What is the GDPR?
The GDPR is Europe’s General Data Protection Regulation, an effort to update and modernise the principles set forth in existing data privacy law to guarantee privacy rights. It focuses on:
- Reinforcing individuals’ privacy rights
- Ensuring stronger enforcement of privacy principles and rules
- Streamlining international transfers of personal data
- Setting global data protection standards for businesses to follow
The changes in the GDPR are meant to give people more control over their personal data and make it easier to access. While the GDPR was made effective in 2016, its enforcement date was delayed until 25 May 2018.
First Advantage recognises that the GDPR has a direct impact on many of our valued customers, both in the EU/EEA and abroad. As your partner in EU data privacy, First Advantage offers this Information Series to highlight key provisions of the GDPR and obligations that should be considered with respect to your background screening processes.
This GDPR BASICS introduction is the first in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes, including such topics as:
- The Role of the Data Protection Officer
- Demonstrating Compliance with the GDPR
- Understanding Lawful Basis
- Data Subject Rights, and
- Data Transfers
In this series, look for the icon which will highlight specific information regarding potential impact to First Advantage screening processes.
Who is impacted?
Generally, businesses that operate in the EU are impacted, although if you are not established in the EU but target or monitor individuals located in the EU, you may find yourself subject to the requirements as well.
The GDPR governs three classifications of people and entities:
- Data Subjects
- Data Controllers
- Data Processors
In background screening, Data Subjects are your candidates who pursue employment with your organisation or your employees who may already be employed with your organisation.
You, the First Advantage customer, are the Data Controller because you determine the purpose, the reason, and the type of data collected from your candidates and employees. The personal data is what you collect when evaluating an individual for purposes of making a hiring decision.
We, First Advantage, are your Data Processor. We process the data you control and instruct us to process as part of your background screening program objectives.
Data Processors and Data Controllers are subject to different obligations under GDPR.
What is covered by the GDPR?
Data Processing: This is quite broad and could encompass almost any activity that involves or affects the personal data of an individual; any such activity must be performed in compliance with GDPR. It includes collection, use, recording, storage, organisation, etc.
Specific to your background screening processes, the activity of collecting information from candidates when they apply for a position with your organisation, or submitting that data to First Advantage via our system or your applicant tracking system (ATS) in order to request a background check, qualifies as data processing.
Personal Data: This is broadly defined as “any information related to a natural person or ‘Data Subject,’ that can be used to directly or indirectly identify the person.” Unlike the U.S. definition of PII (“Personally Identifiable Information”), which can vary under state law and generally refers to very specific types of personal information (e.g. an SSN or Driver’s License number), the GDPR’s definition is, by comparison, extremely broad.
As this relates to background screening, almost every item of information you collect from candidates (or that First Advantage collects on your behalf) would fall within the definition of personal data under GDPR. In First Advantage systems, candidate personal data and other sensitive information is classified, labeled and handled as Confidential Data. When our clients access this data via our customer-facing web applications (such as Enterprise Advantage), Secure Sockets Layer (SSL) encryption protects all confidential data across the public network, reducing the risk of exposure. In addition, data is encrypted at rest when it is stored in our data centers, further protecting the data from unauthorised access or loss. We leverage data loss prevention technologies to help prevent sensitive data from being disclosed to unauthorised individuals.
Next in the GDPR Information Series…“Demonstrating Compliance with the GDPR”
About First Advantage
First Advantage provides comprehensive background screening, identity and information solutions that give employers access to actionable information that results in faster, more accurate people decisions. With an advanced global technology platform and superior customer service delivered by experts who understand local markets, First Advantage helps customers around the world build fully scalable, configurable screening programs that meet their unique needs. Headquartered in Atlanta, Georgia, First Advantage has offices throughout North America, the United Kingdom, Asia and the Middle East.
Information Content Notice
Although the foregoing has been authored by the First Advantage Global Legal Compliance Team, we are not authorised to provide your organisation with legal advice because First Advantage is not a law firm.
Rather, the foregoing information is provided in a spirit of partnership as helpful information on the possible impacts associated with GDPR.
Please share this document with legal counsel familiar with your organisation and who has expertise in GDPR compliance. Given the substantial financial penalties associated with GDPR compliance and their possible impact on your revenue, legal review is an essential part of your organisation’s preparation for GDPR compliance.
Current as of June 2020
© 2020 First Advantage Corporation