A-Check Global and GDPR

What is GDPR?

For companies—including A-Check—who conduct international research using personal data, it’s critical to both understand and comply with regional legislative regulations. Even though we reside in the United States, we do business in compliance with evolving international data regulations.

GDPR, the European Union’s General Data Protection Regulation, takes effect May 25, 2018, and is designed to strengthen data protection in the European Union (EU) by regulating the collection, use, and processing of personal information for citizens of the EU. This new law expands its impact and scope to now include:

  • EU companies that process personal data
  • Non-EU companies offering services to EU individuals
  • Non-EU companies researching EU individuals in the EU (A-Check Global background screening, for example)

Personal Data includes any information relating to an identified person. For A-Check, this includes information like name, address, date of birth, and other data regularly collected during the background screening process.

A-Check Global’s focus on meeting upcoming GDPR requirements

The GDPR sets a number of rules into place for:

  • Data Controllers: entities that collect data directly from an individual
  • Data Processors: entities that process data on behalf of a Data Controller

As both a controller and processor, here’s how we will meet requirements of the regulation:

  • Responsibility and Accountability – We will inform data subjects (EU Individuals) exactly who is responsible for their data, and provide adequate levels of data protection for all information we maintain.
  • Lawful Basis for Processing – A-Check will obtain consent to process from the data subject, provide an explicit purpose for collecting their information (background screening), and allow them to withdraw consent at any time.
  • Data Protection Officer – A-Check has internal resources assigned to GDPR efforts and ongoing compliance.
  • Anonymization – A-Check encrypts personal data to ensure information cannot be tied back to the data subject without authorization.
  • Data Breach Notification – While a number of security measures are in place, and we do not anticipate an information breach, A-Check has policies and procedures to notify the GDPR Supervisory Authority within 72 hours of a known data breach. Procedures are also in place to notify affected data subject(s).
  • Right of Access – A-Check allows applicants to request a copy of their report, and to be provided detailed information regarding the reasons we are collecting each piece of data we request.
  • Right to Erasure – Data subjects will have the right to request that any personal data stored by a controller be deleted.

 

Will A-Check Global be GDPR certified?

GDPR is not a certification program, so A-Check Global will not maintain any sort of GDPR Certification. GDPR is a law, and similar to how we are FCRA compliant in the United States, we maintain compliance with the GDPR.

We do hold a Privacy Shield certification, which demonstrates to EU entities that our data security processes and commitment to data transfer protection meet EU standards. We invite you to visit us online to learn more about Privacy Shield.

Questions?

If you have questions about the information contained in this document, please feel free to reach out to our compliance team: compliancedept@acheckglobal.com.

 

Background Checks, Part One: The Law, Best Practices, and Your Organization

Best Practices

When performing pre-employment background screens, there are a growing number of related laws that companies must comply with. So many, in fact, that we’ve decided to dedicate this topic to a three-part blog series. We’re here to help keep you as compliant as possible.

Your First Focus—Implementing a Lawful Background Screening Policy

A background screening policy should be tailored to the unique needs of your company, and detail what background checks your company will run (e.g., criminal, credit, employment verification, education verification, driving records, etc.). Specific types of checks should be based on the relevant position, the relatedness of the check to the person’s ability to perform that job, and applicable legal limitations.

Obtaining criminal records is a great example to discuss further. When asking about or considering criminal records, the greatest pitfall to avoid is having a blanket policy automatically prohibiting your company from hiring an individual convicted of any offense at any time. In fact, some jurisdictions make such bright-line disqualification standards unlawful. Employers should consider the following factors when determining whether or not an exclusion is job-related:

  • The nature and gravity of the offense
  • The nature of the job
  • The time elapsed since the conviction or the completion of a sentence

In fact, there are many states and local jurisdictions that have addressed this very issue, and now require an employer to determine and exhibit whether or not the screening decision is a job-related exclusion.

What about arrest-related inquiries? Employers should not ask about non-pending arrest records. If a candidate has an arrest pending, an employer may ask the candidate about the underlying conduct that led to the arrest and then assess accordingly. In some states, even asking about pending arrests is risky (e.g. California and Illinois). If a charge has been dismissed, however, it is risky to give any weight to that case and is unlawful to do so in some jurisdictions. Similarly, if a case has a deferred adjudication, or adjudication withheld, and the candidate has completed the terms of any condition placed by the court, companies should avoid taking any adverse action.

When to ask about criminal history: Your company should determine when to ask a candidate about his or her criminal background. Certain state and local “Ban the Box” laws prohibit including the question on an application, and the later in the hiring process your company asks the question, the less likely that the EEOC would be successful in pursuing a civil rights violation under Title VII. (Read our blog, “A Fair Chance for Applicants - The Rise of Ban the Box Legislation,” to learn more.)

Conduct an individualized assessment: Companies should allow candidates an “opportunity to be heard” to establish why their background should not bar their employment. The person(s) who conduct this assessment should be familiar with Title VII, EEOC guidance, FCRA, and any state or local employment laws.

Should you conduct a credit-related background check? Currently there is no EEOC guidance on how to properly conduct a credit-related background check. However, a company should consider conducting a similar analysis as that performed regarding criminal histories—analyzing the nature of the job, the nature of the negative information, and the time elapsed since the negative information arose, to determine whether a hiring prohibition is job-related.

Mention the Fair Credit Reporting Act and how you comply: Your company policy should mention that you are familiar with the FCRA and outline how you comply.

Stay tuned for part two of this blog series to learn more about background screening best practices.

Reference

Devata, P. & Mora, J. (2018) Background Checks: A Primer for Staffing Firms on Complying With Federal, State, and Local Laws. [Issue Paper]. American Staffing Association