Best Practices for Making Your Background Investigation Program GDPR-Compliant

In just a few weeks, on May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect, changing the rules around protection of Europeans’ personal data. The GDPR was introduced to harmonize existing data protection laws across Europe, to strengthen data protection rules in the digital age and to ensure consistency for individuals and businesses.

Sterling Diligence (formerly Bishops®) has been working diligently since the law was first drafted to ensure we are GDPR-compliant. Our parent company, Sterling Talent Solutions prepared a 10-part series of webinars and a checklist to help educate readers about their obligations under the GDPR and to prepare their background investigation program.

What is the GDPR and Who Does It Impact?

GDPR will generally apply to any company that operates in the European Economic Area (EEA). It also applies to companies that collect personal information while selling or marketing their products or services to people in the EEA or conducting ongoing monitoring of the behavior of people in the EEA, wherever the company is established.

For an employment investigation program, GDPR will generally apply only to companies operating and hiring locally in the EEA. For a program to investigate people other than employees, the GDPR may apply to any data collection from the EEA, even if the company does not operate there. To understand whether GDPR applies to your investigation program, Sterling Diligence (formerly Bishops®) recommends that you consult your legal counsel.

What Do You Need to Do Now?

Under privacy laws around the world, any organization collecting and processing personal information must provide a privacy notice to individuals that explains how and why their personal information will be processed. While the requirement for a privacy notice is not new, the GDPR sets out a number of specific requirements for privacy notices. If your organization is impacted by the GDPR, there are measures that must be taken to ensure you are compliant with the changes.

Organizations must have a GDPR-compliant contract with their background investigation provider as well as a compliant privacy notice in place no later than 25 May 2018. Please note that U.S. FCRA disclosure and authorization forms will not change as a result of GDPR, as FCRA requirements and GDPR requirements are separate and require separate documentation.

How the GDPR Will Affect Employment Investigations

For a company that relies on background investigation information for its hiring process, it is recommended to have a background investigation policy in place. Organizations need to understand how third-party companies process data on their behalf to make sure their privacy notices, policies and contracts align with GDPR requirements. For an employment investigation program, the GDPR will generally apply only to companies operating and hiring locally in European countries subject to the GDPR. For programs that investigate people other than employees, the GDPR may apply to data collection from Europe, even if the company does not operate there. Failure to comply with the GDPR could result in fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater.

Any company whose investigation program is subject to GDPR should consider several important items to ensure readiness. Some best practices include:

  • Identify the legal grounds for processing personal information and whether you rely on consent for background checks.
  • Ensure your privacy notices provide all the necessary information to individuals.
  • Ensure that any special categories of data (also known as sensitive personal data) are collected in accordance with the law.
  • Review local laws in the countries where you operate to ensure your program is GDPR-compliant.
  • Ensure that appropriate contractual documents are in place for data processing and cross-border transfers of data.
  • Determine whether any automated decision making is taking place and, wherever possible, ensure that background investigations are always subject to human review.
  • Understand how your organization and Sterling Diligence (formerly Bishops®) will cooperate to ensure your subjects’ rights under the law are respected.
  • Have your investigation program reviewed by legal counsel or your Data Protection Officer, if you have one.

Record Retention under the GDPR

The GDPR does not set specific retention periods but requires organizations to destroy or anonymize personal information that is no longer needed for business purposes or to satisfy legal obligations. Some European countries may also have regulatory guidance on how long to retain background investigation data. Your organization should determine both how long you need to keep data and whether you want your third-party investigation provider to keep that data on your behalf.

Right to Be Forgotten and Other Subject Rights Under the GDPR

A third-party investigation provider should be able to facilitate your candidates’ exercise of their rights under the GDPR and other privacy laws. These include, among others, the rights to access and correct personal information, object to its processing and in some cases, have it deleted entirely.

Sterling Diligence (formerly Bishops®) will be sending out client communications with further details that could require action if the GDPR applies to your investigation program. Some changes for Sterling Diligence (formerly Bishops®) clients could include signing a Data Processing Agreement (DPA) and reviewing a new sample privacy notice. Download the complimentary “General Data Protection Regulation and Background Checks: Considerations for Employers” checklist today to help your company prepare for the GDPR. For more information on how the GDPR will impact employers in the US and what they can do to help remain compliant, register for Sterling’s webinar, “GDPR Compliance: What It Means for HR in the US”, today!

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.

*This blog originally appeared on our parent company Sterling Talent Solutions’ website.