The Truth About Social Media Screening and GDPR
One of the most common questions we are asked is how our searches comply with the GDPR. In particular, there are always questions around privacy, data protection and social media screening. Our searches are designed to be compliant and are updated to reflect changes in regulation, but the questions multiply as soon as social media is added to the checking process.
Here are some of the questions and concerns we hear most often:
- Do you need consent under GDPR to run these checks?
- Are social media checks common practice?
- Can the candidate see their report?
- While I need to manage risk / comply with regulations, I don’t want to be intrusive…
Here’s a breakdown of current regulations, the risks of running checks internally and tips on how to stay compliant.
International Social Media Screening
Social media screening as part of background checking has existed in some form since the platforms began, and recent studies suggest its use is only going to increase.
In 2019 the US government introduced a visa procedure that requires foreign applicants for work visas to disclose their social media accounts on their applications. The government regards social media as a valuable way to review a person's behaviour and attitudes, beyond database or box-ticking exercises.
The US has so far been at the forefront of driving social media background screening to become commonplace for high-risk roles. Recently, the armed forces screened their troops ahead of the presidential inauguration, and the Washington police chief has suggested doing the same for police officers.
With the use of social media screening growing, the need for a consistent, regulated approach is obvious.
What are the data protection laws when it comes to social media?
Data protection laws are different all around the world, so the complexities change depending on the jurisdiction. The EU, for example, takes data protection very seriously and in 2018 brought in the GDPR.
We are all familiar with the basics of the GDPR by now and with the hefty fines that can be imposed for breaching it.
The GDPR itself does not mention social media. What it requires is that any processing of a candidate's personal data has a lawful basis (such as consent or legitimate interests) and that candidates are told what data will be collected and why, so an employer should inform candidates before viewing their social media accounts. Consent is a weak basis in recruitment, because the imbalance of power between employer and candidate means it is hard to show it was freely given. Guidance from EU data protection authorities adds that employers should only take into account data that is relevant to the role.
As a third-party background screening provider, Neotas relies on legitimate interests to perform these checks for business purposes, as requested by our clients; that basis requires the client's interest to be balanced against the candidate's rights and expectations, and a screening that is proportionate to the role. Our reports only include role-related risks, and our policies are updated to reflect changes in legislation.
Many data protection authorities have supplemented the GDPR guidance with additional advice in relation to social media screening. This can include:
- Screening to be conducted as late as possible in the recruitment process (to avoid the opportunities for human bias)
- Candidates should be made aware of any screening that will take place and how it will be conducted
- Only accessing publicly available information
- Screening levels being proportionate to the seniority of the role
The overall guidance here is clear:
- Only review relevant, role-related data
- Ensure that protected characteristics remain protected
- Only process data if you have a lawful basis for doing so
The Risks of Internal Social Media Screening
The risks that come with carrying out social media background checks in-house are significant. By combing through a candidate's social media accounts, internal staff are likely to see protected characteristics (such as race, sexuality, religion or political views) that they had no need to know, and under the GDPR much of this is special category data that needs its own justification to process.
Whether intentional or not, it is both illegal and unethical to make hiring decisions based on these characteristics. Internal staff are left exposed to accusations of unconscious or discriminatory bias, accusations that could prove costly in legal proceedings, and it is much harder to demonstrate that bias played no part in a decision once staff have seen that personal data about the candidate.
Using Third Party Background Screening Providers
Using a third-party background screening provider is the best way to avoid these risks and the financial or reputational damage that can follow them.
However well-meaning, internal staff are less likely to be trained in data handling and may be less aware of the GDPR practices that must be followed.
Third party providers like Neotas are externally audited, regulated by industry standards and often hold external certification to process sensitive data. At Neotas, we are:
Alongside the technical certifications, third-party background screening providers are independent of the hiring decision. Providers like Neotas have no hidden agenda, and we only ever present relevant, role-related risks in our reports. Our role is to show whether the candidate meets the level of honesty and integrity expected of the new position.
Lastly, the technology used is capable of processing large volumes of data quickly. Our AI and machine learning technology sifts that data and flags potential risks, which are then reviewed in context by human analysts before anything reaches the report. Because the employer sees only the reviewed, role-related findings, protected characteristics stay out of the report, and candidates need not worry about a new employer browsing their old holiday photos.