Written By ESR News Blog Editor Thomas Ahearn
On May 25, 2018, enforcement of the General Data Protection Regulation (GDPR) will begin and the GDPR will become the primary law regulating the protection of personal data of European Union (EU) citizens. U.S. companies need to comply with the GDPR when performing international background screening in the EU in order to avoid stiff penalties of up to four percent of annual global turnover or €20 million Euros (approximately $24 million U.S. Dollars as of April 2018). The EU GDPR Portal is at www.eugdpr.org.
The GDPR – which was approved by the EU Parliament on April 14, 2016 – has been called “the most important data privacy regulation in 20 years.” Some key privacy and data protection requirements of the GDPR include requiring the consent of subjects for data processing, anonymizing collected data to protect privacy, providing data breach notifications, safely handling the transfer of data across borders, and requiring some companies to appoint a Data Protection Officer (DPO) to oversee GDPR compliance.
The GDPR will replace the Data Protection Directive 95/46/ec established in 1995 and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations approach data privacy. A summary of key changes under the GDPR shows the aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
Although key principles of data privacy are similar to the previous directive, changes in the GDPR include increased territorial scope with extended jurisdiction, a maximum penalty for organizations in breach of the GDPR of up to four percent of annual global turnover or €20 million Euros (approximately $24 million U.S. Dollars as of April 2018) – whichever is greater – and a clear and distinguishable request for consent in an intelligible and easily accessible form with the purpose for data processing attached to the consent.
Data subject rights under the GDPR will include a mandatory data breach notification within 72 hours of the discovery of the breach, the right to obtain confirmation if their personal data is being processed, the right to be forgotten (Data Erasure), data portability where a data subject can receive personal data concerning them, privacy by design that calls for the inclusion of data protection from the onset of the designing of systems, and new internal record keeping requirements and potential DPO appointments.
What organizations will the GDPR affect? According to a Frequently Asked Questions (FAQs) page on the EUGDPR.org website: “The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” The final text of the GDPR is here.
The EU is an economic and political partnership between European countries that covers much of the continent of Europe. The 28 member countries of the EU include (in alphabetical order) Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (more information about “Brexit” is here).
The fact that the GDPR will elevate privacy levels for international background checks in the EU and that U.S. companies will need to comply with GDPR rules when screening in EU citizens to avoid stiff penalties is one of the “ESR Top Ten Background Check Trends” for 2018 selected by global background check firm Employment Screening Resources (ESR). ESR founder and CEO Attorney Lester Rosen hosted a webinar entitled “ESR Top Ten Background Check Trends for 2018” that included a brief explanation of the GDPR.
Compliance with EU GDPR will require even greater degree of data and privacy protection from U.S. companies and will enhance the EU-U.S. Privacy Shield Framework officially launched on August 1, 2016. The Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission (EC) to provide companies that transfer personal data from the EU to the U.S. with a mechanism to comply with EU data protection requirements in support of transatlantic commerce.
The Privacy Shield Framework – which replaced the “Safe Harbor” data transfer agreement between the EU and U.S. invalidated by a European Court of Justice ruling on October 6, 2015 – includes seven privacy principles combined with 16 equally binding supplemental principles that explain and augment the first seven principles. The 23 Privacy Shield Principles lay out requirements for the use of personal data received from the EU by participating organizations. To learn more, visit www.privacyshield.gov.
ESR received notification from the U.S. Department of Commerce’s International Trade Administration (ITA) that its annual re-submission for self-certification of adherence to the EU-U.S. Privacy Shield Framework was effective on September 22, 2017. Along with Microsoft and Salesforce, ESR was one of the first Privacy Shield adopters with an original certification date of August 12, 2016. ESR’s self-certification of adherence to the Swiss-U.S. Privacy Shield Framework was effective on March 5, 2018.
ESR Can Help Employers Comply with GDPR when Screening
Employment Screening Resources (ESR) – a leading global background check firm – has international screening capabilities in more than 240 countries and territories. ESR is executing its EU GDPR Preparedness Plan in order to have required policies, processes, procedures, and technologies in place in advance of the enforcement date of May 25, 2018. To learn more, visit the ESR Global Solutions page at www.esrcheck.com/Background-Checks/ESR-Global-Solutions/.
NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.
© 2018 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.
The post Enforcement of European Union (EU) General Data Protection Regulation (GDPR) Begins May 25 appeared first on Employment Screening Resources.