7 General Data Protection Regulation (GDPR) Considerations for Background Screening Compliance

Senior Director of Marketing

The European Union’s (EU) General Data Protection Regulation (GDPR), which enforces a set of laws designed to protect European citizens’ personal data, went into effect on May 25, 2018. It affects all companies that deal with personal data, and even non-EU-based companies will still have to comply. GDPR impacts not just companies that are hiring in the EU but also those that employ citizens of the EU who live in other parts of the world.

What is GDPR Really About?

So what exactly is GDPR about? It was designed as a replacement for the Data Protection Directive 95/46/EC with the purpose of reconciling country-specific and sometimes conflicting European data privacy laws. Most importantly, it aims at changing the way organizations operating in the EU, or those collecting personal data from the EU’s citizens, approach data privacy. It also provides a harmonization of the data protection regulations throughout the EU, thereby (in theory) making it easier for American companies to comply.

Under GDPR it is unlawful to use an EU citizen’s data without his or her explicit consent. This citizen data includes consumer information and more importantly, for talent acquisition leaders, candidate information. GDPR fundamentally changed the way recruiting teams can engage candidates who are citizens of EU countries in the areas of resume and application storage, candidate data collection, employment branding activities, and candidate sourcing strategies.

How GDPR Impacts the Hiring Process

Recruiters are no longer able to send emails to users who have not opted into their mailing list. Additionally, recruiters and HR staff must be aware of who is currently in their database. This means you may wish to consider grouping candidates in the EU into a different category than candidates elsewhere (who are not impacted by GDPR). You must obtain affirmative consent before collecting or sharing candidate data.

From the application process to background screening, companies recruiting or employing EU citizens must adhere to strict new regulations. Under GDPR, you are required to ask for explicit consent, clarify how you will use each candidate’s data, and make sure that the data remains secure. This involves more than simply adding a clarification and a checkbox to data collection forms. Your vendors, such as your ATS, payroll, and recruiting software, must also be GDPR compliant.

How to Ensure Vendor Compliance

The impact of GDPR is broad, but it focuses on data collection. You’re likely using an ATS or other recruiting software, along with vendors that run background checks or candidate screens. It’s imperative that your vendors are aware of the GDPR constraints and fully compliant. Here are seven questions to ask your vendors:

(1) Do you have a clear privacy policy?

Even if you currently have one in place, you will need to write a clear privacy policy that consumers can actually read and understand. In that policy, you must clearly indicate what personal information is being requested or collected. Candidates or applicants have to be given a choice of whether or not to provide their data, and any data that is collected needs to be clearly marked for the specific purpose for which it was collected.

NOTE: Any data that is collected for a stated purpose can only be used for that purpose, the one for which consent was obtained. This means that data collected for a job application can be used for background checks only if the applicant gives explicit consent to that use.

(2) Do you have GDPR compliance for applications around the world or will you have separate policies for each country?

Your ATS and any other software you’re using to hold data will need to be GDPR compliant. If your ATS and other vendors are on their game, they’re already working on compliance or have compliance for GDPR in place.

(3) Opt-out or opt-in?

Most U.S. companies currently use an opt-out policy when collecting and sharing consumer data. The opt-out model requires consumers to specifically ask data collectors and aggregators not to share their data with third parties. Otherwise, consent is assumed by default. The GDPR requires organizations to do just the opposite. You must obtain affirmative consent before collecting or sharing candidate data. Make sure your vendor is prepared for this change.

(4) How will you handle the “Right to Erasure”?

Under the GDPR, candidates must be able to access and review their data anytime they like, ask for their data to be updated, and request its full deletion. Candidates have the “right to be forgotten,” or “right to erasure,” meaning that they can request that their data be erased when it is no longer necessary for the original purpose.

This impacts your ATS and the hiring process because applicants can apply for a position, get rejected, then request their right to erasure. A few months later, the same job seeker could apply again, but you won’t know it because your ATS won’t show it. No data, no notes from previous interviews, no data on the job seeker at all. And not only will you have to remove data by request from your ATS, it also must be removed from the sourcing tools your ATS uses. The same goes for any data collected for the purpose of a background screen.

(5) What is your Breach Notification policy?

GDPR requires companies to inform consumers about data breaches impacting their personal information. While that requirement is not particularly new for American companies—most states mandate it currently—the breach reporting requirements under GDPR are stringent. Notification must be made within 72 hours from the time the breach is discovered.

(6) Are you prepared for GDPR Reporting Requirements?

Under Section 3, Article 35 of the GDPR, a Data Protection Impact Assessment (“DPIA”, which is also commonly known as a Privacy Impact Assessment or “PIA”) is required for any processing that may result in “high risk.” The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA. While official public lists from the Data Protection Authorities (“DPAs”) are forthcoming, your company and its vendors should begin identifying areas of high risk, such as data processing, email triggers, data collection, and portability of data (when erasure is requested).

(7) What is your company’s liability for failure to comply?

GDPR fundamentally changes the way recruiting teams engage candidates who are citizens of EU countries in the areas of resume and application storage, candidate data collection for background checks, employment branding, and candidate sourcing. Compliance is mandatory for all organizations, anywhere in the world, that process the personal data of EU residents. Failing to comply could result in severe penalties of up to 4 percent of worldwide revenue for the prior financial year or €20 million, whichever is greater. If your vendor’s software isn’t compliant, who is responsible for the penalties?

Compliance is as important to your vendor’s business as it is to yours. If you’re not sure where your vendors stand, use the list above as a starting point for confirming their compliance, since GDPR is a law whose reach extends well beyond the EU.

When it comes to pre-employment and post-employment background screening, PreCheck, a Cisive company, is prepared for the GDPR. To learn more about PreCheck and Cisive’s commitment to GDPR compliance, contact us today.

Editorial note: This post originally appeared on the Cisive Blog.