June 14th, 2017 | Sterling

GDPR: What You Need to Know with 12 Months to Go

On 25 May 2018, the EU General Data Protection Regulation (GDPR) goes into full effect. This will cause drastic changes in the way personal data is protected in the European Union. Sterling recently launched a ten part webinar series about the GDPR. The first webinar entitled GDPR: “What You Need to Know with 12 Months to Go” was presented by Sterling’s Oran Kiazim, Vice President of Global Privacy and Beatriz Torets-Ruiz, Privacy Analyst & Legal Researcher. The webinar was an introduction of what is to come with the GDPR and how you can help to ensure your organisation is fully compliant from day one.

What is the GDPR and why was it introduced?

The GDPR or General Data Protection Regulation is an EU law which regulates the collection, use, disclosure and processing of personal information of individuals in the EU.

The GDPR will replace existing European legislation, such as the UK Data Protection Act 1998, and introduces new requirements and additional burdens on European businesses. It also alters existing concepts, which means that businesses will need to review their existing processes to make sure they are compliant. The GDPR was introduced to:

• Harmonize existing data protection rules across the EU
• Strengthen data protection rules in the digital age as current laws didn’t factor in the internet, social media, technological advances and other changes that impact individuals’ privacy
• Ensure consistency for individuals and businesses. The introduction of the “One-Stop Shop” under the GDPR means that businesses will only have to deal with one regulator. This role will be based in the country of the company’s EU headquarters.)

Who is impacted by the GDPR?

One of the key changes for the GDPR is territorial scope. It is important to understand who is impacted by the GDPR from a geographic perspective. The GDPR will apply to:

• EU companies that process personal data, regardless of whether the processing takes place in the EU
• Non-EU companies, who offer goods or services to individuals in the EU irrespective of whether payment is required
• Non-EU companies who monitor individuals’ behaviour that takes place in the EU
• Non-EU companies processing the data of UE citizens must appoint a representative in the EU

What does the GDPR cover? What is meant by personal data?

Personal data as defined by the GDPR is “any information relating to an identified or identifiable natural person.” This is a pretty broad definition as information could be anything about an individual that is identified or identifiable natural persons. Business names and business addresses do not count as personal data. However, business contact information can sometimes constitute personal data if an individual can be identified.

How will Brexit affect the GDPR?

In principle, there is a commitment by the UK to implement the GDPR in May 2018, even with Brexit procedures being officially launched on 29 March 2017. But, the full impact of the changes will not be known until after the UK breaks off from the EU in two years. A possible post-Brexit GDPR scenario is that while it is now confirmed that the GDPR will be directly applicable in the UK in May 2018, the UK may move to a lighter touch regime than the one under the GDPR after its exit from the EU in order to places a lesser burden on businesses. The amount of change will depend on the need for the UK to maintain its data protection regime essentially equivalent to that of the EU, in order to avoid restrictions being imposed on the transfers of personal data from the EU to the UK.

How will the GDPR affect your background screening programme?

Background screening under the GDPR, just like under the current Data Protection Act of 1998, can be tricky. It involves a lot of personal data processing, so compliance is crucial. Background screening reports contain a lot of personal data, often involves international transfers and processing in the employment context has particular rules about consent and national derogations.

Key Impacts of the GDPR on background screening:

• Consent
• Transparency with data processing activities
• Regulated data for sensitive personal data and criminal record information
• National derogations for processing data in the employment context
• Enhanced candidate rights
• One-Stop Shop and Fines

Organisations should start preparing their background screening programmes now for the GDPR. It is vital for businesses to raise awareness of the changes, review current privacy notices and background screening policies and make an appointment for the Data Protection Officer (DPO) if one is needed.

Important GDPR and Background Screening Questions

We received many attendee questions during the webinar, which Oran Kiazim was happy to answer. We have a few of these questions below. Please Note: Sterling is not a law firm. The material available in this publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.

1. How will the US-EU Privacy Shield currently in place in an organisation align with the GDPR?The GDPR is a wide-ranging regulation with a much wider scope than Privacy Shield. Although there is some overlap, companies should consider GDPR-readiness separately to Privacy Shield readiness.
2. If we are acting as an intermediary and providing cloud storage to our customers, which we rent out from the likes of IBM or Microsoft and our customer processes personal data using our software, does GDPR apply to us?Insofar as you have access to your clients’ personal information (even if such access is ancillary to the services you offer), you would be subject to the GDPR. Even if you do not have access to such data, your clients may require specific organisational, technical and security measures to be in place. You may also be subject to the GDPR based on any personal data processing for other purposes (e.g. HR administration).
3. Would outsourcing background checks to a third party reduce obligations on a company or simply add an additional layer of checks?Whenever you have control/responsibility over personal information (such as for HR administration) purposes, you will always have obligations under the GDPR, whether you outsource or not. Also, where you decide to use a third party that has access to your personal information, you have an obligation under the GDPR to ensure that the third party is reliable and that a suitable contract is in place that explicitly discusses data protection. That being said, the benefits of outsourcing to a reliable third party could mean that the third party can help you meet your data protection obligations, particularly by ensuring a stronger and more secure technical environment.
4. What data can be shared with auditors?This really does depend on what the auditors are auditing, whether it is your own data or customer data, and in case it is the latter, what contractual restrictions you may have.
5. Where recruitment consultancies are concerned, how does it work if a candidate asks for their information to be removed but they have been put forward to companies,, so data needs to be retained for a certain amount of time?A recruitment consultancy would be responsible for the data of candidates rather than the company they are put forward to (who may have separate obligations). General rules on data retention allow companies to keep the data for as long as necessary to fulfill the purposes it was originally collected for. However, where are candidate objects to the use of their information in a particular way, or otherwise requests that the data is deleted, whether that request is actioned straight away depends on your legal and contractual obligations. However, as part of a balancing exercise, the candidate’s rights must be taken into consideration.
6. You briefly mentioned employees giving consent for retaining their data – how do you deal with this and what if they refuse?Reliance on consent is not always the best way when collecting, disclosing and retaining personal data – particularly employee data given the regulators’ stance on employee consent not always being valid. Just like the Data Protection Act 1998, the GDPR allows companies to consider other legal grounds for processing personal information, such as legal necessity, legitimate interest, etc. These other grounds may be more suitable for processing employee data for HR administration purposes. If, however, you intend to use employee data in a way that is unrelated to general HR administration, other grounds may be more suitable.
7. Can you recommend a certified course on this subject, please?The International Association of Privacy Professionals (IAPP) has great resources for privacy professionals to learn more about data protection and privacy in Europe and the rest of the world. The IAPP also has courses that are designed for non-privacy professionals as well.
8. Are there a minimum number of people that the GDPR covers?  e.g. an independent consultant with customer database or an SME – what size would the company have to be?Any company that processes personal in Europe or about Europeans will need to comply with the GDPR.

Forward Thinking for Your Background Screening Program

Sterling has been planning for the GDPR changes that will affect the background screening industry. Sterling recently was Privacy Shield certified, which allows U.S business to receive data originating from the European Economic Area with greater speed and safety. One way to stay up-to-date on the GDPR changes and make sure that your organization is compliant is to sign-up for the Sterling webinar series. We are offering 10 On-Demand webinars this summer to tackle the many aspects of the GDPR from privacy notices to candidate rights. Sign up today for our next webinar about GDPR and Consent.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.