In 2018, the European Union's General Data Protection Regulation, or GDPR, came into force. The law established sweeping changes to how companies manage, safeguard, and dispose of private information supplied by or collected about customers and web users. Although the long-term effectiveness and impact of the GDPR are still a matter of study, its existence is the product of a trend or belief that individuals should have much broader rights over their data. Inspired by the GDPR, numerous states across the US have begun to draft and pass similar legislation—and there could be issues concerning background check compliance with these privacy laws.
In 2023 alone, California, Virginia, Connecticut, Colorado, and Utah will put new privacy laws into effect. Businesses in these states will need to review these new regulations carefully and examine how they will impact their customer data collection efforts. A popular example is a new requirement to allow any customer to opt out of data collection—which could be a big blow to businesses reliant on internet marketing and email outreach.
However, there are other business impacts beyond those that concern consumer-facing applications. Background screening is one process that could see effects from this new form of legislation.
Employers already collect a large amount of information about applicants in the course of conducting employment background screening to determine suitability. This can include data such as the applicant's Social Security number, driver's license number, home address, and more. In some cases, employers may even order a copy of an applicant's credit report. Previously, back-office best practices kept this information safe and secure. Now it may be a matter of law.
More importantly, individuals are often empowered under these privacy acts to request that companies delete the information they have on file. For employers conducting background checks, this could create a need for an entirely new set of procedures around handling and ultimately discarding the data gathered during the vetting process.
It is necessary to confer with background screening companies to ensure they also understand the compliance concerns regarding your applicants. This information, including the background check itself, is often very sensitive and could lead to identity theft or other kinds of harm if leaked to or stolen by bad actors. Mishandling the data could lead to expensive lawsuits under these new acts. With that in mind, companies in the affected states should re-examine their screening processes.
Ultimately, adding a "disposal" step to employee screening can have benefits beyond background check compliance with privacy laws. Does any business owner want to be the steward of such potentially sensitive information without a concrete need? In most cases, there is no reason to keep background checks and all the personal data they contain on file after you make a final hiring decision. Appropriately destroying the data—whether on request or as a matter of process—makes good sense. As concerns for data privacy grow, now is the time for companies to get ahead of the curve.