GDPR Compliance in the Background Screening Process

The General Data Protection Regulation (GDPR) will become enforceable on May 25, 2018.  Will your pre and post-employment background screening processes be GDPR compliant?

Join Cisive for a live webinar, “GDPR Compliance in the Background Screening Process” on Thursday, March 15 @ 1:00 pm EST.

Rob Jones, General Manager, Global Operations in London, will discuss the different areas of recruiting and hiring that GDPR impacts including background screening, candidate experience and sourcing.  He will also touch on compliance requirements for the extended Senior Manager’s Regime (SMR).

Both of these regulations will place additional burdens on employers and significantly increase the importance of compliance.

Don’t miss the exclusive event on GDPR compliance! Cisive can help you efficiently and effectively apply the new regulations.

Register today!

Robert Jones, VP and General Manager, Global Operations
Rob Jones joined Cisive in 2017 and leads their global operations and executive intelligence division from their London office. Prior to joining Cisive, Rob held a leadership position with a specialist global risk management consultancy. In this role, he developed and implemented risk assessment, due diligence, and compliance programs for Fortune 100 corporations operating internationally.

Rob Jones
VP and General Manager
Global Executive Intelligence Division

General Data Protection Regulation (GDPR) Compliance in Your Background Screening Process

GDPR ComplianceWhen it goes into effect on May 25, 2018, the EU’s General Data Protection Regulation (GDPR) will enforce a set of laws designed to protect European citizens’ personal data. It will affect all companies that deal with personal data — and even non-EU-based companies will still have to comply. GDPR will impact not just companies who are hiring in the EU but also those that are employing citizens of the EU who live in different areas of the world.

What is GDPR Really About?

So what exactly is GDPR about? It was designed as a replacement for the current Data Protection Directive 95/46/EC with the purpose of reconciling country-specific and sometimes conflicting European data privacy laws. Most importantly, it aims at changing the way organizations operating in the EU, or those collecting personal data from the EU’s citizens, approach data privacy. It also provides a harmonization of the data protection regulations throughout the EU, thereby (in theory) making it easier for American companies to comply.

Under GDPR it will be unlawful to use an EU citizen’s data without his or her explicit consent. This citizen data includes consumer information and more importantly, for talent acquisition leaders, candidate information. GDPR fundamentally changes the way recruiting teams can engage candidates who are citizens of EU countries in the areas of resume and application storage, candidate data collection, employment branding activities, and candidate sourcing strategies.

How GDPR Will Impact the Hiring Process

Recruiters will no longer be able to send emails to users who have not opted into their mailing list. Additionally, recruiters and HR staff must be aware of who is currently in their database. This means you may wish to consider grouping candidates in the EU into a different category than candidates elsewhere (who are not impacted by GDPR). You must obtain affirmative consent before collecting or sharing candidate data.

From the application process to background screening, companies recruiting or employing EU citizens must adhere to strict new regulations. Under GDPR, you are required to ask for explicit consent, clarify how you will use individual candidate’s data, and make sure that the data remains secure. This involves more than simply adding a clarification and a checkbox to data collection forms. Your vendors – such as your ATS, payroll, and recruiting software, must be GDPR compliant.

How to Ensure Vendor Compliance 

The impact of GDPR is broad, but it focuses on data collection. You’re likely using an ATS or other recruiting software, along with vendors that run background checks or candidate screens. It’s imperative that your vendors are aware of the GDPR constraints and fully compliant. Here are seven questions to ask your vendors:

(1) Do you have a clear privacy policy?

Even if you currently have one in place, companies will need to write a clear privacy policy that consumers will actually be able to read and understand. In that policy, companies must clearly indicate what personal information is being requested or collected. Candidates or applicants have to be given a choice of whether or not to provide their data and any data that is collected needs to be clearly marked for the specific purpose for which it was collected. NOTE: Any data that is collected for a stated purpose can only be used for that purpose and for which consent was obtained. This means that data collected for a job application can be used for background checks only if the applicant gives explicit consent.

(2) Do you have GDPR compliance for applications around the world or will you have separate policies for each country?

Your ATS and any other software you’re using to hold data will need to be GDPR compliant. If your ATS and other vendors are on their game, they’re already working on compliance or have compliance for GDPR in place.

(3) Opt-out or opt-in?

Most U.S. companies currently use an opt-out policy when collecting and sharing consumer data. The opt-out model requires consumers to specifically ask data collectors and aggregators not to share their data with third parties. Otherwise, consent is assumed by default. The GDPR will require organizations to do just the opposite. You must obtain affirmative consent before collecting or sharing candidate data. Make sure your vendor is prepared for this change.

(4) How will you handle “Right to Erasure” 

Under the GDPR, candidates must be able to access and review their data anytime they like, ask for updates of their data, and even allow for full deletion upon request. Candidates will have the “right to be forgotten or right to erasure,” meaning that candidates can request for their data to be erased when it is no longer necessary for the original purpose.

