What is the GDPR?
The GDPR is Europe’s new General Data Protection Regulation. It updates and modernizes the principles set forth in existing data privacy law in order to guarantee privacy rights, and it focuses on:
- reinforcing individuals’ privacy rights,
- ensuring stronger enforcement of privacy principles and rules,
- streamlining international transfers of personal data, and
- setting global data protection standards for businesses to follow.
The changes in the GDPR are meant to give people more control over their personal data and to make that data easier for them to access. While the GDPR was adopted in 2016, its enforcement date was set at 25 May 2018.
First Advantage recognizes that the GDPR will have a direct impact on many of our valued customers, both in the EU/EEA and abroad. As your partner in EU data privacy, First Advantage offers this Information Series to highlight key provisions of the GDPR and obligations that should be considered with respect to your background screening processes.
This GDPR BASICS introduction is the first in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes, including such topics as:
- The Role of the Data Protection Officer
- Demonstrating Compliance with the GDPR
- Understanding Consent
- Data Subject Rights, and
- Controller Obligations vs. Processor Obligations
Who is impacted?
Generally, businesses that operate in the EU are impacted. However, even if you are not established in the EU, you may still be subject to the requirements if you target or monitor individuals located in the EU.
The GDPR governs three classifications of people and entities:
- Data Subjects
- Data Controllers
- Data Processors
| Data Subjects | Data Controllers | Data Processors |
|---|---|---|
| Individuals (natural persons) who have privacy rights under the GDPR and supply their personal data for a transaction | The entity that determines what type of personal data is required, and why and how that personal data is used | The entity that processes data on behalf of a Controller, as directed by the Controller. “Processing” includes collecting, recording, storing, etc. |
| In background screening, Data Subjects are your candidates who pursue employment with your organization, or your employees who are already employed with your organization | You, the First Advantage customer, are the Data Controller because you determine the purpose, the reason, and the type of data collected from your candidates and employees. The personal data is what you collect when evaluating an individual for purposes of making a hiring decision | We, First Advantage, are your Data Processor. We process the data you control and instruct us to process as part of your background screening program objectives |
Data Processors and Data Controllers are subject to different obligations under GDPR, which we will cover in more detail later in our Information Series.
What is covered by the GDPR?
Data Processing: This term is quite broad and could encompass almost any activity that involves or affects the personal data of an individual; any such activity must be performed in compliance with the GDPR. It includes collection, use, recording, storage, organization, etc.
Specific to your background screening processes, the activity of collecting information from candidates when they apply for a position with your organization, or submitting that data to First Advantage via our system or your applicant tracking system (ATS) in order to request a background check, qualifies as data processing.
Personal Data: This is broadly defined as “any information related to a natural person or ‘Data Subject,’ that can be used to directly or indirectly identify the person.” The U.S. definition of PII (“Personally Identifiable Information”) varies under state law and generally refers to very specific types of personal information (e.g. a SSN or Driver’s License number); by comparison, the GDPR’s definition is extremely broad.
As this relates to background screening, almost every item of information you collect from candidates (or that First Advantage collects on your behalf) would fall within the definition of personal data under the GDPR. In First Advantage systems, candidate personal data and other sensitive information is classified, labeled and handled as Confidential Data. When our clients access this data via our customer-facing web applications (such as Enterprise Advantage), Secure Sockets Layer (SSL) encryption protects all confidential data in transit across the public network, reducing the risk of exposure. In addition, data is encrypted at rest when it is stored in our data centers, further protecting it from unauthorized access or loss. We leverage data loss prevention technologies to help prevent sensitive data from being disclosed to unauthorized individuals.
Information Content Notice
Although the foregoing has been authored by the First Advantage Global Legal Compliance Team, First Advantage is not a law firm and we are not authorized to provide your organization with legal advice.
The foregoing information is instead provided in a spirit of partnership, as helpful information on the possible impacts associated with the GDPR.
Please share this document with legal counsel who is familiar with your organization and has expertise in GDPR compliance. Given the substantial financial penalties associated with GDPR non-compliance and their possible impact on your revenue, legal review is an essential part of your organization’s preparation for GDPR compliance.
Current as of February 2018
© 2018 First Advantage Corporation