12 Steps to GDPR Compliance – Step 2

Posted · Add Comment

Step 2 – Follow the yellow brick road a.k.a. data mapping

Why data map

Data mapping should be a key element in any organisation’s compliance strategy, including any pre-employment screening policy.

The prospective employer (data controller) can face questions from its candidate base about where their personal data is being sent and how it is used. When a data mapping exercise is successfully undertaken, the prospective employer can answer questions with confidence and provide the right level of comfort to candidates during what can be a stressful time. Knowing where data is being sent and how it is used, and being transparent in respect to data mapping, also reduces the risk of any claims of unauthorised handling of personal information. 

How to data map

What are some of the key questions that the prospective employer should ask itself?

  • What type of data is collected? Is any data sensitive personal information?
  • Who is collecting or using that data and is that data sent to any third party?
  • If data is sent to a third party, where is that third party located? Is the data normally hosted in that country?
  • When and how is the data collected and used, and for how long is that data retained?
  • For what purpose is the data collected and used?
How does HireRight support a data controller’s data mapping efforts?

In order to support and align with the prospective employer, a service provider should itself have gone through a data mapping exercise, in particular in respect to its vendor networks that assist in delivering local pre-employment checks. 

Type of data: HireRight’s clients choose the level of screening performed by HireRight, and thus, the type of data collected, as set out in the relevant contract schedule of fees.

Who collects data, and third parties: the HireRight system has transparency at its heart. Supporting documents such as consent forms (discussed in detail in Step 1) set out who collects candidate data, on behalf of whom, and where that data may be sent.

Location of third parties: the global nature of the candidate market place requires global screening support via a network of third party sources and vendors. HireRight maintains a network of such third party sources and vendors, who are subject to HireRight’s data mapping exercise so that HireRight can understand where data is sent, to whom, and how it is stored. Vendor management in preparation for GDPR compliance will be a topic of future blogs, so watch this space.

When, how, and how long: this information is available to the candidate via information notices. Collection and processing occurs only once consent is obtained by, or on behalf of, the prospective employer, and data is retained in accordance with specific client instructions.

What purpose: pre-employment screening only – this information is again available and clearly set out for the candidate, and it is made clear that data is not used, stored or processed for any other purpose than to fulfil the services.

Other benefits of data mapping

Whilst data mapping can be a significant undertaking for many organisations and requires the buy in of key stakeholders, there are other benefits to data mapping, beyond candidate care:

GDPR: data mapping will help with compliance with a number of key elements of the GDPR such as:

  • Maintaining detailed records of data processing activities.
  • Having available records to present to any supervisory authority.
  • Showing accountability i.e. demonstrating that processing activities are performed in compliance with the GDPR.
  • Evidence that an organisation considers data protection by design and by default.

General: 

  • Potential for improved efficiencies of business processes and IT systems by streamlining data flows.
  • Mitigation of risk of data breach (as mentioned above).
  • Maintaining records allows an organisation to respond quickly to discovery requests and consequently reduces related costs.
  • Assists with record retention requirements/policies.
Conclusion

Data mapping is an essential piece of any organisation’s compliance programme and assists in supporting pre-employment screening policies and candidate engagement. On top of this, there are added benefits relating to GDPR compliance and general efficiencies.

In other words, a commitment to data mapping really could result in finding the Emerald City at the end of the yellow brick road!

 

Get notified with the next step to GDPR compliance – subscribe today.

 

Caroline Smith

Caroline is a UK qualified lawyer with over 17 years’ experience and currently serves as HireRight’s Associate General Counsel for the EMEA and APAC region. When not “lawyering” or writing blogs, Caroline can be found striking yoga poses in remote locations such as Mongolia and Bhutan.

More Posts


The HireRight Blog is provided for informational purposes only and should not be construed as legal advice. Any statutes or laws cited in this article should be read in their entirety. If you or your customers have questions concerning compliance and obligations under United States or International laws or regulations, we suggest that you address these directly with your legal department or outside counsel.

Comments are closed.