New Data Protection Regulations for European Union will Elevate Privacy Rules for International Screening in 2018

ESR-Top-Ten-Background-Check-Trends-2018-Trend4

Written By ESR News Blog Editor Thomas Ahearn

On May 25, 2018, the General Data Protection Regulation (GDPR) will take effect as the primary law regulating how companies protect the personal data of citizens in the European Union (EU). The need for U.S. companies to comply with GDPR privacy rules when performing international background screening in the EU in order to avoid stiff penalties is trend number 4 of the “ESR Top Ten Background Check Trends” for 2018 selected by global background check firm Employment Screening Resources (ESR).

The GDPR – which was approved by the EU Parliament on April 14, 2016 – has been called “the most important data privacy regulation in 20 years.” Some key privacy and data protection requirements of the GDPR include requiring the consent of subjects for data processing, anonymizing collected data to protect privacy, providing data breach notifications, safely handling the transfer of data across borders, and requiring some companies to appoint a Data Protection Officer (DPO) to oversee GDPR compliance.

The GDPR will replace the Data Protection Directive 95/46/ec established in 1995 and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations approach data privacy. A summary of key changes under the GDPR shows the aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.

Although key principles of data privacy are similar to the previous directive, many changes in the GDPR include increased territorial scope with extended jurisdiction, an maximum penalty for organizations in breach of the GDPR of up to four percent of annual global turnover or €20 million Euros (currently $23.6 million U.S. Dollars) – whichever is greater – and a clear and distinguishable request for consent in an intelligible and easily accessible form with the purpose for data processing attached to the consent.

Data subject rights under the GDPR will include a mandatory data breach notification within 72 hours of the discovery of the breach, the right to obtain confirmation if their personal data is being processed, the right to be forgotten (Data Erasure), data portability where a data subject can receive personal data concerning them, privacy by design that calls for the inclusion of data protection from the onset of the designing of systems, and new internal record keeping requirements and potential DPO appointments.

Research and advisory company Gartner predicts more than 50 percent of companies affected by the GDPR will not be in full compliance by the end of 2018. Gartner recommends organizations focus on five high-priority changes to help them to get up to speed with GDPR requirements: 1) Determine Role Under the GDPR; 2) Appoint a Data Protection Officer; 3) Demonstrate Accountability in All Processing Activities; 4) Check Cross-Border Data Flows; and 5) Prepare for Data Subjects Exercising Their Rights.

What organizations will the GDPR affect? According to a Frequently Asked Questions (FAQs) page on the EUGDPR.org website: “The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

The EU is an economic and political partnership between European countries that covers much of the continent of Europe. As of December 2017, the 28 member countries of the EU include (in alphabetical order) Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (More information on Brexit).

Compliance with EU GDPR will require even greater degree of data and privacy protection from U.S. companies and will enhance the EU-U.S. Privacy Shield Framework officially launched on August 1, 2016. The Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission (EC) to provide companies that transfer personal data from the EU to the U.S. with a mechanism to comply with EU data protection requirements in support of transatlantic commerce.

The EU-U.S. Privacy Shield Framework – which replaced the “Safe Harbor” data transfer agreement between the EU and U.S. invalidated by a European Court of Justice ruling on October 6, 2015 – includes seven commonly recognized privacy principles combined with 16 equally binding supplemental principles that explain and augment the first seven principles. The 23 Privacy Shield Principles lay out requirements for the use of personal data received from the EU by participating organizations.

In September of 2017, three companies agreed to settle Federal Trade Commission (FTC) charges that they misled consumers about their participation in the EU-U.S. Privacy Shield Framework. The actions against the three companies are the first cases the FTC brought to enforce the Privacy Shield framework. Companies joining Privacy Shield are subject to the jurisdiction of the FTC or the U.S. Department of Transportation (DOT), and must certify their compliance to the U.S. Department of Commerce.

On October 18, 2017, the EC published its report on the first annual review of the EU- U.S. Privacy Shield. The report found that the Privacy Shield ensured an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S. but also suggested a number of recommendations to ensure the continued successful functioning of the Privacy Shield. Over 2,400 companies have been certified for the EU- U.S. Privacy Shield Framework since it was launched.

Employment Screening Resources (ESR) has received notification from the U.S. Department of Commerce’s International Trade Administration (ITA) that its annual submission for self-certification of adherence to the EU-U.S. Privacy Shield Framework was finalized and effective as of September 22, 2017. Along with Microsoft and Salesforce, ESR was one of the first Privacy Shield adopters with an original certification date of August 12, 2016. The ESR page on the list of companies adopting the Privacy Shield is here.

Employment Screening Resources (ESR) – a leading global background check firm headquartered in the San Francisco, California area – will release the 11th annual “ESR Top Ten Background Check Trends” of 2018 via the ESR News Blog during December of 2017. The complete list of emerging and influential trends in the background screening industry for the coming year as chosen by ESR will be available in January of 2018 on the ESR website at http://www.esrcheck.com/Tools-Resources/ESR-Top-Ten-Background-Check-Trends/.

ESR Webinar on Top Ten Background Check Trends for 2018

Employment Screening Resources (ESR) founder and CEO Attorney Lester Rosen will host a live webinar entitled “ESR Top Ten Background Check Trends for 2018” that will take place on Wednesday, January 17, 2018, from 11:00 AM to 12:00 PM Noon Pacific Time. To register for the complimentary webinar from ESR, which will acquaint employers and Human Resources (HR) professionals with emerging and influential trends in the background screening industry, please visit https://attendee.gotowebinar.com/register/6841084769383752449.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2017 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.