The General Data Protection Regulation (GDPR) was first proposed in 2012; however, it was not enacted by the European Union (EU) Parliament and Council until December 2016. It became effective on May 25, 2018. The GDPR puts forward a policy for data protection with enhanced obligations for businesses and its jurisdiction is global. The GDPR applies to any company (no matter its location) that deliberately offers services or goods to the European Union, or that monitors the behavior of people within the EU.

An emphasis is placed on consent, data portability, and required breach notifications which will change how businesses handle sensitive data. The regulation also requires the business to have a “data protection officer” who would be responsible for implementing and complying with the GDPR.

The main purpose of the GDPR is to blend data privacy laws across Europe, to safe guard all EU citizens’ personal identifiable information across the region. The GDPR replaces the Data Protection Directive (officially Directive 95/46/EC) approved in 1995. This European Union ordinance controls the administering of personal data within the European Union. It is a vital element of EU privacy and human rights law.

The law applies if the data controller (organization that acquires personal identifiable information from European Union residents) or processor (an entity that processes data for a controller), and or the data subject (individual) is located in the EU. Additionally, the regulation applies to employers located outside of the EU that process or collect personal identifiable information from people located in the EU.

The European commission has determined the following to be considered personal identifiable information:

• Name
• Home Address
• Photo
• Email Address
• Bank Details
• Social Media Posts
• Medical Information
• Computer IP Address

Just like U.S., employers must certify a permissible purpose to collect consumer data information. The GDPR requires the similar types of permissions for organizations in the European Union such as:

• For the legitimate interests of a data controller or a third party, unless these interests are overridden by the Charter of Fundamental Rights (especially in the case of children)
• To perform a task in the public interest or in official authority
• To comply with a data controller’s legal obligations
• To fulfill contractual obligations with a data subject
• To perform tasks at the request of a data subject who is in the process of entering into a contract with a data controller
• To protect the vital interests of a data subject or another person

Employers must demonstrate compliance with the GDPR by implementing data protection by design and by default. Article 25 requires data protection measures to be designed into the development of business processes for products and services. If employers are hiring and employing individuals located in the EU, they must adhere with the new regulation especially when it comes to the background screening process. If an employer utilizes a third-party vendor to conduct their background screening report, they should ensure compliance with the new standard as well.