This impacts your ATS and the hiring process because applicants can apply for a position, get rejected, then request their right to erasure. A few months later, the same job seeker could apply again, but you won’t know it because your ATS won’t show it. No data, no notes from previous interviews, no data on the job seeker at all. And not only will you have to remove data by request from your ATS, it also must be removed from the sourcing tools your ATS uses. The same goes for any data collected for the purpose of a background screen.

(5) What is your Breach Notification policy?

GDPR requires companies to inform consumers about data breaches impacting their personal information. While that requirement is not particularly new for American companies—most states mandate it currently—the breach reporting requirements under GDPR are strenuous. Notification must be made within 72 hours from the time the breach is discovered.

(6) Are you prepared for GDPR Reporting Requirements?

Under Section 3, Article 35 of the GDPR, a Data Protection Impact Assessment (“DPIA”, which is also commonly known as a Privacy Impact Assessment or “PIA”) is required for any processing that may result in “high risk.”  The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA. While official public lists from the Data Protection Authorities (“DPAs”) are forthcoming, your company and its vendors should begin identifying areas of high risk, such as data processing, email triggers, data collection, and portability of data (when erasure is requested).

(7) What is your company’s liability for failure to comply?

GDPR fundamentally changes the way recruiting teams engage candidates who are citizens of EU countries in the areas of resume and application storage, candidate data collection for background checks, employment branding, and candidate sourcing. Compliance is mandatory for all organizations that are processing the personal data of EU residents across the globe. Failing to comply could result in severe penalties of up to 4 percent of worldwide revenue of the prior financial year or €20 million euros, whichever is greater. If your vendor software isn’t compliant, who is responsible for penalties?

Compliance is as important to your vendors business as it is to yours. If you’re not sure, use the list above as a starting point for ensuring your vendors are compliant so that you’re not scrambling to do so in May.

When it comes to pre-employment and post-employment background screening, Cisive is prepared for the GDPR.  To learn more about Cisive’s commitment to GDPR compliance, contact us at 1-866-557-5984 or email

Rob Jones
VP and General Manager
Global Executive Intelligence Division

A Side-By-Side Comparison of Privacy Shield and Safe Harbor

  As you may know, the EU Safe Harbor was invalidated and the U.S. Department of Commerce and the EU have been working to develop a replacement program which would allow for the trans-border flow of personal data between the U.S. and the EU member states.

On July 12, 2016, they successfully passed the new program called the EU-U.S. Privacy Shield, which goes into effective on August 1st.

According to the EU-U.S. Privacy Shield Fact Sheet, the framework was designed to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the U.S. in support of transatlantic commerce. It also imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbor framework invalid.

The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities.  It includes, for the first time, written commitments and assurance regarding access to data by public authorities.

In order to best understand the difference between the old and new framework, Bryan Cave LLP, a global law firm that serves clients in key business and financial markets, has prepared a side-by-side comparison of the invalidated Safe Harbor and the new Privacy Shield. The key areas covered in the comparison are:

  • Privacy policy
  • Onward transfers to controllers
  • Onward transfers to service providers/sub processing
  • Security
  • Data integrity
  • Access
  • Data subject’s enforcement ability
  • Contracting party oversight
  • Regulatory oversight
  • Regulatory liability
  • Implementation
  • Costs

To view the full comparison, click here.

What you need to know about the new EU-U.S. Agreement for Transatlantic Data Flows: Privacy Shield

On February 2, 2016, the European Commission (EC) and United States Department of Commerce agreed on a new framework for the transfer of personal data from the European Union (EU) to the United States.  This new framework, named the EU-U.S. Privacy Shield, replaces the EU-U.S. Safe Harbor Framework that was invalidated by the European Court of Justice on October 6, 2015.   Key provisions of the Privacy Shield Framework are as follows:

  • Strong Obligations and Robust Enforcement: U.S. companies that commit to the Privacy Shield must commit to “robust obligations” on personal data collection and processing and guarantee individual rights.  These commitments will be published and enforced by the Federal Trade Commission (FTC).
  • Clear Safeguards and Transparency Obligations: The U.S. government has provided written assurances regarding protections from indiscriminate mass intelligence surveillance on the personal data transferred to the United States.  Additionally, any access to data must be necessary and proportionate to the need for such access.
  • Annual Joint Review: The EC and the Department of Commerce will conduct an annual review to monitor the functioning of the Privacy Shield.
  • Effective Protection of EU Citizens’ Rights: U.S. companies will have deadlines to reply to any complaints and European DPAs can refer complaints to the U.S. Department of Commerce and the FTC.  To address complaints of access by national intelligence authorities, the U.S. agreed to establish an ombudsperson position.  To ensure redress in U.S. courts, a recently passed Judicial Redress Act has been sent to the president for his signature that would allow EU citizens to sue the U.S. government as a final resort for an alleged privacy violation.

