GDPR Compliance and Background Checks

By now you likely have heard of GDPR. This stands for the European Union’s General Data Protection Regulation, and it takes effect on May 25, 2018. If you interact with companies of any kind, you have probably received notifications asking you to review an update to their privacy policy. If you run a business, on the other hand, you are required to comply if you are dealing with customers in the EU.
According to the Guardian, GDPR will replace the “1995 Data Protection Directive, which has until now set the minimum standards for processing data in the EU. GDPR will significantly strengthen a number of rights: individuals will find themselves with more power to demand companies reveal or delete the personal data they hold; regulators will be able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction; and their enforcement actions will have real teeth, with the maximum fine now reaching the higher of €20m (£17.5m) or 4% of the company’s global turnover.” In other words, it’s critical that you follow this new regulation.
Believe it or not, GDPR will play a significant role in how background checks are conducted. It centers on the notion of consent. As you know, background checks require signed authorizations by the individual being investigated. This is considered proof of their consent. However, under GDPR, the way you must document consent is changing slightly.
Employers who wish to conduct or order a background check will be considered “data processors” under the EU’s new regulations. In order to demonstrate consent, they will need to prove that it is unambiguous. Whereas in the past, the definition of “consent” was “freely given, specific and informed,” it is now being defined as “freely given, specific, informed and unambiguous.” Going forward, consent must be provided by a statement or a clear affirmative action indicating that the subject agrees to the processing of their personal data.
In simpler terms, you actually need to receive something in writing from your background check subject stating that they agree to it. It is no longer enough to assume consent as a result of the candidate’s inaction. Similarly, you can no longer rely on pre-checked boxes or forms that do not require acknowledgment and signature by the candidate.
If you conduct background investigations or are situated in any EU country, you will need to comply with the GDPR going forward. Talk with your background investigation provider if you haven’t already to be sure that you are on the same page and are in compliance. As noted above, penalties for failure to comply are stiff.
Don’t assume that non-compliance will go unnoticed. In the United States, violations of the Fair Credit Reporting Act related to background investigations frequently evolve into lawsuits. Many times, the background check subject is able to successfully prove that their rights under the Act were violated. This can mean big financial losses for the employers involved. To read more about avoiding a lawsuit under the FCRA, click here.
If you’d like to learn more about background investigations and how you can ensure you’re compliant, Alliance Risk Group is ready to help! Contact us today for guidance and to set up background checks for your company.

Are you interested in reading more about background investigations? We invite you to explore our other blog posts and whitepapers here.