August 5th, 2022 | Sterling

Navigating International Compliance in Hiring

With over 11 million job openings in the US currently, it’s clear that the ongoing war for talent is a major challenge for many organizations. It’s no surprise that businesses are reflecting on their current hiring programs and, in many instances, searching further afield for candidates. However, recruiting internationally comes with added compliance complexity, whether HR teams are part of established global enterprises or those now considering extending their programs to meet current hiring demand. Within each region are specific legal obligations which must all be adhered to, such as the General Data Protection Regulation (GDPR) within Europe.

In a recent global webinar, Sterling’s international compliance experts provided the latest regulatory updates and guidance, which you can watch on-demand here. Keeping up with the ever-evolving pace of international, national, and local changes can be intimidating, but it’s critically important that employers understand the legal requirements in every country in which they operate. With this in mind, let’s touch on some of the key discussion points from the webinar.

While there haven’t been any significant legislative changes in relation to the GDPR, a notable development occurred in recent months: the first GDPR fine was handed out for the unlawful processing of criminal conviction data. In February 2022, a major global retailer was fined €2M for processing the criminal conviction data of its delivery drivers in Spain. We previously documented this case in detail and highlighted a number of helpful resources, such as our GDPR checklist.

In comparison, in the UK there are many legal bases for employers to process employees’ criminal convictions. For example, employers may seek to prevent or detect unlawful acts, to protect the public against dishonesty, or to prevent fraud. Criminal records checks are also commonly codified in laws regulating the financial and healthcare industries. However, some other European countries have followed Spain’s lead, meaning that in those countries a criminal record check must be mandated in law before it can be undertaken. Additionally, in certain countries the onus is placed firmly on the employer to determine whether the check can be conducted at all. For example, in Germany, employers must establish that personal integrity is indispensable to the specific role before they can conduct a criminal record check.

When recruiting in European countries, a “works council” can have an influential voice in decisions, similar to that of trade unions — the latter of which reported the global retailer mentioned above. Therefore, when designing a global screening program, it’s essential for organizations to address any existing cultural expectations in addition to what’s legally permitted. A trusted screening partner can work with you to customize the checks you require for each of your job roles.

The Essentials of a Data Processing Agreement

A data processing agreement (DPA) can be a standalone document or can be integrated within a contract. DPAs may also be specific to a certain jurisdiction or role. Again using the example of a US company recruiting in Europe, the GDPR outlines what is required of a DPA, and organizations can adopt models based upon either European guidance or standard contractual clauses (SCCs). Note that this doesn’t necessarily mean they’ll meet the requirements of the US or other non-EU locations. For global businesses, when drafting a DPA, it’s important that you consider all the requirements of every jurisdiction involved, making sure that the core functions establish details such as:

  • Instructions and limitations for processing personal data
  • Responsibility for compliance with the law
  • Who carries out specific compliance activities, and how (e.g., notice to customers, responses to customers)
  • Which party (or parties) determines why and how data is processed, and has grounds under data protection law to process the data. This is the “data controller” in GDPR terms.
  • Types of personal data, with a definition of all data that is covered by the agreement
  • Subject matter, duration, nature, and purpose of processing
  • Data retention, return, and deletion
  • Cross-border transfers
  • Whether sub-processors are permitted
  • Commitment of the processor to participate in Data Protection Impact Assessments (DPIAs)
  • Data breach response activities and timelines
  • Liability for data breach costs and data subject compensation claims
  • Appropriate security measures
  • Right of audit and inspection
  • Commitment to confidentiality

Ensuring Safe and Secure Data Transfers

Data transfers are an important requirement of global commerce, and as such, Sterling goes to great lengths to ensure that our clients’ data transfers are safe and effective. This starts with robust information security and privacy policies which help to ensure that any risks arising from cross-border transfers are minimized. While data transfers have become increasingly complex in nature, particularly within the EU, trusted global screening partners should be well-equipped to support employers with the necessary documentation (e.g., SCCs, transfer impact assessments). It’s also vital for organizations to confirm that their provider has met all the required protocols and all best-practice standards required by the business.

How Does Sterling Help Employers with Global Compliance?

Sterling has a wealth of resources to help clients understand the different compliance considerations in each country. These include our “Country Fact” sheets, which communicate compliance guidance for specific countries and what services are available there. From Sterling’s service offerings to the sources and the scope of these searches, our fact sheets go into more detail, including the data requirements for each check. Within the fact sheets, these compliance considerations are documented both at the individual country level and at the level of each search. In addition to these fact sheets, Sterling also provides employers with the latest trends, guidance, and best-practice considerations covering relevant global topics, including Brexit, identity verification in the US, EMEA, Canada, and other regions, and the GDPR via our checklist. If you’d like to watch the on-demand global compliance webinar, you can access the recording here.

Sterling is not a law firm. This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.