“Demonstrating Compliance with the GDPR” is the second in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. In this series, look for the icon which will highlight specific information regarding potential impact to First Advantage screening processes.
How is compliance demonstrated?
If you are located in the EU or otherwise conduct business in the EU, or if you monitor individuals who are located in the EU, your data processing activities involving personal data of EU residents must comply with GDPR requirements and you must be able to demonstrate that compliance. What are these requirements? We will cover five of the GDPR’s key privacy principles below.
Principle 1 – Processing must be fair, lawful and transparent
You must have a lawful basis or condition on which to process personal data. Some examples of this include:
- Consent of the Data Subject
- Processing necessary for contract performance
- Processing is part of a legal obligation
- Processing is necessary to support your legitimate interests as a Data Controller
- Processing is in the public interest
Not all of these conditions will be relevant to your background screening processes. You may have reason to rely on the “legitimate interest” basis for processing personal data or another basis. This is a decision your organisation should make by way of collaboration between your HR and Legal functions in order to ensure that regardless of which basis is relevant, you are always processing data in compliance with the GDPR. Requirements relevant to lawful basis are discussed in greater detail in our “Lawful Basis of Processing” article.
Controllers must also perform processing activities in a manner that is transparent to the Data Subject. This means generally that the Data Subject should know about how his/her personal data will be processed.
Principle 2 – Purpose Limitation
Personal data should be processed for specified and limited purposes as clearly communicated to the Data Subject.
Consider this requirement in terms of your privacy notice. Have you informed the individual what the purposes are for processing his or her personal data? GDPR requires that if a new, future purpose is determined, that a new, valid basis or condition for processing exist (e.g. an updated notice, consent or another otherwise valid basis for the new purpose/use).
Principle 3 – Data Minimisation (i.e. process only what is necessary)
Controllers must limit data processing activities to the extent that they may only process what is necessary to achieve their purpose. This requires Controllers to be thoughtful about what kinds of processing they need to do in order to sufficiently and appropriately screen each candidate according to position type and applicable legal requirements to which you as an employer may be subject. Because Controllers are given the authority to determine how much information is necessary for achieving the purpose of their processing activities, they are also responsible for demonstrating that activities are limited only to the personal data that is necessary.
First Advantage’s background screening platforms are generally designed to standardise the type of personal data collected and limit the amount of data needed to perform the requested background screening (e.g. certain types of information are not requested unless and until such time as it is required for a particular type of background search or verification and we are conscious not to request extraneous data that we do not need).
Principle 4 – Data Accuracy and Currency
Controllers are required to take “every reasonable step” to ensure personal data that they process is current and accurate. Where inaccuracies exist, Controllers are responsible for remedying errors immediately and either erase or rectify such data based on applicable GDPR requirements (this Information Series will cover topics such as erasure and the “Right to be Forgotten” in the “Data Subject Rights” article).
Consider internal processes your organisation follows when candidates or employees tell you that information they have supplied to you or that was provided to you in a background screening report is inaccurate. To support you in the event these types of requests are received, First Advantage has established policies and procedures for responding to Subject Access Requests, which may include requests for access, correction, or deletion. We will refer these requests to you for your instructions.
Principle 5 – Limiting Retention
Controllers and Processors may not retain personal data forever and retention principles apply. Similarly to existing requirements in the EU, data may only be retained “for as long as is necessary.” No specific retention time period is established, likely to allow for the various types of processing activity that may occur and differing industry requirements regarding data retention. You should consider how long data should be retained and ensure that such limits are followed.
First Advantage’s platforms are designed with automated features to assist our customers with meeting data retention compliance requirements. Our default retention period in the EU is two years – however, customers may select their own limits for maintaining personal data within the First Advantage platform.
Next in the GDPR Information Series…“The Data Protection Officer”
About First Advantage
First Advantage provides comprehensive background screening, identity and information solutions that give employers access to actionable information that results in faster, more accurate people decisions. With an advanced global technology platform and superior customer service delivered by experts who understand local markets, First Advantage helps customers around the world build fully scalable, configurable screening programs that meet their unique needs. Headquartered in Atlanta, Georgia, First Advantage has offices throughout North America, the United Kingdom, Asia and the Middle East.
Information Content Notice
Although the foregoing has been authored by the First Advantage Global Legal Compliance Team, we are not authorised to provide your organisation with legal advice because First Advantage is not a law firm.
The foregoing information is rather provided in a spirit of partnership as helpful information on the possible impacts associated with GDPR.
Please share this document with legal counsel familiar with your organisation and who has expertise in GDPR compliance. Given the substantial financial penalties associated with GDPR compliance and their possible impact on your revenue, legal review is an essential part of your organisation’s preparation for GDPR compliance.
Current as of June 2020
© 2020 First Advantage Corporation