Information security, risk and compliance are in focus and one of the core issues for many companies. For obvious reasons it has been early recognized that people are one of the key factors and often times the weakest link in organizational security. From this point of view, it was natural to conclude that by knowing more about your employees and future employees you mitigate, to a degree, risks arising from internal threats, and you are employing people with proven records and sufficient level of integrity and trustworthiness.

Over time, this has become one of the security controls and something expected by your business partners and clients when analyzing your security or defining security requirements for potential vendors. Initially, minimizing the collection of personal data was not considered a key factor in this process, and there was little research on effectiveness of the different techniques, methods and types of information being utilized.

What is the GDPR perspective and what are the key issues?

Obviously, as with any other data processing activity, it is with the Article 5 principles that everything starts.

It means, in practice, that any business needs to collect and process personal data, must be clearly defined, assessed and evaluated in the light of rights and freedoms of the data subjects. Based on that, the process is drafted, defined and adjusted beginning with data minimization and purpose limitation and then with fairness and lawfulness (before applying the rest of principles).

While the GDPR itself is sometimes very general, it often requires much granularity once it is being used in practice. 

Not surprisingly, the guidelines available from the European Data Protection Board and from individual data protection authorities do not offer any simple solutions to what might be a difficult balance to strike between right to privacy and business needs. And sometimes, they avoid some topics altogether.

Opinion 2/2017 on data processing at work, adopted in June 2017 by the Article 29 Data Protection Working Party, was still more or less clear in highlighting the limitations for using publicly available data, including from social media, considering what might be work-related and expected to be in scope of interest of potential employers by the candidates themselves, as well as about necessity to provide clear information to the candidates in advance and to observe retention periods.

The GDPR itself is also very definite in setting up high thresholds for processing of special categories of data and data related to criminal convictions and offenses. However, there would be many situations in which member state laws provide various exemptions to these rules.

Even though most of the GDPR would be one way or the other relevant to the background check process — including provisions on transfers, data subject rights and many more — it is with the GDPR principles and their relationship to local laws and regulations that the most dos and don'ts can be drafted.

The main dos and don'ts

The proportionality and relevance mean, first of all, that it is very important to have sufficient research on specific techniques, methods and types of information being used and what the business benefits would be. It is with such benefits only that the balance between the privacy risks and legitimate needs of the company can be reached.

As this will change depending on industry, types of activities, region and position (or categories of positions), so does the justification and necessity for verifying certain types of information and personal qualities.

When assessing what is fair and lawful, keep in mind local rules and regulations, including non-privacy laws, such as labor codes, as well as local traditions and data subject expectations, which make this process very country-specific.

For processing of special categories of data and data about criminal convictions and offenses, it would be a fair assumption to say that legal obligations under local laws (applicable usually for certain positions only, e.g., for teachers or some employees in financial sector) should be considered as a legal basis, whereas legitimate interests would be your legal basis in most other situations.

There is a general consensus that the candidate/future employee should be your first and primary point of contact for obtaining necessary documents and clarifications. Specific authorization from the data subject herself, which is not be interpreted necessarily as the GDPR consent, would be required for other institutions or companies to release or confirm any facts or opinions, except when they would only need to attest the veracity of the documents they have issued themselves before. 

Showcasing the documents would be a preferred and most privacy-friendly method to be used whenever there is no clear legal requirement or mandate for an employer to archive and store specific documents or their copies in its files.

In collecting the data, consider the guidelines and limitations for collecting employee data in general, such as from the European Data Protection Board and previously from the WP29, as well as from the data protection authorities.

Once you have a strong business case to go after the data you need, carefully assess the necessity to involve external vendors and what would be the relationship, especially with regard to controller-to-controller and controller-to-processor setup, as this will have some very important consequences.

Clearly defined retention periods would normally need to distinguish between the data to be deleted immediately after the process is finalized, such as any ancillary documents or information types, data to be archived based on strict legal obligations and any other types of data, like confirmation of the process or final report, which might need to be stored for yet another period of time (considering that there might be local rules or guidelines from the respective authorities which do provide specific terms for data to be deleted).

Except for the usual GDPR requirements, such as sufficient transparency and information, observing data subject rights, etcetera, the background check process has some of its own challenges and specific considerations. It's much more reliant on local laws and expectations than the recruitment process in general, and much more legal analysis would be needed. Starting with the GDPR principles and building a strong case for your data needs, based on verified research and type of position and industry, allows you to develop the core process before country customization is applied. With all this in place, confidence and business alignment are possible.