June 21st, 2018 | Sterling

Answers to Your Questions About GDPR Compliance in the US and Canada

Answers to Your Questions About GDPR Compliance in the US and Canada

It’s been a few weeks since the General Data Protection Regulation (GDPR) went into effect on May 25, 2018. I am still receiving pop-ups for privacy updates and emails for new privacy agreements from websites and social platforms. It will take a bit of time to see the full impact of the data privacy requirements on companies around the world. Sterling Talent Solutions hosted a webinar entitled “GDPR Compliance: What It Means for HR in the US and Canada” just before the launch of the changes. Sterling’s Assistant Vice President of Global Privacy, Mark Sward, explained how the updated data privacy laws might impact US and Canadian companies with offices, employees, vendors or other activities in the European Union (EU).

Answers to Your GDPR Compliance Questions

Mark took the time to answer some of the attendee GDPR compliance questions that he was not able to answer during the webinar below:

  1. As a sourcing recruiter—if data is deleted based on the “right to be forgotten” how do you avoid adding them to your system again? You are not required to avoid adding someone to your system again once they have had their data deleted, provided you have a lawful basis to add their data again in the future (presumably in the context of a new interaction with that person). 
  2. We run international criminal background checks on potential employees if they have lived in Europe. The potential employee will live in the US while they work for us. Does the GDPR apply? The GDPR will generally only apply to employment screening if the company requesting (or ultimately using) the screening is established in the European Economic Area (EEA). Screening based on someone’s past residence in Europe will not necessarily cause the GDPR to apply.
  3. Even though we do not provide any services in Europe, is it safe to sign a data processing agreement (DPA)? And, if so, how does one obtain a DPA? Sterling is happy to sign a DPA with any of its customers. The DPA is global in scope.
  4. As there is no certification for the GDPR, how can you determine compliance? Is there a resource that can conduct a review? Third-party consultants can carry out audits for your compliance. Sterling has internal privacy resources that carry out these activities.
  5. Does the GDPR apply to unpaid volunteers/interns? The GDPR does not distinguish between paid and unpaid interactions.
  6. Where does the UK fit in before/after Brexit? This remains to be seen, but likely the UK will continue to apply the GDPR after Brexit.
  7. What if our company is registered in the EU and we hire locals? Does the GDPR apply to us? The GDPR applies to companies that are established in the EU. It sounds like you are established there, so it would apply to those activities.
  8. Does the GDPR apply to European citizens that are permanent US residents? The GDPR applies to companies that are established in the EU, companies that offer goods or services to people in the EU (regardless of whether money is exchanged), and companies that monitor the behaviour of people in the EU. It does not apply based on citizenship or residence status, but based on actual location.

Will the GDPR Affect My Company’s Background Screening Program?

One of the most asked questions during the webinar was how the GDPR will impact background screening programs. It is important to remember that the GDPR will generally only apply to employee screening programs that are already subject to EU law and that are operating and hiring locally in the EEA. For a program to screen people other than employees, the GDPR may apply to any data collection from the EEA, even if the company does not operate there, so you should check with your privacy office or legal counsel for advice. The GDPR will generally not apply to the following screening activities:

  • Screening people who hold EU citizenship, but are located outside of the EU and will work outside of the EU
  • Screening employees or applicants who have applied remotely to positions posted from the US, Canada or elsewhere outside of the EEA
  • Domestic screening in the US or Canada

Companies need to determine whether the GDPR applies to their background screening program. If it doesn’t, then no action is needed. If it does, organizations should review their background screening program and policy for compliance. Organizations need to understand how third-party companies process data on their behalf to make sure their privacy notices, policies and contracts align with applicable requirements, so it is important to understand which laws apply to your program. The Sterling GDPR Checklist is also a handy reference guide for companies. Check with your background screening company for updated privacy notices and data processing agreements that might require updated signatures.

For more information about how the GDPR will impact background screening programs in the US and Canada, download the OnDemand version of “GDPR Compliance: What It Means for HR in the US and Canada.”

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.