October 1st, 2024 | Sterling

The Impact of GDPR: What Businesses Need to Know 

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is a data privacy law adopted in 2016 that became applicable on May 25, 2018. Enacted by the European Parliament and the Council of the European Union, the GDPR aims to harmonize data protection laws across Europe, strengthen data protection rules in the digital age, and ensure consistency for individuals and businesses. 

Employers with locations in the European Union or European Economic Area, those who hire European nationals, or those providing services in Europe may wonder whether the GDPR applies to them. In this article, Sterling Backcheck outlines the fundamental principles of the GDPR and offers best practices to help you ensure your hiring and background check programs comply with these regulations. Visit our Downloads page for more compliance resources. 

Who Does the GDPR Apply to? 

The GDPR applies to: 

  • Companies established in the EU that process personal data, regardless of where the processing itself takes place.  
  • Non-EU companies offering goods or services to individuals in the EU, regardless of whether payment is required.  
  • Non-EU companies monitoring the behavior of individuals, as far as that behavior takes place within the EU. 

The GDPR generally applies to employee screening programs that are already subject to EU law, for example screening carried out by an EU-established employer or for a role located in the EU. It typically does not apply to the following screening activities: 

  • Screening EU citizens outside of the EU for work outside the EU. 
  • Screening employees or applicants who currently reside in the EU but will move to the US, Canada, or elsewhere for work. 

It’s a common misconception that the GDPR applies to data collected from all EU citizens regardless of their location. In reality, the GDPR’s territorial scope turns on where the organization and the individual are, not on citizenship. It applies when the company controlling or processing the data is established in the EU, when the data is collected in the context of offering goods or services to someone in the EU, or when the behavior of an individual in the EU is monitored. If you’re unsure whether the GDPR applies to you, please consult your privacy office or seek legal advice. 

Understanding the GDPR 

To understand the rules in the GDPR, it’s essential to grasp the concepts of “controller” and “processor.” An organization processing personal data or having personal data processed on its behalf may be either a controller or a processor: 

  • Data Controller: The data controller determines the purposes and means of processing. In the context of background screening, the organization requesting the screening acts as the data controller.  
  • Data Processor: The data processor handles personal data on behalf of, and on the documented instructions of, the controller. Private companies like Sterling Backcheck conducting the background check for their clients are data processors. 

The GDPR enshrines the concept of “Privacy by Design and Default” (in the text of the regulation, “data protection by design and by default”) into law. This means that privacy must be built into all personal data processing from the outset, and that default settings must favor privacy and limit the personal data collected, processed, and shared to what is necessary for each purpose. The GDPR includes strict enforcement mechanisms, including administrative fines of up to €20 million or 4% of a corporate group’s total worldwide annual turnover, whichever is higher. It also introduced a “one-stop-shop” mechanism, under which a single lead supervisory authority handles cross-border processing instead of involving regulators in every affected country. 

Impact of GDPR on Background Screening 

Below are some key components of the GDPR that may impact employment background checks: 

  • Candidate Rights: Candidates have the right to basic information about the screening process. This includes receiving a privacy notice explaining what personal data will be processed, how, why, on what legal basis, and for how long. Open and transparent communication with candidates is crucial. 
  • Consent: The GDPR grants individuals the right to withdraw consent at any time, and withdrawing must be as easy as giving it. Consent is also presumed not to be freely given unless separate consents are obtained for different processing activities. In an employment context, the imbalance of power between employer and candidate means consent is rarely considered freely given, so it is generally not relied upon as the legal basis for background checks; employers more commonly rely on another ground, such as a legal obligation or legitimate interests. 
  • Object to Processing: Individuals have the right to restrict and/or object to the processing of their personal data in certain circumstances. They can also raise a general objection to the processing of their data on grounds relating to their particular situation, even if its accuracy is not disputed. When such an objection occurs, the processing of the personal data (or the background check) may need to be halted while the organization reviews and addresses the individual’s concerns. 
  • Data Portability: The GDPR codifies the right for individuals to receive their personal data in a structured, commonly used, machine-readable format and to have it transmitted from one organization to another under certain circumstances. 

Best Practices for GDPR Compliance 

Any company whose screening program is subject to GDPR should consider several important factors to ensure compliance. Some best practices include: 

  • Identifying the legal grounds for processing personal information and determining whether you rely on consent for background checks. 
  • Ensuring your privacy notices provide all necessary information to individuals. 
  • Ensuring that any special categories of data (also known as sensitive personal data) are collected in accordance with the law. 
  • Reviewing local laws in the countries where you operate to ensure your program is GDPR-compliant. 
  • Ensuring that appropriate contractual documents are in place for data processing and cross-border data transfers. 
  • Identifying any instances of automated decision-making and, whenever possible, ensuring that background checks are subject to human review. 
  • Understanding how your organization and Sterling Backcheck will collaborate to uphold your candidates’ rights under the law.  
  • Having your screening program reviewed by legal counsel or your Data Protection Officer, if applicable. 

Record Retention Under the GDPR 

The GDPR does not set specific retention periods, but it requires organizations to delete or anonymize personal information once it is no longer needed for the purposes for which it was collected or to satisfy legal obligations. Some European countries may provide regulatory guidance on the retention duration for background check data. Your organization should determine both the necessary retention period and whether your third-party screening provider should retain the data on your behalf, and should record that decision in its retention schedule. You can learn more about Sterling Backcheck’s data retention policies in our privacy statement. 

Right to Be Forgotten and Other Subject Rights Under the GDPR 

An experienced third-party screening provider like Sterling Backcheck should enable your candidates to exercise their rights under the GDPR and other privacy laws. These include, among others, the right to access and correct personal information, to object to its processing, and, in some cases, to have it deleted entirely. For companies relying on background check information during their hiring process, it’s advisable to establish a thorough background check policy. Organizations must understand how third-party companies process data on their behalf to ensure their privacy notices, policies, and contracts comply with GDPR requirements. 

For employment screening programs, the GDPR typically applies only to companies operating and hiring within European countries subject to the regulation. However, for programs screening individuals other than employees, the GDPR may apply to data collected from individuals in Europe, even if the company does not operate there.  

To determine whether (and how) the GDPR applies to your screening program, Sterling Backcheck recommends consulting with your legal counsel or privacy officer.  

For additional compliance resources and best practices, visit our Resources page. To set up a background check program, contact us. 

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.