By Shraddha Deshpande and Srishti Sawant, 11 June 2018
Being shown a red card by an audit firm that deems an organization “NON-COMPLIANT” with a specific law or regulation causes a ripple effect across the length and breadth of the organization. Background screening is a process whose governing regulations vary from one country to another, and non-compliance with these regulations can have serious repercussions. Last year, a survey on Background Screening Trends & Best Practices found that one-fourth of the participating organizations ranked “being compliant with all screening laws” as their number one challenge. One example from last December was the $1.25 million fine that The Financial Industry Regulatory Authority levied on J.P. Morgan Chase & Co. for lapses in background checks. Non-compliance with screening laws can cost a company more than just dollars: it can also do considerable damage to the brand and its reputation, especially when the organization operates in an industry that is more sensitive than others.
GDPR (which came into effect late last week) has left several companies scrambling for support and assistance to ensure that they remain compliant with regulations created to safeguard an individual’s personal and professional information. So how will this affect an organization’s background screening process?
GDPR applies to a company if:
- It processes personal data that originates in the EU, regardless of whether the company is based in the EU or not
- The data it processes crosses an EU border, i.e. either comes in or goes out, regardless of whether the processing is billed for or not
Six essential checkpoints
1) Your Privacy Notice: The Data Privacy act states that employers have to process personal data fairly and lawfully. In the background screening process, it is now important that the employee receives the “privacy notice” or “fair processing notice”, which explicitly describes how the individual’s interests are protected. This enhances transparency in the process, which is now crucial under the GDPR; it is, however, not a new concept, as organizations have always been advised to maintain transparency with employees in the verification process.
2) Consent & Legitimate Interest: An employer has to satisfy at least one of the 2 conditions set out in the new Data Protection act to perform background screening on an employee. These are:
- Obtaining the individual’s consent to screen using the employee’s personal data. The GDPR, however, permits individuals to withdraw consent at any time during the background screening process, and it also means that blanket consent across processes will no longer be considered valid.
- Checking that the processing is in accordance with a legitimate interest: Legitimate interest is one of the six lawful bases for processing personal data, and it must be in line with the ‘lawfulness, fairness and transparency’ principle. Companies need to conduct (and document) a balancing exercise when relying on legitimate interest and include it in the privacy notice shown to employees and candidates. For instance, organizations that employ individuals in roles that involve working with children, elderly citizens, people with special needs, etc., can justify the need to perform screening by citing legitimate interest.
3) Object to screening: The new regulation allows employees to object to background screening at any point in time, even if its accuracy is not contested. If an employee objects to screening, the organization will be required to stop the screening process, review the reason for the objection and provide responses to the employee as required.
4) Transfer of data outside the European Economic Area: Under the GDPR, companies are not allowed to transfer personal data to a country or territory outside the EEA (European Economic Area) unless that country or territory provides an adequate level of protection. However, the screening company will not face challenges if the applicant gives explicit consent to his/her data being transferred to these regions. US-based organizations using a background screening vendor should ensure that the provider is certified under the Privacy Shield.
5) Appointing a Data Protection Officer: The DPO is responsible for administering compliance with the GDPR and will be held accountable for regular and systematic monitoring of data. The GDPR further permits a group of companies to appoint a single DPO, who may be an employee or a third-party service provider.
6) Porting of Data: Employees/applicants in the EU now have the right to receive the personal data they provided to one employer and transfer it to another employer. They also have the right to have the personal data transmitted directly from one employer to another, where technically feasible.
Technically, GDPR was passed a year ago, and organizations were given a buffer period to lay out the necessary measures and enforce policy changes as required. Non-compliance with GDPR can cost millions: the maximum fine for failure to comply is up to 4% of annual global turnover or €20 Million, whichever is greater.
Organizations using screening providers should therefore ensure that their partners have taken the necessary steps, alongside the organizations themselves, to comply with the GDPR. The new regulations have a huge bearing on the flow of information in the screening process, so it is essential that your internal team responsible for org-level compliance and your screening partner stay abreast of the requirements set forth by the GDPR.