What Happens Next?

The EC will draft an adequacy decision and will then send the decision to the Article 29 Working Party (WP29) for consideration.  The College of EU Commissioners will then need to adopt it, taking into consideration the opinion of the WP29 and consulting with a committee composed of representatives of the member states.  On the US side, the Judicial Redress Act needs to be signed by the president and an ombudsperson needs to be appointed.  All of this will likely take months.  In the meantime, it is the understanding of the Department of Commerce (DOC) that EU Data Privacy Authorities (DPAs) will suspend enforcement for Safe Harbor compliant companies until all the details are resolved and published.  The DOC recommends that currently Safe Harbor certified companies maintain their certification, renewing if necessary, until the final guidelines are published.  The DOC expects to send an email to all the currently certified Safe Harbor companies with detailed guidance about how the privacy policies need to be revised and how a company certifies EU-U.S. Privacy Shield compliant.  Those details are expected to be released the first week of March 2016.


On February 2nd, European Union (EU) Commission officials Andrus Ansip and Vera Jourova announced that the European Commission and the U.S. Department of Commerce have reached a new transatlantic data transfer agreement between the EU and the United States.

In October 2015, the European Court of Justice invalidated the Safe Harbor pact between the EU and the U.S., ruling that the U.S. did not adequately safeguard the data of EU citizens (previously reported). In his announcement of the agreement, Ansip said, “The EU and U.S. are the closest allies, and on a topic as important as this, we had to find common solutions. I believe this new arrangement… is what Europe needs. Both our citizens and our businesses will benefit from this.” Ansip also indicated that the new agreement, known as the “EU-U.S. Privacy Shield,” addresses the EU’s concerns about U.S. intelligence surveillance of European data, a major point of contention during the negotiations.

According to Ansip, “The U.S. has clarified that they do not carry out indiscriminate surveillance of Europeans.” However, the agreement does allow for a “national security exception” for surveillance .

Other provisions of Privacy Shield include a “redress scheme” that allows EU citizens who believe their data has been misused to seek redress with the Department of Commerce and the Federal Trade Commission, as well as the creation of an ombudsman within the State Department who will address complaints related to intelligence surveillance.

 Jourova announced that the agreement also includes an annual review process to allow “real-time adjustments” to Privacy Shield. The deal must now be approved by the 28 EU member states and the European Parliament, a process which could take three months.



EU Privacy Law Update

On December 15th, European Union (EU) officials reached an agreement on an EU-wide data privacy law that will supplant the existing 28 national laws. After nearly four years of negotiations and lobbying, the text of the proposed law has been finalized and will take effect two years after it is formally adopted by the European Parliament and EU governments. According to Vera Jourova, the EU Commissioner for Justice, Consumers, and Gender Equality, “Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market.”

One of the most notable provisions of the law will subject multinational companies to fines of up to 4 percent of their annual global revenue for violations. According to The Wall Street Journal, the law will “tightly restrict how analytics and advertising companies can re-use data harvested from individuals, for example after they purchased a product or signed up for a service.”

While the agreement has been praised by privacy advocates as a model for the rest of the world, technology executives have expressed concern that the law will stifle innovation and burden their business operations in Europe.

On the other hand, EU officials maintain that the new law will give companies “legal certainty by creating one common data protection standard.”

European Privacy Group Gives U.S. and EU a Deadline for New Safe Harbor Agreement

Safe Harbor logo  The European Court of Justice invalidated the Safe Harbor agreement that let American companies store the personal data of European citizens outside the EU. The agreement, as it stood, was binding on the activities of companies but imposed no restraints on the behavior of U.S. law enforcers or intelligence agencies.


The Article 29 Working Party (WP) watchdog group has since given the U.S. and the European Commission until January 2016 to negotiate a new agreement that will protect the personal data of European citizens, in a way which is compatible with EU law. The two sides have been notified that if they cannot come up with an agreement by then, the EU data protection authorities will take “necessary and appropriate actions” against U.S. companies that store personal data outside of European jurisdiction.


The ruling was triggered by a case brought by Austrian privacy activist Max Schrems following his unsuccessful attempt to get European privacy regulators to stop Facebook from moving its users’ data to the U.S.  Schrems argued that the data would be subject to mass surveillance under the National Security Agency’s PRISM program as revealed by Edward Snowden.  In the wake of Snowden’s revelations, the Commission had already begun negotiating with the U.S. to provide sufficient protection, which could form the basis of a new agreement.


According to the WP, U.S. companies still relying on the old Safe Harbor agreement are not acting lawfully and should consider alternative steps available regarding their data transfer options.