“Consent” is the fourth in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. In this series, look for the icon which will highlight specific information regarding potential impact to First Advantage screening processes.
Why is consent important under GDPR?
Consent has been, and still is, one of the valid bases for processing personal data. As discussed in our prior article “Demonstrating Compliance under GDPR,” there are other valid bases for processing personal data under the GDPR and supplemental Member State laws where applicable, such as where the processing is necessary based on the legitimate interests of the Controller, where the processing is necessary pursuant to applicable law, and so on.
Consent is not being eliminated as a valid basis for processing personal data under EU data protection law and most requirements relative to consent are unchanged – however, there are a few new conditions of which you should be aware as a Data Controller.
Recall from our GDPR Basics article that employers who want to run a background check on a prospective employee (aka a ‘Data Subject’) will qualify as ‘Data Controllers’ under GDPR. Controllers must determine what the basis for processing personal data is. If the basis is ‘pursuant to the consent of the Data Subject,’ then it is the responsibility of the employer to obtain a valid consent from the candidate. You may elect to have First Advantage, acting as a ‘Data Processor’ pursuant to your instructions, assist in collecting that consent on your behalf via our screening platforms, using a form that you provide (your own form or our sample template) that has been approved by your legal and/or compliance team.
How will consent change with GDPR?
The definition of “consent” has changed from “freely given, specific and informed” to “freely given, specific, informed and unambiguous.” What does this mean in practice? Consent must now be given by a statement OR a clear affirmative action indicating that the data subject agrees to the processing of his/her personal data.
In practice, if you choose to rely on consent as your valid basis for processing your candidate’s data, you must now be able to demonstrate that your candidates have affirmatively consented to the processing of their personal data for employment screening purposes. Controllers may not assume consent by the candidate as a result of their inaction, or rely on pre-checked boxes or forms that do not require acknowledgment and signature by the candidate.
What about processing ‘Sensitive Data’?
Under GDPR, sensitive personal data is personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation. In cases where sensitive personal data is processed, the consent must also be explicit.
With respect to background screening, it is generally not necessary to process sensitive personal data. If your organization needs to process this kind of data for background screening purposes, proceed carefully and have local counsel review your consent templates to ensure applicable Member State law divergences are taken into consideration.
Tips for Consent Forms
- Is your consent form as specific as possible regarding the types of personal data you plan to process and the purpose for the processing?
- Is it clearly worded in simple, easy to understand language?
- Does it notify the Data Subject of who the Controller is?
- Controllers must be able to demonstrate consent – therefore, relying on oral consents, for example, may be difficult, although they are still technically valid under GDPR. Electronic and paper forms are both still acceptable methods for capturing consent, subject to any applicable e-signature requirements.
- The GDPR requires that consent language must be intelligible and easily accessible – consider whether you should separate your consent from other notices and unrelated documents and whether your candidates are able to retain or easily retrieve a copy of that consent.
- Data subjects should be informed of the right to withdraw consent and it should be as easy to withdraw consent as it is to give consent. Consider whether you have a process in place to facilitate this withdrawal if a candidate wishes to do so.
First Advantage, as a Processor, will offer mechanisms to make it easy for customers to relay candidate preferences and pause or cancel a background check, such as pursuant to a candidate’s withdrawal of consent.
Proceed with caution in these situations:
- Data Transfers: Where transfer outside the EEA is required, data subjects must explicitly consent to the proposed transfer, after having been informed of the possible risks of such transfer. Data Transfer will be covered in greater detail in an upcoming installment in this series.
- Automated Decision-making and Profiling: If automated processing is used in your screening process and you make hiring decisions based solely upon that automated process, data subjects must explicitly consent to the use of such processes.
Pre-ticked boxes, silence, or inactivity are no longer valid options as evidence of consent.
How we can help you
First Advantage will be making one or more sample consent templates available for our clients. Clients may use this document as a starting point for conversations with their internal legal and compliance teams.
Next in the GDPR Information Series…“Data Subject Rights”
About First Advantage
First Advantage provides comprehensive background screening, identity and information solutions that give employers access to actionable information that results in faster, more accurate people decisions. With an advanced global technology platform and superior customer service delivered by experts who understand local markets, First Advantage helps customers around the world build fully scalable, configurable screening programs that meet their unique needs. Headquartered in Atlanta, Georgia, First Advantage has offices throughout North America, Europe, Asia and the Middle East.
Information Content Notice
Although the foregoing has been authored by the First Advantage Global Legal Compliance Team, we are not authorized to provide your organization with legal advice because First Advantage is not a law firm.
Rather, the foregoing information is provided in a spirit of partnership as helpful information on the possible impacts associated with GDPR.
Please share this document with legal counsel familiar with your organization and who has expertise in GDPR compliance. Given the substantial financial penalties associated with GDPR compliance and their possible impact on your revenue, legal review is an essential part of your organization’s preparation for GDPR compliance.
Current as of February 2018
© 2018 First Advantage Corporation