processing, so careful GDPR compliance is crucial. It is important for businesses to raise awareness of the changes, review current privacy notices and background screening policies, and consider the appointment of a Data Protection Officer (DPO) where needed. Failure to comply with the GDPR could result in fines of up to 4% annual worldwide turnover or €20 million, whichever is greater.
Sterling will be sending out client communications with further details that could require action if the GDPR applies to your screening program. Some changes for Sterling clients include signing a Data Processing Agreement (DPA) and reviewing a new sample privacy notice. Download the complimentary “General Data Protection Regulation and Background Checks: Considerations for Employers” checklist today to help your company prepare for the GDPR.
This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.