On May 25th, the EU’s new General Data Protection Regulation (GDPR) will go into effect, and any company working with the data of an EU citizen will need to be in compliance, including consumer reporting agencies that perform background checks on EU citizens.
If you qualify under this rule, there are four areas where these new regulations may touch on your processes, so review the following information to make sure you’re prepared. You should also consult with your legal counsel to find out what other implications there are for your organization and what actions you may need to take.
Disclosure forms and opt outs
Consent must be given in an intelligible and easily accessible form, with the purpose for the data processing attached to the consent.
Make sure consent in your forms is:
- Not assumed from inaction
- Not forced
- Easy to understand
The data subject must also have the right to withdraw consent at any time and be informed of this right. It should be as easy to withdraw consent as it is to give it.
Similar to the FCRA, your disclosures should cover the following information:
- Identity and contact details of the controller and, where applicable, the controller’s representative and the data protection officer
- Purpose of the processing and the legal basis for the processing
- The legitimate interests of the controller or third party, where applicable
- Categories of personal data being checked (be specific)
- Retention period or criteria used to determine the retention period (defined with your end-user)
- The existence of each of the data subject’s rights, including the right to a copy of the report and the right to correct inaccuracies
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority
TazWorks builds the ability to decline consent directly into our products. You should also talk with your clients about an opt-out policy and process, and consult with your legal counsel about any additional actions you should take or specific wording to include in your forms.
Data breaches
The definition of a data breach varies by state in the US but is generally defined as exposure of personal data, and the requirements for action can vary as well.
The GDPR broadens this scope to include notifying users within 72 hours of any accidental or unlawful destruction, loss, alteration or unauthorized disclosure of personal data.
Data erasure and portability
Data subjects have the right to request that their data be removed from your system, but this cannot conflict with your FCRA requirements, and US laws supersede user requests. This is an area that will be subject to interpretation over time, and we will continue to monitor how it evolves.
Follow your data retention policies, and work directly with your clients and legal counsel as needed.
Privacy impact assessments
Privacy impact assessments, or PIAs, are required under GDPR, and they are an organizational best practice anyway. When was the last time you conducted a risk assessment of how your employees process reports, how companies send you data, or how you communicate internally and externally about a subject’s data?
Written policies and procedures can help you identify potential problems, create awareness at your company, and comply with GDPR.
As with any compliance matter, you should consult with your legal counsel to determine how this regulation applies directly to your organization and what specific steps you should take to conform. TazWorks is not a legal expert, and this article is provided for informational purposes only.