How Will the GDPR Impact Your Background Investigations?

The European Union (EU) will soon have a new data privacy regime in place. On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect, changing the rules around protection of Europeans’ personal data. The GDPR was introduced to harmonize existing data protection laws across Europe, strengthen data protection rules in the digital age and ensure consistency for individuals and businesses.

What is the GDPR and Who Does It Impact?

The General Data Protection Regulation will replace existing national data protection legislation in the EU Member States, such as the UK Data Protection Act 1998, and introduce new requirements for European businesses as well as for some businesses outside the EU. It also alters some existing concepts, which means that businesses will need to review their existing processes to make sure they are compliant. The GDPR will apply to:

  • EU companies that process personal data, regardless of whether the processing takes place in the EU
  • Non-EU companies that offer goods or services to individuals in the EU irrespective of whether payment is required
  • Non-EU companies that monitor individuals’ behavior that takes place in the EU

The GDPR will generally only apply to employee screening programs that are already subject to EU law. The GDPR will generally not apply to the following investigation activities:

  • Investigating EU citizens outside of the EU for work outside of the EU
  • Investigating employees or applicants who currently reside in the EU but will move to the US, Canada or elsewhere to work

If you are not sure if the General Data Protection Regulation applies to you, please consult with your privacy office or seek legal advice.

Change to Data Privacy Considerations Under the GDPR

There are some notable changes that organizations will need to keep in mind when working with personal data subject to the General Data Protection Regulation. Below are just a few of the components of the GDPR that may impact employment background checks:

  • Candidate Rights: Candidates have the right to basic information about the screening process, including receiving a privacy notice providing the individual with insight on how and why their personal information will be processed. Open and transparent communication to candidates is crucial. This is not a new concept, but the GDPR introduces some new technical requirements.
  • Consent: The conditions for obtaining consent will ultimately become stricter than under the current Data Protection Directive (95/46/EC). The GDPR gives an individual the right to withdraw consent at any time and as easily as it was given, and presumes that consent will not be valid unless separate consents are obtained for different processing activities. As is currently the case, obtaining consent in an employment context is difficult and will generally not be relied upon for background investigations.
  • Object to Processing: An individual has the right to restrict and/or object to the processing of their personal data in some circumstances. It is also possible for an individual to have a general objection to the processing of personal data, even if its accuracy is not contested. When this objection occurs, the processing of the personal data (or the background investigation) may need to be stopped while the organization reviews and responds to the individual’s concerns.
  • Data Portability: The GDPR codifies a new right for individuals to request that their personal data be transferred from one organization to another in certain circumstances.

GDPR Impact on Employment Background Checks

For a company that relies on background investigation information for its hiring process, it is recommended to have a background investigation policy in place. Organizations need to understand how third-party companies process data on their behalf to make sure their privacy notices, policies and contracts align with GDPR requirements. For an employment investigation, the General Data Protection Regulation will generally apply only to companies operating and hiring locally in European countries subject to the GDPR. For programs that investigate people other than employees, the GDPR may apply to data collection from Europe, even if the company does not operate there. To understand whether and how the GDPR applies to your investigation projects, Sterling Diligence (formerly Bishops®) recommends that you consult your legal counsel or privacy officer.

Background investigations can involve significant personal data processing, so careful GDPR compliance is crucial. It is important for businesses to raise awareness of the changes, review current privacy notices and background investigation policies, and consider the appointment of a Data Protection Officer (DPO) where needed. Failure to comply with the GDPR could result in fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater.

Sterling Diligence (formerly Bishops®) will be sending out client communications with further details that could require action if the General Data Protection Regulation applies to your projects. Some changes for Sterling Diligence (formerly Bishops®) clients could include signing a Data Processing Agreement (DPA) and reviewing a new sample privacy notice.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.

*This blog originally appeared on our parent company Sterling Talent Solutions’ website.