“Demonstrating Compliance with the GDPR” is the second in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes.
In this series, look for the 
icon which will highlight specific information regarding potential impact to First Advantage screening processes.
How is compliance demonstrated?
If you are located in the EU, offer goods or services to the individuals located in the EU, or monitor behaviour of the individuals who are located in the EU, your data processing activities involving personal data of EU residents must comply with the GDPR requirements and you must be able to demonstrate that compliance.
What are these requirements? We will cover seven of the GDPR’s key privacy principles below.
Principle 1 – Processing must be fair, lawful and transparent
You, as Data Controller, must have a lawful basis on which to process personal data. The GDPR identifies 6 lawful bases:
- Consent of the Data Subject
- Processing necessary for contract performance to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation of a Data Controller
- Processing is necessary to support legitimate interests of a Data Controller or third party except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in a Data Controller;
- Processing is necessary to protect vital interests of the data subject or another natural person.
Relevant Lawful Basis for Background Screening Purposes
Not all of these legal bases will be relevant to or appropriate for your background screening processes. You may have reason to rely on the “legitimate interest” basis for processing personal data or another basis. This is a decision your organisation, as Data Controller, should make by way of collaboration between your HR and Legal functions in order to ensure that regardless of which basis is relevant, you are always processing data in compliance with the GDPR. Requirements relevant to lawful basis are discussed in greater detail in our “Lawful Basis of Processing” article.
Processing of special categories of personal data
The most sensitive personal data require extra care. GDPR identifies special category of data defined as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a person, data concerning health, or data concerning a person’s sex life or sexual orientation. Processing such data is generally prohibited unless certain exceptions occur, including explicit consent of the Data Subject or where processing is necessary for carrying out the obligations and exercising specific rights of the Data Controller or of the Data Subject in the field of employment law if authorized by the law. Similarly, processing data regarding criminal convictions and offences requires authorization by the local law. If the background screening includes such information, it is advised to consult your processing with legal counsel.
Transparency in Processing Data
Data Controllers must also perform processing activities in a manner that does not breach the law and is transparent to the Data Subject. This means generally that Data Controllers be honest and open about how a Data Subject’s personal data will be processed.
Think about how this transparency will be provided to your candidates and/or employees. Do you have a privacy notice that covers data processing for your employees or candidates? Do you use clear and easy-to-understand language? Do you provide your privacy notice to your candidates prior to conducting background screening that informs them of the “what, how, why, where” of the personal data processing? (First Advantage can host this document on your behalf for presentation to the candidate.) First Advantage provides transparency regarding its processing of personal data in the form of a statement which can be viewed at https://fadv.com/privacy-center/non-us-residents/privacy-policies-by-region/, which includes country-specific policies such as our Privacy Policy for the European Economic Area. This policy discusses our role as a Data Processor in greater detail.
Principle 2 – Purpose Limitation
Personal data should be processed for specified and limited purposes as clearly communicated to the Data Subject. This means the Data Controller must clearly identify its reasons for processing at the onset and state them in the privacy notice as well as reflecting them in its records of processing. The Data Controller cannot use the personal data for another purpose that is incompatible with the original purpose, unless it obtains the Data Subject’s consent, the new purpose is compatible with the initial one or if it has a clear legal obligation or function to do so.
Consider this requirement in terms of your privacy notice. Have you informed the individual what the purposes are for processing his or her personal data? GDPR requires that if a new, future purpose is determined, that a new, valid basis or condition for processing exists (e.g. an updated notice, consent or another otherwise valid basis for the new purpose/use).
Principle 3 – Data Minimisation (i.e. process only what is necessary)
Data Controllers must limit data processing activities to the extent that they may only process what is necessary to achieve their purpose. This requires Data Controllers to be thoughtful about what kinds of data and processing they need to have or do in order to sufficiently and appropriately screen each candidate according to position type and applicable legal requirements to which you as an employer may be subject. Because Data Controllers are given the authority to determine how much information is necessary for achieving the purpose of their processing activities, they are also responsible for demonstrating that activities are limited only to the personal data that is necessary. In other words, Data Controllers should collect, use, and retain only personal data that is relevant and necessary. Any personal data that is not needed should be deleted.
First Advantage’s background screening platforms are generally designed to standardise the type of personal data collected and limit the amount of data needed to perform the requested background screening (e.g., certain types of information are not requested unless and until it is required for a particular type of background search or verification and we are conscious not to request extraneous data that we do not need).
Principle 4 – Data Accuracy and Currency
Data Controllers are required to take “every reasonable step” to ensure personal data that they process is current and accurate. Where inaccuracies exist, Data Controllers are responsible for remedying errors as soon as possible by erasing or rectifying it. (A later blog post on the Data Subject’s rights as part of this Information Series will cover topics such as erasure and the “Right to be Forgotten”).
Consider the internal processes your organisation follows when candidates or employees tell you that information they have supplied to you or that was provided to you in a background screening report is inaccurate. As a Data Controller you have one month to comply with such request (unless there are circumstances which justify an extension). To support you in the event these types of requests are received, First Advantage has established policies and procedures for responding to Subject Access Requests, which may include requests for access, correction, or deletion. We will refer these requests to you for your instructions.
Principle 5 – Limiting Retention
Data Controllers and Data Processors may not retain personal data forever and retention principles apply, in that data may only be retained “for as long as is necessary.” No specific retention time period is prescribed in the GDPR itself, which means Data Controllers should consider how long data should be retained (in view of the purposes for keeping the data and local laws that set rules in these regards) and ensure that such limits are followed. When personal data is no longer needed, it ought to be erased or anonymised.
First Advantage’s platforms are designed with automated features to assist our customers with meeting data retention compliance requirements. Our default retention period in the EEA and UK is two years – however, customers may select their own limits for maintaining personal data within the First Advantage platform.
Principle 6 – Integrity and Confidentiality
The personal data shall be processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” Data Controller shall ensure that appropriate security measures are in place to guarantee the integrity and the confidentiality of the personal data. First Advantage has a comprehensive data security programme in place that implements appropriate technical and organisational measures in compliance with GDPR.
Principle 7 – Accountability
Data Controllers must be able to demonstrate compliance with the GDPR and this effectively means showing how the principles are adhered to on an ongoing basis. A meaningful way to showcase compliance is to have a holistic privacy management framework or programme that incorporates, among other measures, these various activities: taking a ‘data protection by design and default’ approach, having documented data protection policies and procedures as well as records of processing activities, implementing appropriate security measures, carrying out data protection impact assessments (DPIAs), and appointing a data protection officer. These activities are also often associated with the other principles described above.
First Advantage embeds the accountability principle by operationalising these various activities, as well as updating them from time to time, to build trust with its customers. For instance, it has in place a comprehensive set of processor and controller-related records of its processing activities and it aims for continuous improvements of its DPIA process to reflect its global footprint and strategic acquisitions. The cultural shift towards a privacy-centric organisation is complemented by the support of an external DPO, which you will learn more of in the next blog post.
Next in the GDPR Information Series…“The Data Protection Officer”
