March 8th, 2018 | Sterling

What is a Data Protection Officer and Data Protection Impact Assessment under the GDPR?

Sterling has produced a 10-part webinar series about the changes to personal data protection in the European Union when the EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018. The webinars share key steps hiring managers, HR and legal personnel can take now to help ensure full compliance from day one. The first webinar in the series, “What You Need to Know with 12 Months to Go”, introduced the changes to data privacy laws to come. The ninth webinar in the series, “Data Protection Officer, Human Resources and DPIAs”, is now available on demand. Oran Kiazim, Vice President of Global Privacy, and Beatriz Torets-Ruiz, Privacy Analyst & Legal Researcher of Sterling, explain the importance of a Data Protection Officer and data protection impact assessments under the GDPR.

What is a Data Protection Officer?

A Data Protection Officer (DPO) is an individual responsible for overseeing compliance with the GDPR. You must appoint a DPO if your organisation is a public authority or carries out large-scale monitoring or processing of data or of data relating to criminal convictions and offences. A single DPO can be appointed to act for a group of companies, and the DPO can be an internal employee or an external third-party service provider.

The role of the DPO with regard to a background screening programme involves advising and training on compliance. The DPO would conduct data protection impact assessments (DPIAs) and maintain a record of processing activities. The DPO reports to the highest management level of your organisation while operating independently. They cannot be dismissed or penalised for performing their task.

The Article 29 Working Party, which includes representatives from the data protection authorities of each EU member state, adopted guidelines for DPOs.

What is a Data Protection Impact Assessment?

Data protection impact assessments (DPIAs) help organisations identify and mitigate privacy risks. They help companies comply with their data protection obligations and meet individuals’ privacy expectations. The Information Commissioner’s Office (ICO) promotes the use of DPIAs as an integral part of taking a privacy-by-design approach. The ICO also states that a company must carry out a DPIA when using new technologies and the processing is likely to result in a high risk to the rights and freedoms of individuals. DPIAs are not always mandatory, but they are recommended.

Importantly, a DPIA is required for companies that perform background screening. DPIAs contain the following elements:

  • Description of Processing: For companies that perform background screening, a DPIA is required to describe what checks will be run as well as the basis for processing, which states that screening is based on a legal requirement or an organisation’s legitimate interest.
  • Necessity and Proportionality: The DPIA shows the necessity for conducting background screening. This element describes how background checks are proportional to a company’s legal and organisational requirements.
  • Mitigation: Any risk mitigation efforts have an established timeline for completion.
  • Risks to Rights and Freedoms: A DPIA will be tailored to the particular activity (e.g., background screening).

Companies should reach out to their screening providers to assist them with their DPIA as it relates to the fulfillment of their background checks. A third-party provider should have all the materials and resources needed to assist organisations and their DPOs with technical details required for DPIAs.

Practical Tips for Working with a DPO

Oran and Beatriz shared a few practical tips about DPOs and DPIAs:

  • Determine whether your company requires a DPO
  • If you don’t already have a DPO assigned (and if you do need one), consider recruiting one sooner rather than later
  • Get the DPO involved in reviewing your screening programme, conducting a DPIA where necessary and reviewing relevant policies
  • Work with your background screening provider for assistance with the DPIA

Please note: Sterling is not a law firm. The material available in this publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.

Sterling has been planning since 2016 for the GDPR changes that go into full effect on 25 May 2018. One way to stay up to date on the provisions of the GDPR and make sure that your organisation is compliant is to sign up for the Sterling GDPR 10-part webinar series. The on-demand webinars tackle the many aspects of the GDPR, from privacy notices to definitions of automated decision-making and how the changes will impact the background screening industry. Sign up today for these informative webinars.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.