March 20th, 2018 | Sterling

GDPR and Background Check Consideration for Employers

On 25 May 2018, the EU General Data Protection Regulation (GDPR) goes into full effect, bringing drastic changes to the way personal data is protected in the European Union. The GDPR is an EU law which regulates the collection, use, disclosure and processing of the personal information of individuals in the EU.

The GDPR will replace existing European legislation, such as the UK Data Protection Act 1998, and introduces new requirements and additional burdens on European businesses. It also alters existing concepts, which means that businesses will need to review their existing processes to make sure they are compliant. The GDPR will apply to:

  • EU companies that process personal data, regardless of whether the processing takes place in the EU
  • Non-EU companies which offer goods or services to individuals in the EU irrespective of whether payment is required
  • Non-EU companies who monitor individuals’ behaviour that takes place in the EU
  • Non-EU companies processing the data of EU citizens, which must also appoint a representative in the EU

GDPR Impact on Employment Background Checks

Background checks can involve significant personal data processing, so complete adoption of GDPR compliance is crucial. It is important for businesses to raise awareness of the changes, review current privacy notices and background screening policies, and consider the appointment of a Data Protection Officer (DPO) where needed. Failure to comply with the General Data Protection Regulation could result in fines of up to 2% of annual worldwide turnover or €10 million, whichever is greater.

Sterling created the “GDPR and Background Checks: Considerations for Employers” checklist to help organisations prepare for the changes going into effect with the General Data Protection Regulation. The checklist highlights the key considerations to help ensure your background screening programme is GDPR compliant. A few of the items to consider are:

  • Consent & Legitimate Interest: Employers must identify the grounds on which they collect personal information for their background screening programme. If you use a consent model, determine whether consent is still appropriate or whether another lawful ground is more suitable. Companies relying on legitimate interest need to conduct (and document) a balancing exercise and include this in a privacy notice displayed to employees and candidates.
  • Privacy Notices: Organisations must be transparent and provide accessible information to individuals about how they will use their personal data. Companies need to review existing privacy notices to determine whether they need to be revised to comply with the GDPR, and work with relevant third parties who may collect data on your organisation’s behalf.
  • Cross-border Data Transfers: A cross-border transfer of personal data occurs when data is accessed or accessible from another country. Ensure that the contractual framework is in place with your background screening provider. Where transfers to the US are necessary for your programme, make sure that your screening provider is certified under Privacy Shield.
  • Profiling and Automated Decision-Making: The GDPR introduces new rules in relation to certain kinds of automated decision-making and profiling which will affect employers. Organisations must make sure that there is a human being involved in the decision-making process for your background screening programme.
  • Candidate Rights Under the GDPR: The GDPR will strengthen the rights individuals have relating to their personal data and will introduce some new ones too. Employers should review their privacy notices to ensure they explicitly call out the rights candidates have and how they can exercise them. Also, make sure internal policies and procedures allow for pausing the screening process if a candidate exercises their right to restrict or object.
  • The Data Protection Officer, Human Resources and Data Protection Impact Assessments: From May 2018, companies will be required to appoint a Data Protection Officer (DPO) where their core activities require regular and systematic monitoring of data subjects on a large scale, or consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.

Create a GDPR Compliant Background Screening Policy

For a company that relies on background screening information for its hiring process, it is recommended to have a background screening policy in place. Organisations need to engage with the third-party companies who may collect data on their behalf to make sure they are following the GDPR guidelines, and update privacy notices, policies and contracts accordingly. One way to stay up to date on the GDPR changes and make sure that your organisation is compliant is to sign up for the Sterling General Data Protection Regulation 10-part webinar series. The on-demand webinars discuss the many aspects of the GDPR, from privacy notices to what DPOs and DPIAs are and how the changes will affect the background screening industry. Download the complimentary “General Data Protection Regulation and Background Checks: Considerations for Employers” checklist today to help your company prepare for the GDPR.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.