June 5th, 2018 | Debbie Lamb, Sterling Talent Solutions
What Does the GDPR Mean for HR in the US and Canada?
Have you been inundated with emails about updated privacy agreements from banks, digital and email providers, search engines and social platforms? Companies in the US and Canada have been updating their privacy agreements to be more in line with the European Union’s GDPR changes. On May 25, 2018, the General Data Protection Regulation (GDPR), a new data privacy law in the European Union, went into effect, changing the rules around protection of Europeans’ personal data. Why does the change matter to companies in the US and Canada? In the recent webinar, “GDPR Compliance: What It Means for HR in the US and Canada”, Sterling’s Assistant Vice President of Global Privacy, Mark Sward, explained how the updated data privacy laws might impact companies with offices, employees, vendors or other activities in the European Union.
Sterling has been preparing for the GDPR since January 2016 by systematically reviewing our policies, systems and processes and updating them where necessary to ensure compliance. We produced a 10-part series of webinars, a checklist, FAQs with common GDPR questions, and blog posts to help educate our readers about their obligations under the GDPR and to prepare their background screening program.
What is the GDPR?
The GDPR was introduced to harmonize existing data protection rules across the EU, strengthen data protection rules in the digital age and ensure consistency for individuals and businesses. It refreshes and consolidates existing European privacy legislation and introduces some new concepts and technical obligations on companies that process personal information. The GDPR replaces each EU member state’s existing privacy laws. The GDPR defines personal data as: “Any information relating to an identified or identifiable natural person.”
Who is and Who is Not Impacted by the GDPR?
Extraterritorial application of the GDPR is perhaps the biggest change from existing EU data protection law. The GDPR will apply to:
- EU companies that process personal data, regardless of whether the processing takes place in the EU
- Non-EU companies that offer goods or services to individuals in the EU irrespective of whether payment is required
- Non-EU companies that monitor individuals’ behavior that takes place in the EU
There are many myths and questions swirling around the GDPR. To dispel one of the myths: “The GDPR does NOT apply to data collected from all EU citizens, even if they are not present in Europe!” Its application is limited to circumstances where the company that controls or processes the data is in the EU, the data is collected in the context of the offer of a good or service to a person in the EU, or the behavior of a person in the EU is monitored.
What are the Changes under the GDPR?
To understand the rules in the GDPR, one must understand the concepts of “controller” and “processor.” An organization that processes personal data or has personal data processed on its behalf may be a controller or a processor:
- Data Controller: The data controller determines the purpose and means of processing. When conducting background screening, the organization requesting the screening is the data controller.
- Data Processor: The data processor processes data on the controller’s behalf. The company that carries out a background check on behalf of its client is a data processor.
The GDPR enshrines the Privacy by Design and Default concepts in law, which say that privacy should be built into all processing of personal data from the beginning, and that the default setting should always be to protect privacy and limit the amount of information that is shared. Additionally, there are newly codified data subject rights under the GDPR, including the “Right to be Forgotten” and the right to data portability. Stricter enforcement mechanisms are a part of the GDPR, including significant fines (up to 20M Euros or 4% of a corporate group’s global revenue), and the GDPR introduces the possibility of a “one-stop-shop” with a single lead regulator handling a situation rather than one in every country.
How Will the GDPR Affect Your Background Screening Program?
The GDPR will generally only apply to employee screening programs that are already subject to EU law and that are operating and hiring locally in the EEA. For a program that screens people other than employees, the GDPR may apply to any data collection from the EEA, even if the company does not operate there, so you should check with your privacy office or legal counsel for advice. The GDPR will generally not apply to the following screening activities:
- Screening people who hold EU citizenship, but are located outside of the EU and will work outside of the EU
- Screening employees or applicants who currently reside in the EU but will move to the US, Canada or elsewhere to work for a local employer
- Domestic screening in the US or Canada
For a company that relies on background screening information for its hiring process, it is recommended to have a background screening policy in place. Organizations need to understand how third-party companies process data on their behalf to make sure their privacy notices, policies and contracts align with applicable requirements, so it is important to understand which laws apply to your program.
Best Practices to Be GDPR Compliant
Companies need to determine whether the GDPR applies to their background screening program. If it doesn’t, then no action is needed. If it does, organizations should review their background screening program and policy for compliance. The Sterling GDPR Checklist is a handy reference guide for companies. Check with your background screening company for updated privacy notices and data processing agreements. For more information about how the GDPR will impact background screening programs in the US and Canada, download the OnDemand version of our webinar.
PLEASE NOTE: Sterling is not a law firm. The material available in this presentation/publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.
This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.