All of a sudden, there seems to be a lot of interest in the GDPR—that is, the General Data Protection Regulation—the upcoming European Union data protection update. The due date is May 25, 2018. I see websites with countdown clocks.
Some people have asked me what they need to do in order to be complaint with the GDPR. What are the one or two things that need to be completed? The GDPR is something I have followed, studied, and prepared for for years. Trying to come up with the one or two mythical things a screening company needs to do in order to meet this monumental requirement is a bit daunting. But I’ll have a go at it.
- Read the GDPR—in its entirety. It’s pretty interesting, and you can choose among many different languages. The PDF is only 88 pages long. Here’s the website. Be sure to read the Recitals, as they will give the context for the Articles and also provide guidance on what is expected.
- Meet the GDPR requirements as stated.
Ok. Two points and we’re done. That was simple.
Of course, I realize it’s not that simple. Comparing when I first started studying the GDPR to now, I know and understand so much more about the requirements. And there are so many nuances to deal with. Here are my suggestions for starting points.
- Appoint someone for GDPR compliance. Give them the work time to devote to learning about it and coming up with compliance solutions for your company. Be prepared to give them a lot of uninterrupted quiet time and let it be their priority. This is not a half-day project; this is a half year project, if not longer.
- Determine for what functions you are a Controller and what functions you are a Processor. There are many good summaries on the Internet on GDPR. Most of them focus on the requirements of the “Controller”. The Controller is the entity that determines the processing and bears a good portion of the responsibility. Many background screeners try to stay in the role of the “Processor”. The Processor is the entity that takes direction from the Controller. The Processor has obligations under the GDPR, but they are different than those of the Controller. Many companies are both. For example, if you provide background screening data, you may be a Processor in that role. But in your accounting, customer service, or marketing roles for clients in the EU, you may be a Controller.
- Make changes to your Service Agreements with your clients and vendors. Article 28 of the GDPR lists the contractual requirements. It’s not too soon to get those out; you know how long it takes to get signed contracts back. If you are a service provider, be prepared for your clients to send you updated contracts.
- You may need to update your Privacy Notice.
- Complete the Records of Business Processing (Article 30). Different information is required from Processor functions than from Controller functions, so you may need to complete two different versions.
- Document your compliance.
- Train your staff (and document that).
There are exemptions for some requirements and only your company would know if you meet them.
Also make sure you are compliant with the international data transfer requirements.
Kevin Coy (AGG) and I gave a presentation on GDPR readiness at last year’s Professional Background Screening Association (PBSA, formerly NAPBS) Annual Conference. You can download the notes from the presentation (fully written out) from the Resources page of the NAPBS website. On the Resources tab, search under Conference Presentations. It is called “GDPR: Steps to Meet Key Requirements”. You can also search the title in the main search box on the website. It will give you the outline of the key areas that may pertain to you and what needs to be done.
|Kerstin Bagus – Director, Global Initiatives
Kerstin Bagus supports ClearStar’s Global Screening Program as its Director of Global Initiatives. She has more than 30 years of background screening industry experience, working for a variety of firms, large and small. Kerstin is one of the few individuals in the industry who is privacy-certified through the International Association of Privacy Professionals (IAPP) for Canada, the EU, and the U.S.
Kerstin is a passionate participant in the Professional Background Screening Association (PBSA, formerly NAPBS) and is a current member of the Board, in addition to participating on several committees. She also participates on IFDAT’s Legal Committee, with a primary focus on global data privacy.
At ClearStar, we are committed to your success. An important part of your employment screening program involves compliance with various laws and regulations, which is why we are providing information regarding screening requirements in certain countries, region, etc. While we are happy to provide you with this information, it is your responsibility to comply with applicable laws and to understand how such information pertains to your employment screening program. The foregoing information is not offered as legal advice but is instead offered for informational purposes. ClearStar is not a law firm and does not offer legal advice and this communication does not form an attorney client relationship. The foregoing information is therefore not intended as a substitute for the legal advice of a lawyer knowledgeable of the user’s individual circumstances or to provide legal advice. ClearStar makes no assurances regarding the accuracy, completeness, or utility of the information contained in this publication. Legislative, regulatory and case law developments regularly impact on general research and this area is evolving rapidly. ClearStar expressly disclaim any warranties or responsibility or damages associated with or arising out of the information provided herein.