Following the release of our GDPR White Paper and the GDPR implementation date (25th May 2018), we asked Steve Girdler, Managing Director for International Business at HireRight, and Caroline Smith, Associate General Counsel for EMEA and APAC at HireRight, “so what next?”
What are the biggest effects and implications of the GDPR on background screening? What do businesses want and need from a background screening provider following the GDPR? What does the future of background screening look like under the GDPR?
Over the next 5 weeks we will be answering these questions with a series of short videos from Steve and Caroline, each accompanied by a transcript, and some links to a host of GDPR materials.
- The GDPR affects the type of data that you can actually screen and process.
- Transparency around background screening allows candidates to really understand how their data is being handled and used.
- Companies may have previously known that data went from A to B, but didn’t quite know what happened in between. Under the GDPR, that isn’t good enough anymore.
- It’s also important to be able to easily describe to a candidate what an individual check is, what data is collected and where the data is gathered from.
Chapter 1 – Transparency Under the GDPR Video
This video is the first of 6 bite-sized snippets where HireRight’s Steve Girdler and Caroline Smith discuss background screening in the world post-GDPR, in particular, the impact that the GDPR has had/will have on the background screening industry.
Subscribe to our YouTube channel to get a notification when we upload the next video.
Transparency Under the GDPR Transcript
For those of you who’d prefer to read it, here is a full transcript of the video:
The real impact of the GDPR on background screening is that it changes the industry from something that may have been seen as being scary and not understood by candidates into something that is easily unpickable.
There is transparency, and it brings a candidate really into the background screening process, which will change how people view screening and the acceptability of screening.
When we look at the GDPR within our industry, there are a few areas that it touches upon:
The first of these is obviously our service offering – the type of data that you can actually screen and process. There have been quite a few changes made to Article 10, which talks about how you would deal with criminal background information. This is a big change for everybody. But also just in terms of how you are mapping all your processes and understanding where your data flows.
Secondly, I think there’s been a quite relaxed approach to data prior to the GDPR. Companies may know that it goes from A to B, but don’t quite know what happens in between. The GDPR really makes everybody step up and understand those data flows, have them mapped, and be able to explain everything.
The third thing is this transparency concept, allowing individuals to really understand how their data is being handled and used. People are making sure they’ve got robust information notices in place and that their consents are clear. They also need to understand their lawful processes, allowing an individual going through that process to be able to exercise their right easily.
Right, so it’s really coming down to this level playing field and transparency again. If I’m a candidate, I need to be able to know or demystify what the whole process is. I need to understand that background screening is just verifying people’s data, so that they’re able to work for the company they want to work for. Also, that companies themselves have a clear framework which they have to work within.
Yes, absolutely. It’s also important to be able to easily describe to an individual what a particular check is. In our industry, we use buzz words like ‘criminal checks’ and ‘credit checks’, but actually what does that mean in each country? It can vary widely.
One of the biggest things that we’ve done is really demystify that for our candidates. When they’re reading through information notices, they can fully understand what it is that somebody is trying to find out about them, which can help make somebody feel more comfortable.
It’s the mystery, the not knowing where your data is going and how it’s being handled that makes people uncomfortable. The GDPR in that respect, although it can feel quite onerous because it’s a lot of obligations to deal with, actually really helps with our processes, because it helps the candidate become more comfortable.
In terms of our framework, we’re trying to educate our candidates as much as possible up front, so they can feel comfortable about their personal data. When they read through the consent descriptions, if there is something that triggers something in their minds that they might want to disclose to their prospective employers before they go through the screening process, they’re able to do that before they’ve handed over their data to any third party. This is a really important part of the way we’ve built our framework.
Absolutely. One of the other really important parts of this, which we’ve always done but are now giving a little bit more transparency and visibility to, is around asking for people’s consent. We will not do a background check on anybody without their written consent. This is built into the GDPR as well, and is part of how we built our processes and how we built our approach to the regulations.
Upcoming GDPR Blogs/Videos
- Chapter 2 – What are companies looking for from background screening providers post-GDPR?
- Chapter 3 – How do we help businesses with their adherence to the GDPR?
- Chapter 4 – What do you think the future landscape of background screening looks like post-GDPR?
- Chapter 5 – What are the three biggest effects of the GDPR?
- Chapter 6 – What are the four biggest implications of the GDPR?
External GDPR Resources
Find out more about the GDPR and what it means for your business on the European Commission’s website.
You can also read more about the GDPR on the Information Commissioner’s Office (ICO) website.
HireRight GDPR Resources
Read more about HireRight’s preparations for the GDPR in our 12-part blog series below.