On May 25, the General Data Protection Regulation, or GDPR, goes into effect in the European Union. This landmark change updates the current privacy legislation, which was crafted in the 1990s.
Who must comply with GDPR?
Any company which processes data about European Union citizens, regardless of whether the company is located in the EU.
What is the goal of the legislation?
GDPR is meant to give EU citizens greater control over how their personal data is collected and used. The legislation routinely refers to the “rights and freedoms” of the individual, which is consistent with the EU perspective of privacy as a fundamental right of its citizens.
What is GIS doing to comply?
We have formed an internal working group which has representation from Legal, Compliance, International and Technology; this group’s charter is to ensure we are prepared for the GDPR deadline.
Because we are governed by the U.S. FCRA and have been working within current EU privacy principles, we believe we have a solid start on GDPR compliance. For example, we already satisfy certain GDPR requirements related to transparency because our international authorization form declares the reason for collecting data, and we ask the candidate for consent.
What are key terms needed to understand the legislation?
- Data subject: The individual whose personal data is being collected, processed or transferred. This is the EU equivalent of a “consumer” or a “candidate.”
- Data controller: The individual or company requesting the collection, processing or transfer of a data subject’s personal information. In the pre-employment screening world, the data controller is our client, who requests data collection for pre-employment screening.
- Data processor: The individual or company which receives and uses information from the data controller. For screening, GIS would be the data processor, as we use the personal information to conduct verifications or criminal checks the client has ordered.
What are the key principles of GDPR?
- Fairness and transparency: It should be clear to the individual that data is being collected – and for what reason.
- Purpose limitation: The reason for collection should be easily understood and not overly broad.
- Data minimization: Organizations should only collect as much data as is required to fulfill the purpose; e.g. do not collect a National Insurance Number if it is not needed to process a criminal check.
- Accuracy: Data should be accurate and, where necessary, up to date.
- Data deletion: Data must be kept only as long as is required to satisfy the intended purpose.
- Security: Measures must be in place to protect data from unauthorized access.
- Accountability: The data controller (our clients) must ensure compliance with GDPR, including putting measures in place to ensure their processors also comply. For us, that usually means the client will request contractual assurances.
A version of this article originally appeared in GIS’ quarterly newsletter.