Welcome to our second video about the effects of the GDPR on the background screening industry. The first video – Chapter 1 – Transparency – talked about the importance of transparency in the background screening industry under the GDPR.
In this video, Steve Girdler, Managing Director for EMEA & APAC, and Caroline Smith, Associate General Counsel for EMEA and APAC, discuss what companies are looking for from their background screening provider when it comes to the GDPR.
- Companies are predominantly looking for a partner who understands the legislation and has embedded it within the organisation.
- HireRight has agreements in place with its customers that set out all of our obligations in respect to the GDPR.
- Customers are really looking for partners that understand that the GDPR, if used correctly, can be a good thing.
- Article 28 Obligations mean that a data processor is required to inform a data controller if they’re doing something they shouldn’t be, for example if they’re in breach of the GDPR.
- We often think of the GDPR as a regulation for Europe, but of course, it is extra-territorial.
- The GDPR essentially means that if you’re processing data anywhere in the world, but it belongs to an EU resident, you must comply with the GDPR.
- Screening under the GDPR must still meet other regulation requirements, for example, the Fair Credit Reporting Act (FCRA) in the US.
- There are many regulations around the world that may have an impact on your business. Having a partner that understands that and has embedded them into the process is critical.
Chapter 2 – Background Screening Partners Video
This video is the second of four bite-sized snippets where HireRight’s Steve Girdler and Caroline Smith discuss background screening in the world post-GDPR, in particular, the impact that the GDPR has and will have on the background screening industry.
Background Screening Partners Under the GDPR Transcript
“What are companies looking for from background screening partners when it comes to the GDPR?”
Predominantly, companies are looking for a partner who understands the legislation and has embedded it within the organisation. Now, what does that mean?
- we’ve got robust policies in place
- we manage our vendors and understand what our vendors are doing with data
- we know where data is flowing to
- we’ve done our data maps
- we’ve agreements in place with those customers that set out all of our obligations in respect to the GDPR.
On top of that, customers are really looking for partners that understand that the GDPR, if you use it in the right way, can be a good thing. It can bring screening to a place where candidates are no longer fearful of their backgrounds being checked, enabling candidates to really fully understand what the process is.
So it’s really reassurance and confidence that a company they’re partnering with not only has all the policies and procedures in place, but actually has it at the heart of what they do and are genuinely able to be partners not just with them as organisations, but with their candidates.
Yes, that’s right. One of the biggest changes under the GDPR is that processors have specific obligations, called Article 28 obligations. Talking about partnership, one of those articles under Article 28 talks about a data processor letting a data controller know if they’re doing something they shouldn’t be, for example if they’re in breach of the GDPR.
Now, for us, that means that we have to let our clients know if what they’re asking us to do is not lawful. However, it starts way before we get into the actual process: it starts at the point of sale.
We partner with all of our customers to make sure that they understand:
- the products that are being sold
- the products that are available
- how they can be used in different jurisdictions
- how they should be used in respect to different candidate pools
In this way, we can really support our customers with their GDPR compliance in a way that might not necessarily have been envisaged to start with. It’s certainly not black letter law, but it is that partnership and really helping people unravel what they need to do.
You make a really interesting point there about the global nature of data. We often think of GDPR as a legislation regulation for Europe, but of course, it is extra-territorial. Every country has different laws and regulations, as well as legal structures around what you can and can’t do, and what you can and can’t source for the purposes of recruitment or screening. So being able to understand and have a partner like HireRight that understands what all of those complexities are and feeds that into the process is critical.
The GDPR essentially means that if you’re processing data anywhere in the world, but it belongs to an EU resident, you must comply with the GDPR.
One of the big areas of this partnership for us is where we have customers that are located outside of Europe. That could be in the US, it could be APAC, where actually, you’re hiring expats, people from countries like the UK, France or Germany. Helping those customers understand what their GDPR compliance obligations are and having them embedded within our platforms is really important. It means that you can feel like you’ve got a safe pair of hands making sure that you’re not going to fall foul of those laws because you’re going to have your own local obligations as well.
In the US, for example, we have the Fair Credit Reporting Act (FCRA). You have to comply with that, but as well, you need to make sure that if your candidate is an EU resident, you’re screening them to GDPR standards.
There are so many regulations around the world. Having a partner that understands that and has embedded them into the process is critical.
Upcoming GDPR Blogs/Videos
- Chapter 3 – How do we help businesses with their adherence to the GDPR?
- Chapter 4 – What do you think the future landscape of background screening looks like post-GDPR?
External GDPR Resources
Find out more about the GDPR and what it means for your business on the European Commission’s website.
You can also read more about the GDPR on the Information Commissioner’s Office (ICO) website.
HireRight GDPR Resources
Read more about HireRight’s preparations for the GDPR in our 12-part blog series below.