Updated June 8, 2021
“Demonstrating Compliance with the GDPR” is the second in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. In this series, look for the icon which will highlight specific information regarding potential impact to First Advantage screening processes.
How is compliance demonstrated?
If you are located in the EU, offer goods or services to individuals located in the EU, or monitor the behaviour of individuals located in the EU, your data processing activities involving the personal data of EU residents must comply with the GDPR requirements and you must be able to demonstrate that compliance. What are these requirements? We cover the GDPR’s key privacy principles below.
Principle 1 – Processing must be fair, lawful and transparent
You, as Data Controller, must have a lawful basis on which to process personal data. The GDPR identifies 6 lawful bases:
- Consent of the Data Subject
- Processing is necessary for the performance of a contract, or in order to take steps at the request of the Data Subject prior to entering into a contract
- Processing is part of a legal obligation of the Data Controller
- Processing is necessary to support your legitimate interests as a Data Controller
- Processing is in the public interest
- Processing is necessary to protect the vital interests of the Data Subject or of another natural person
Not all of these legal bases will be relevant to or appropriate for your background screening processes. You may have reason to rely on the “legitimate interest” basis for processing personal data, or on another basis. This is a decision your organisation, as Data Controller, should make through collaboration between your HR and Legal functions, so that, whichever basis applies, you are always processing data in compliance with the GDPR. Requirements relevant to lawful basis are discussed in greater detail in our “Lawful Basis of Processing” article.
Data Controllers must also carry out processing activities in a manner that does not breach the law and that is transparent to the Data Subject. In general terms, this means Data Controllers must be honest and open about how a Data Subject’s personal data will be processed.
Principle 2 – Purpose Limitation
Personal data should be processed only for specified and limited purposes that are clearly communicated to the Data Subject. This means the Data Controller must clearly identify its reasons for processing at the outset, state them in the privacy notice, and reflect them in its records of processing. It cannot use the personal data for another purpose that is incompatible with the original purpose unless it obtains the Data Subject’s consent or has a clear legal obligation or function to do so.
Consider this requirement in terms of your privacy notice. Have you informed the individual of the purposes for which his or her personal data is processed? The GDPR requires that, if a new, future purpose is determined, a new, valid basis or condition for processing must exist (e.g. an updated notice, consent, or another otherwise valid basis for the new purpose or use).
Principle 3 – Data Minimisation (i.e. process only what is necessary)
Data Controllers must limit their data processing activities so that they process only what is necessary to achieve their purpose. This requires Data Controllers to be thoughtful about what kinds of data and processing they need in order to sufficiently and appropriately screen each candidate, according to position type and the applicable legal requirements to which you as an employer may be subject. Because Data Controllers are given the authority to determine how much information is necessary for achieving the purpose of their processing activities, they are also responsible for demonstrating that those activities are limited to the personal data that is necessary. In other words, Data Controllers should collect, use, and retain only personal data that is relevant and necessary. Any personal data that is not needed should be deleted.
First Advantage’s background screening platforms are generally designed to standardise the type of personal data collected and limit the amount of data needed to perform the requested background screening (e.g. certain types of information are not requested unless and until such time as it is required for a particular type of background search or verification and we are conscious not to request extraneous data that we do not need).
Principle 4 – Data Accuracy and Currency
Data Controllers are required to take “every reasonable step” to ensure that the personal data they process is current and accurate. Where inaccuracies exist, Data Controllers are responsible for remedying the errors as soon as possible by erasing or rectifying the data. (A later blog post in this Information Series on the Data Subject’s rights will cover topics such as erasure and the “Right to be Forgotten”.)
Consider the internal processes your organisation follows when candidates or employees tell you that information they have supplied to you, or that was provided to you in a background screening report, is inaccurate. As a Data Controller you have one month to comply with such a request (unless there are circumstances which justify an extension). To support you in the event that such requests are received, First Advantage has established policies and procedures for responding to Subject Access Requests, which may include requests for access, correction, or deletion. We will refer these requests to you for your instructions.
Principle 5 – Limiting Retention
Data Controllers and Data Processors may not retain personal data indefinitely: retention principles apply, and data may be retained only “for as long as is necessary.” No specific retention period is prescribed in the GDPR itself, which means Data Controllers should decide how long data should be retained (in view of the purposes for keeping it) and ensure that those limits are followed. When the personal data is no longer needed, it ought to be erased or anonymised.
First Advantage’s platforms are designed with automated features to assist our customers with meeting data retention compliance requirements. Our default retention period in the EU is two years – however, customers may select their own limits for maintaining personal data within the First Advantage platform.
Principle 6 – Integrity and Confidentiality
Personal data shall be processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” The Data Controller must ensure that appropriate security measures are in place to guarantee the integrity and confidentiality of the personal data. First Advantage has a comprehensive data security programme in place that implements appropriate technical and organisational measures in compliance with the GDPR.
Principle 7 – Accountability
Data Controllers must be able to demonstrate compliance with the GDPR, which in practice means showing how the principles are adhered to on an ongoing basis. A meaningful way to showcase compliance is to have a holistic privacy management framework or programme that incorporates, among other measures, the following activities: taking a ‘data protection by design and by default’ approach, having documented data protection policies and procedures as well as records of processing activities, implementing appropriate security measures, carrying out data protection impact assessments (DPIAs), and appointing a data protection officer. These activities are also often associated with the other principles described above.
First Advantage embeds the accountability principle by operationalising these various activities, as well as updating them from time to time, to build trust with its customers. For instance, it has in place a comprehensive set of processor and controller-related records of its processing activities and it aims for continuous improvements of its DPIA process to reflect its global footprint and strategic acquisitions. The cultural shift towards a privacy-centric organisation is complemented by the support of an external DPO, which you will learn more of in the next blog post.
Next in the GDPR Information Series: “The Data Protection Officer”