GDPR may have an impact on your background check procedures
The European Union's General Data Protection Regulation (GDPR) framework is expected to bring about the biggest change to European data security in 20 years, a change potentially impacting U.S. companies that collect personal data or other information from someone in an EU country. Alteration of the rules protecting Europeans' personal information also means that some employers must rethink how they will screen potential hires to ensure compliance with the GDPR.
The new regulation replaces the Data Protection Directive, established in 1995 to control the processing of personal data within the EU. The GDPR went into effect on May 25, 2018, and is designed to strengthen data protection rules and guarantee consistency for individuals and businesses.
In terms of employment screening, the rules will generally apply only to companies hiring locally in those European countries subject to the regulation. Screening EU citizens outside of the region for work will not be impacted by the GDPR, nor will running a background check on EU-based candidates moving outside of the EU for employment.
Organizations should be especially careful when working with screening-related data subject to GDPR mandates. Companies must clearly explain to job candidates how their personal data is being handled, carefully following the new requirements for candidate consent that are currently available on the Information Commissioner's Office (ICO) website.
During a normal background check, for example, an applicant may make a subject access request, or SAR, to obtain a copy of their background report. Under the GDPR, businesses must respond to the request within 30 days rather than the 40 allowed by the previous regulation.
Conditions for obtaining consent are also anticipated to become stricter than under the previous Data Protection Directive. Per the GDPR, individuals may withdraw consent at any time, and consent will not be valid without obtaining separate consents for different processing activities. The GDPR also allows applicants to request that their personal information be transferred from one organization to another in certain circumstances.
Ultimately, businesses would be wise to review their background check procedures and privacy notices in light of the amount of personal data involved in most job screenings. Failure to follow the updated rules could result in massive financial penalties of 20 million euros or 4% of a company's global revenue.
OPENonline is a trusted source for comprehensive background screenings. For more information, visit our website.