January 5th, 2017 | Sterling

GDPR: Impact of New Process on Privacy and Personal Information in the UK


Every good company wants to progress and grow to provide better, more efficient services. It is vital to keep up with changes to technology and the law, but also to changes in customer demands and expectations. To do this, new processes must be adopted and existing ones adjusted. Standing still is never an option. There is always something to optimise and improve.

Impact of New Processes on Privacy and Personal Information

It’s important to consider the impact of new processes and systems on every level of the business before implementing them. Each time something new is introduced and each time an existing process is adjusted, a careful assessment of the impact of changes must be made. This is especially true when a new process or system will involve the use of personal information.

For example, something as simple as a new data storage location for personal information could pose a serious risk. If the new storage is located in another country, this would mean transferring the personal information internationally, which often requires a transfer mechanism that provides justification for the international transfer of data. If there was no intention for the information to be transferred internationally when it was collected, a valid transfer mechanism might not be available, and storing the information in the new system despite this could eventually lead to complaints and possibly fines, in addition to the costs of needing to adjust the system once again. Instead of resolving situations such as this after the fact, it is clearly better, cheaper and more efficient to prevent them from happening in the first place.

Privacy By Design

The General Data Protection Regulation (the GDPR), which is applicable from 25th May 2018, recognises the concept of Privacy by Design. Privacy by Design requires that new processes and systems comply with data protection principles. The GDPR states that when a new activity may present a risk to personal information, organisations “should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk.”

In practice, this means that from May 2018 a failure to anticipate new ways in which personal information can be placed at risk may become a costly mistake. Failure to comply with the GDPR could result in fines of up to 2% of annual worldwide turnover or €10 million, whichever is greater.

Due to this, a tool or methodology to determine and eliminate these risks before a new system goes live or a new process is implemented is extremely important. This is where a data protection impact assessment (DPIA) or a privacy impact assessment (PIA) can be used, allowing privacy risks to be identified, understood and wherever possible mitigated before harm can be caused to an individual’s personal information.

Privacy and Background Screening Programmes

When you implement a background screening programme, working with large amounts of personal information is unavoidable. The changing requirements of the job market and the need to maintain a positive candidate experience, while attempting to complete background checks as efficiently and as quickly as possible, create a constant need to adjust service offerings and to strive for better, more efficient hiring solutions. Implementing a new background screening programme, or making changes to an existing one may place personal information at risk. When questioned about their background screening practices, 56% of organisations also stated that they wish to improve compliance. This can be achieved by including a PIA when you wish to implement a new programme or to expand your programme by adding new services which could impact the use of personal information.

Though this level of safeguarding is not yet required for personal information as a part of background screening under UK law, it will become a requirement in 2018 with the GDPR. Early adoption of the concept of Privacy by Design and PIAs, though not yet mandatory, will assist you in meeting future legal obligations and will position you as an employer who places the importance of privacy and data protection at your very core. Find more information about current background screening trends and compliance issues in our Background Screening Trends & Best Practices Report.


This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.