What is the General Data Protection Regulation (GDPR)?
The GDPR is a new regulation governing the protection of personal data belonging to EU citizens, and it takes effect on May 25th 2018. The GDPR replaces the Data Protection Directive and expands personal data protection for EU citizens worldwide.
What is considered “personal data” by the GDPR?
Personal data is loosely defined as any information relating to an identifiable person, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
What factors constitute compliance with GDPR for a Consumer Reporting Agency (background screening provider)?
- A lawful basis for processing (Employment Screening, Tenant Screening, Due Diligence):
  - Contract
  - Legal obligation
  - The vital interest of the data subject
  - Public interest
- Consent (Authorization and Disclosure) must:
  - Be clear as to what the consent allows, i.e. the purpose for which the data is collected.
  - Be optional, with no detriment for declining.
  - Be transparent about what data is collected, and no more data than needed may be collected.
  - State the rights of the data subject, including the right to obtain a copy of the report and to correct inaccuracies.
  - Include the right to lodge a complaint with the supervisory authority.
  - Be revocable at any time, where relevant.
- Appointment of a Data Protection Officer:
  - A designated DPO will be appointed to oversee compliance with the GDPR.
- Breach Notifications:
  - Notification of a sensitive data breach must occur within 72 hours. The notice must be sent to the data subjects affected by the compromised data.
- Data Erasure and Portability:
  - Data subjects have the right to request that their data be removed from our system, provided this does not conflict with the requirements of the Fair Credit Reporting Act.
  - US laws supersede user requests at this time. (This is an area that will be subject to interpretation over time, and we will continue to monitor any developments.)
- Documentation must be created and maintained regarding:
  - Data protection policies
  - Breaches that occur, as well as investigations into their cause, extent, and response
- Data Security Obligations (Privacy Impact Assessments):
  - Security measures must be adequate to offset the risk of a data breach.
Is SafeScreener affected by the GDPR?
Yes. When our clients employ citizens of the EU, we are required to follow the regulations set forth by the GDPR.
Is SafeScreener able to comply with GDPR?
Yes. While the GDPR will almost certainly adopt more specific guidelines and auditing methods over time, SafeScreener has actively researched the GDPR and the scenarios that could affect our processes when dealing with the data of EU citizens. We have found that our current processes do not violate the GDPR; however, we are actively working to stay ahead of the curve by implementing additional procedures and documentation specifically focused on the GDPR.