Most folk working for entities affected by the General Data Protection Regulation (GDPR) probably feel that they need a couple of aspirin right about now. May 2018 is fast approaching, and there still seems to be a mountain to climb to get compliant.
Over the next 12 months, HireRight will continue to be reviewing its services to prepare for GDPR compliance, and via this blog will share some thoughts on those issues most closely affecting those services.
Step 1 – Candidate Consent and Information Notices
Consent is a cornerstone of the HireRight service. But what does this mean in the context of the GDPR?
How to obtain consent
The GDPR states that consent must be:
- Not be assumed from inaction
- Can be withdrawn at any time
- Forced consent will be “invalid”
- Genuine and “granular”
This all looks relatively straightforward, but “unambiguous” consent and “assumed” consent have caused some debate in legal circles as to what this might mean: for example, it is clear that a signature or ticking a box noting consent will be both unambiguous and show active consent. But what if someone reads a notice and then takes an affirmative action such as entering their personal details on a form without then completing a tick box to note consent? Such is the complexity of the issue that in March the UK data privacy regulator, the ICO, issued a guidance document and commenced consultation.
HireRight will be monitoring the outcome of this consultation.
What information should consent/notices contain?
Once the ICO (or other regulators) provide clarification on the issue of obtaining consent, entities will need to turn their attention to how to communicate consents and notices. The list of items to be included in notices and consents runs to around six pages in the GDPR, which is difficult to reconcile against the GDPR mantra of making such consents and notices “concise, transparent, intelligible and accessible”.
When evaluating and drafting any new sample forms of consents or notices that can be made available to our clients for informational reference purposes, HireRight will be reviewing the questions that candidates ask with greatest frequency to help ensure the right level of information is included in documentation: in particular, with candidate footprints becoming increasingly global, it will be important to set out clearly where, by whom, and how their personal data is processed. Of course, candidate rights, data retention periods and the right to withdraw consent will need to be clear. We recommend that all employers regularly review their consent forms and notices to be sure the forms meet their compliance needs and requirements.
Consent in the context of employment
The GDPR states that consent is not to be relied upon where there is a clear imbalance between data subject and controller. There has been a long running debate as to exactly what this means when analysing the relationship between the employer and employee (or prospective employee).
Rather serendipitously, under the GDPR, Member States are allowed to come up with their own rules on (i) how employee data can be processed; (ii) what can be processed; and (iii) when consent can be deemed valid. HireRight will be closely monitoring what Member States have to say on this topic.
In the event that Member States, or some Member States, do not permit consent, does this mean that consent will fail or should not be used? We think that this is unlikely and suggest:
- Consent and notices be used to evidence “affirmative action” by a candidate and transparency
- Notices can make it clear that consent is only one of the items relied on for processing data: consider reliance on processing being a requirement to fulfilment of a (employment) contract
- Hiring entities consider having policies in place for those instances where a candidate does not wish to proceed with all or part of a verification
Where are we now? The HireRight systems already offer options to support employers in their efforts to ensure the delivery and collection of information notices and consents.
HireRight will continue to monitor developments and guidance relating to consent as we march down the path together towards GDPR compliance.
Learn more about how to prepare your screening programme for the GDPR
Be the first to hear about GDPR updates and the latest background screening industry news – Sign up to our newsletter today.