GDPR: Everything You Need to Know About the New EU Privacy Law
On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into full effect. What does this mean for you and your company’s due diligence and pre-employment screening needs? When it comes to international candidates with work or personal history in the European Union (EU), this new regulation will cause drastic changes in the way their personal data is protected in the EU. This could potentially impact what information you, as a global employer and company, can collect when screening a high-level candidate from the EU.
Would you like a quick crash-course refresher on the major points of the new GDPR law and frequently asked questions about its effect on due diligence and pre-employment screening here in the USA? We’ve got all the essential information you, your organization, and your employees need to know to stay informed below.
What is the GDPR and why was it introduced?
The GDPR or General Data Protection Regulation is an EU law which regulates the collection, use, disclosure and processing of personal information of individuals in the EU.
The GDPR will replace existing European legislation, such as the UK Data Protection Act 1998, and introduces new requirements and additional burdens on European businesses. It also alters existing concepts, which means that businesses will need to review their existing processes to make sure they are compliant. The GDPR was introduced to:
- Harmonize existing data protection rules across the EU
- Strengthen data protection rules in the digital age as current laws didn’t factor in the internet, social media, technological advances and other changes that impact individuals’ privacy
- Ensure consistency for individuals and businesses. The introduction of the “One-Stop Shop” under the GDPR means that businesses will only have to deal with one regulator, based in the country of the company’s EU headquarters.
Who is impacted by the GDPR?
One of the key changes for the GDPR is territorial scope. It is important to understand who is impacted by the GDPR from a geographic perspective. The GDPR will apply to:
- EU companies that process personal data, regardless of whether the processing takes place in the EU
- Non-EU companies that offer goods or services to individuals in the EU, irrespective of whether payment is required
- Non-EU companies that monitor individuals’ behavior taking place in the EU
- Non-EU companies processing the data of EU citizens, which must also appoint a representative in the EU
What does the GDPR cover? What is meant by personal data?
Personal data as defined by the GDPR is “any information relating to an identified or identifiable natural person.” This is a broad definition, as it covers any information about an individual who is identified or identifiable. Business names and business addresses do not count as personal data. However, business contact information can sometimes constitute personal data if an individual can be identified from it.
How will Brexit affect the GDPR?
In principle, there is a commitment by the UK to implement the GDPR in May 2018, even with Brexit procedures having been officially launched on 29 March 2017. But the full impact of the changes will not be known until after the UK breaks off from the EU in two years. A possible post-Brexit GDPR scenario is that, while it is now confirmed that the GDPR will be directly applicable in the UK in May 2018, the UK may move to a lighter-touch regime than the one under the GDPR after its exit from the EU in order to place a lesser burden on businesses. The amount of change will depend on the need for the UK to keep its data protection regime essentially equivalent to that of the EU, in order to avoid restrictions being imposed on transfers of personal data from the EU to the UK.
How will the GDPR affect your background screening program?
Background screening under the GDPR, just like under the current Data Protection Act 1998, can be tricky. It involves a lot of personal data processing, so compliance is crucial. Background screening reports contain a lot of personal data, screening often involves international transfers, and processing in the employment context has particular rules about consent and national derogations.
Key Impacts of the GDPR on background screening:
- Transparency with data processing activities
- Regulated data for sensitive personal data and criminal record information
- National derogations for processing data in the employment context
- Enhanced candidate rights
- One-Stop Shop and Fines
Organizations should start preparing their background screening programs now for the GDPR. It is vital for businesses to raise awareness of the changes, review current privacy notices and background screening policies, and appoint a Data Protection Officer (DPO) if one is needed.
Important GDPR and Background Screening Questions
We have a few of the most frequently asked questions from clients below. Please Note: Sterling Diligence (formerly Bishops®) is not a law firm. The material available in this publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.
- How will the US-EU Privacy Shield currently in place in an organization align with the GDPR?
  The GDPR is a wide-ranging regulation with a much wider scope than Privacy Shield. Although there is some overlap, companies should consider GDPR-readiness separately from Privacy Shield readiness.
- If we are acting as an intermediary and providing cloud storage to our customers, which we rent from the likes of IBM or Microsoft, and our customer processes personal data using our software, does the GDPR apply to us?
  Insofar as you have access to your clients’ personal information (even if such access is ancillary to the services you offer), you would be subject to the GDPR. Even if you do not have access to such data, your clients may require specific organizational, technical and security measures to be in place. You may also be subject to the GDPR based on any personal data processing for other purposes (e.g. HR administration).
- Would outsourcing background checks to a third party reduce obligations on a company or simply add an additional layer of checks?
  Whenever you have control or responsibility over personal information (such as for HR administration purposes), you will always have obligations under the GDPR, whether you outsource or not. Also, where you decide to use a third party that has access to your personal information, you have an obligation under the GDPR to ensure that the third party is reliable and that a suitable contract is in place that explicitly addresses data protection. That being said, a reliable third party can help you meet your data protection obligations, particularly by providing a stronger and more secure technical environment.
- What data can be shared with auditors?
  This really depends on what the auditors are auditing, whether it is your own data or customer data, and, in the latter case, what contractual restrictions you may have.
- Where recruitment consultancies are concerned, how does it work if a candidate asks for their information to be removed but they have been put forward to companies, so the data needs to be retained for a certain amount of time?
  A recruitment consultancy would be responsible for the data of candidates rather than the company they are put forward to (which may have separate obligations). General rules on data retention allow companies to keep data for as long as necessary to fulfill the purposes it was originally collected for. However, where a candidate objects to the use of their information in a particular way, or otherwise requests that the data be deleted, whether that request is actioned straight away depends on your legal and contractual obligations. In any case, as part of a balancing exercise, the candidate’s rights must be taken into consideration.
- You briefly mentioned employees giving consent for retaining their data. How do you deal with this, and what if they refuse?
  Reliance on consent is not always the best way when collecting, disclosing and retaining personal data, particularly employee data, given the regulators’ stance that employee consent is not always valid. Just like the Data Protection Act 1998, the GDPR allows companies to consider other legal grounds for processing personal information, such as legal necessity, legitimate interest, etc. These other grounds may be more suitable for processing employee data for HR administration purposes. If, however, you intend to use employee data in a way that is unrelated to general HR administration, other grounds may be more suitable.
- Can you recommend a certified course on this subject, please?
  The International Association of Privacy Professionals (IAPP) has great resources for privacy professionals to learn more about data protection and privacy in Europe and the rest of the world. The IAPP also has courses designed for non-privacy professionals.
- Is there a minimum number of people that the GDPR covers? For example, an independent consultant with a customer database, or an SME: what size would the company have to be?
  Any company that processes personal data in Europe or about Europeans will need to comply with the GDPR.*
With all these new compliance laws soon to go into effect, and the complexities that naturally follow, now is the time to make sure you are partnered with an executive due diligence and pre-employment screening partner that is prepared. Major changes in the compliance landscape are an opportune time to reassess your current screening partner’s capabilities. Don’t be deterred from hiring the best and brightest candidate from Europe because of these stringent regulations; make sure you partner with an expert in the screening industry to minimize your risk and ensure you hire with peace of mind.
*This blog post originally appeared on Sterling Talent Solution’s UK website. You can view the original posting here.