What is the GDPR?
The GDPR is Europe’s General Data Protection Regulation. It updates, unifies and modernises the principles set forth in existing data privacy law in order to guarantee privacy rights, and it focuses on:
- Reinforcing individuals’ privacy rights
- Ensuring stronger enforcement of privacy principles and rules
- Streamlining international transfers of personal data
- Setting global data protection standards for businesses to follow
The changes introduced by the GDPR are meant to give people more control over their personal data and to make it easier to access and use such data on the basis of trust, transparency and fairness. While the GDPR was made effective in 2016, its enforcement date was delayed until 25 May 2018.
First Advantage recognises that the GDPR has a direct impact on many of our valued customers, both in the EU/EEA and abroad. As your key partner, First Advantage offers this Information Series to highlight key provisions of the GDPR and obligations that should be considered with respect to your background screening processes.
This GDPR BASICS introduction is the first in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes, including such topics as:
- The Role of the Data Protection Officer
- Demonstrating Compliance with the GDPR
- Understanding Lawful Basis
- Data Subject Rights, and
- Data Transfers
In this series, look for the icon, which highlights specific information regarding the potential impact on First Advantage screening processes.
Who is impacted?
Generally, businesses that operate in the EU are impacted; however, if you are not established in the EU but target or monitor individuals located in the EU, you may find yourself subject to the requirements as well.
The GDPR governs three classifications of subjects:
- Data Subjects
- Data Controllers
- Data Processors
Data Subjects:
Individuals (natural persons) who have privacy rights under the GDPR and whose personal data is being processed.
In background screening, Data Subjects include the candidates who apply for employment with your organisation and the employees already employed by your organisation.
Data Controllers:
This is the individual or the entity that determines the purpose and the means of processing, i.e. why and how personal data is used.
You, the First Advantage customer, are the Data Controller because you determine the purpose for which the data is collected from your candidates and employees and how the data is used. The personal data is what you collect when evaluating an individual for the purposes of making a hiring decision, as well as data you store or otherwise process about your employees for the purposes of performing the employment contract and meeting your statutory obligations as an employer.
Data Processors and Data Controllers are subject to different obligations under the GDPR.
Data Processors:
The separate individual or entity that processes data on behalf of the Data Controller, as directed by the Data Controller. “Processing” includes collecting, recording, storing and similar activities.
We, First Advantage, are your Data Processor. We serve to process the data you control and instruct us to process as part of your background screening program objectives.
What is covered by the GDPR?
Data Processing: This is quite broad and could encompass almost any activity that involves or affects the personal data of an individual; every such activity must be performed in compliance with the GDPR. It includes collection, use, recording, storage, organisation, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination, erasure and destruction.
Specific to your background screening processes, the activity of collecting information from candidates when they apply for a position with your organisation, or of submitting that data to First Advantage via our system or your applicant tracking system (ATS) in order to request a background check, qualifies as data processing.
Personal Data: This broadly means any information relating to a particular living person – referred to as the ‘Data Subject’ – where that information can be used to directly or indirectly identify the person. Unlike the U.S. definition of PII (“Personally Identifiable Information”), which varies under state law and generally refers to very specific types of personal information (e.g. an SSN or driver’s licence number), the GDPR’s definition is, by comparison, extremely broad. Examples of personal data are not limited to the obvious, such as name, date of birth or home address. Personal data can include an IP address, fingerprint or e-mail address if it allows an individual to be identified, or if identification is reasonably possible. It does not have to be in written form or considered private information (business contact information is still personal data). Specific kinds of sensitive personal data, known as ‘special categories’, are subject to additional protection under the GDPR too.
As this relates to background screening, almost every item of information you collect from candidates (or that First Advantage collects on your behalf) would fall within the definition of personal data under the GDPR. In First Advantage systems, candidate personal data and other sensitive information are classified, labelled and handled as Confidential Data. When our customers access this data via our customer-facing web applications (such as Enterprise Advantage), Secure Sockets Layer (SSL) encryption protects all confidential data in transit across the public network, reducing the risk of exposure. In addition, data is encrypted at rest when it is stored in our data centres, further protecting it from unauthorised access or loss. We leverage data loss prevention technologies to help prevent sensitive data from being disclosed to unauthorised individuals.
Next in the GDPR Information Series… “Demonstrating Compliance with the GDPR”