The General Data Protection Regulation (GDPR) is an EU law that regulates the collection, use, disclosure and processing of personal information of individuals in the EU. The GDPR will replace existing European legislation, such as the UK Data Protection Act 1998, and introduces new requirements and additional burdens on European businesses. It also alters existing concepts, which means that businesses will need to review their existing processes to make sure they are compliant.
The GDPR was introduced to:
- Harmonize existing data protection rules across the EU,
- Strengthen data protection rules in the digital age as current laws didn’t factor in the internet, social media, technological advances and other changes that impact individuals’ privacy, and
- Ensure consistency for individuals and businesses.
One of the changes introduced by the new regulation grants EU Data Subjects additional rights. These rights include:
- Withdrawal of consent
- Restriction of processing
- Objection to processing
What This Means for Background Screening
GDPR affects both employers and CRAs, as both handle the personal data of “Data Subjects”. It is important that your background screening organization has policies and procedures in place to protect personal data, can handle the various data subject access requests, and observes the strict retention period. The regulation requires each entity to have a purpose for processing, and each organization should understand its roles and responsibilities, all of which should be set out in a Data Protection Agreement.
We recommend that employers review their agreements, assess their internal procedures against this new regulation, and ask their CRA partners how they comply with it.