August 21st, 2017 | Sterling

GDPR and Privacy Notices

Sterling is offering a 10 part webinar series about the changes to the way personal data is protected in the European Union when the EU General Data Protection Regulation (GDPR) applies on 25 May 2018. The first webinar in the series, “What You Need to Know with 12 Months to Go,” introduces the changes to come. The second webinar in the series, “Consent & Legitimate Interest,” available on demand, was presented by Oran Kiazim, Vice President of Global Privacy, and Beatriz Torets-Ruiz, Privacy Analyst & Legal Researcher.

The GDPR is an EU law which regulates the collection, use, disclosure and processing of personal information of individuals in the EU. The GDPR will replace existing European legislation, such as the UK Data Protection Act 1998, and introduces new requirements and additional burdens on European businesses. It also alters existing concepts, which means that businesses will need to review their existing processes to make sure they are compliant.

What is Meant By “Privacy Notice”?

A privacy notice is the information provided to an individual about “how” and “why” their personal information will be processed. As part of the background screening process, a company (or third-party screening provider) would provide information to a candidate about how and why screening is taking place as well as other information to ensure that the processing of that candidate’s data is transparent and fair. Under the GDPR, the information must be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.”

What are the Content Requirements for Privacy Notices under the GDPR?

The GDPR provides a detailed list of different components of a privacy notice when collecting data directly from an individual or a third party. These components can be categorized into the following areas:

  • Who: The GDPR requires the privacy notice to include the identity and contact details of the data controller – typically this is the company that orders the background check – or their EU representative (if that’s required). You’ll also need to include the contact details of the data protection officer (DPO) (again, where you have one), as well as the categories of recipients of the individual’s data.
  • Why: The purpose or purposes for processing the individual’s personal information will need to be identified. For example, this could be to conduct a background check on a candidate as part of the application process, or on existing employees in connection with a particular identified activity, which is detailed in our background screening policy. An organisation will also need to identify the legal basis for the processing.
  • What: Companies should include the categories of personal data they will be processing. If you utilize a screening provider, they can supply you with the information required to complete a particular background check. Organisations should also identify which data points are mandatory and what the consequences are for not providing the data.
  • How: The method of processing is important, and explaining the background screening process might be helpful, but it is not something which is legally required by the GDPR. What is legally required, however, is detailing any cross-border data transfers and how such transfers are safeguarded, such as by EU standard contractual clauses or the use of binding corporate rules. Companies will also need to indicate how the individual can obtain a copy of those safeguards.
  • When: Employers must identify how long the data will be kept for or, where a specific time frame cannot be identified, what factors are considered for determining retention. Retention periods will typically vary from country to country.
  • Other: Businesses will need to indicate how an individual can exercise their data protection rights, such as the right to access their information, correct or delete inaccurate information, restrict or object to its processing, or port it over to another company. If a company relies on candidate consent, they will need to indicate how the candidate can withdraw their consent or complain to their local supervisory authority. If an organisation’s processing activity includes automated decision making, they will need to indicate that this happens, the logic involved, and the significance and consequences of the processing for the individual. A company should also indicate the source of the data, but only if it did not collect the data directly from the individual.

The “Layered” Approach

A layered approach allows a company to split a privacy notice into multiple layers, each of which reveals more information about the processing than the one before it. It allows a company to be clear and concise, while still being transparent. This approach is recommended by regulators both in Europe and further afield. The first layer is simple and provides a basic overview of the intended processing, without going into too much detail. Individuals who wish to understand more about the processing can go to the next layer, which will typically contain more technical information.

Top Tips When Drafting Your Privacy Notices

Please note: Sterling is not a law firm. The material available in this publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.

With that in mind, Oran and Beatriz offered their top five tips for drafting privacy notices:

  1. Avoid Legalese – Simplicity is the key. It is important to be clear and concise. Citing every applicable law, regulation and standard in the privacy notice is not always required.
  2. Consider a Layered Approach – As mentioned above, a layered approach supports a concise but transparent privacy notice. A company can leverage their screening provider’s expertise to help communicate the more technical elements of the screening process.
  3. Think Locally, Act Globally – A global approach, with local requirements factored in, means a unified approach in all of a company’s locations.
  4. Engage with Your Stakeholders – Think about who else might use the background screening data and whether the data would be used for any other purposes. Companies should have their Legal/Compliance/Privacy teams review the process.
  5. Update Privacy Notices – Organisations need to update their privacy notices to reflect any changes in their background screening activities.

Sterling has been planning for the GDPR changes that will affect the background screening industry since 2016. One way to stay up-to-date on the GDPR changes and make sure that your organisation is compliant is to sign up for the Sterling webinar series. We are offering 10 On-Demand webinars this summer to tackle the many aspects of the GDPR, from privacy notices to candidate rights. Sign up today for our next webinar about GDPR: Processing “Sensitive Personal Data.”

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.