4 Key Ways the GDPR May Affect Credentialing Bodies

August 15, 2019

By: Oliver M. Krischik

Credentialing Insights: The Online Journal for ICE

View Link

The EU’s General Data Protection Regulation (GDPR) can feel like a burden to your credentialing organization, but it’s imperative to stay compliant. This article by GKG Law's Oliver Krischik will help you navigate the challenges your organization may face when requesting and obtaining information.

Credentialing bodies collect information such as the name, address and occupation of people applying for certification. If an organization accepts such information from residents of countries in the European Union (EU) or operates a branch office in the EU, the organization may be subject to the EU’s General Data Protection Regulation (GDPR). This means that, among other things, organizations will need to: determine the lawful basis for all data processing, evaluate the lawfulness of any criminal background checks, establish a procedure for destroying data after a certain time frame and add data privacy language to existing contracts with vendors that process data on the organization’s behalf. 

While the GDPR applies to all entities that fall within its scope, its relationships among credentialing organizations, relevant industry sectors, credential-holders, and the public are unique in many ways. As a result, credentialing organizations may face different burdens and challenges in navigating the GDPR when compared to other types of associations. Below are four areas of GDPR compliance that may affect credentialing bodies differently than other types of organizations. 

1) Lawful Basis For Processing, Sharing and Communications 

Under the GDPR, organizations must have a “lawful basis” to justify the collection, processing or sharing of personal data. Processing is only permissible where an organization has explicit and informed consent from an individual, or where processing is necessary to meet one of the other lawful bases. Obtaining consent under the GDPR requires specific disclosures, procedures and record-keeping. Due to the nature of the credentialing industry, however, a great deal of credentialing bodies’ processing activities may be able to proceed without consent by relying on the following lawful bases:

• Contract Performance: Organizations can process personal data when necessary in the context of a contract or intention to enter into a contract. In most cases, the relationship between a credentialing body and the credential holder is multi-faceted and long-term while involving a range of obligations and services. For this reason, credentialing bodies can rely on the following activities to justify the lawful basis to process data when issuing and maintaining credentials:
  • reviewing applications
  • vetting applicants, with some exceptions for criminal background checks
  • publishing the fact that the credential has been granted to the holder
  • conducting any testing needed to obtain the credential
  • providing other services necessary for the organization to grant and maintain the credential.

When relying on these activities as the lawful basis, it is prudent for credentialing organizations to clearly communicate to applicants what types of personal data processing activities are involved with obtaining and maintaining a credential.

• Pursuing Legitimate Business Interests: Credentialing bodies may be able to rely on this lawful basis to process information in ways related to and reasonably expected by credential holders, such as: (1) direct marketing related to the renewal and maintenance of a credential (g., emailing credential holders regarding the need to renew their registration); or (2) investigating wrongful or fraudulent representations about a credential, such as the misuse of suspended, denied or revoked credentials. This lawful basis requires a balancing test, so credentialing organizations should weigh their legitimate interests against the data privacy interests of any credential holder. 

2) Restrictions on Criminal Background Checks

The GDPR restricts processing related to criminal history except where authorized by an EU Member State’s laws. Many EU Member States forbid processing of this information except by local government institutions. As a result, credentialing bodies may be practically prohibited from processing criminal history data about individuals in the EU even when the individuals have provided explicit consent. At the same time, credentialing bodies may have a substantial interest in processing criminal history, particularly when the credential relates to practitioners who work with vulnerable individuals like the elderly, sick, disabled or children. Credentialing bodies that work with EU-based credential holders should carefully review their obligations to develop compliant policies for criminal background checks. 

3) Data Retention 

The GDPR requires organizations to destroy or return personal data once it is no longer necessary for the purposes for which it was collected. Credentialing bodies, however, may have a unique interest in retaining such data to keep a record of past and present credential holders. Accordingly, credentialing organizations should review their data retention policies to determine: (1) what data may require longer-term retention; and (2) specific timeframes for the retention of certain data. For example, certain contact and payment information may be less important following the expiration of a credential, whereas the organization may determine that a record of the name of the credential holder and dates the credential was valid should be retained for a longer period. Once an organization has developed a data retention policy, the relevant time frames should be reflected in an organization’s privacy policy.

4) Data Protection Addendums and Contractual Language 

The GDPR requires organizations and vendors that process data on behalf of organizations to enter into written agreements setting forth specific data privacy terms. Over the past year, United States (U.S.) organizations and vendors have worked to find suitable contractual language that covers GDPR requirements and protects both parties. Not all data protection agreements were created equal, however, and many of the data protection clauses floating around the marketplace are either non-compliant or overly broad. 

The credentialing process often involves substantial data processing by third-party vendors as part of application, training and testing practices. In many cases, these third-party vendors may not be very familiar with the GDPR, particularly when the vendors serve a limited clientele located purely in the U.S.. For these reasons, credentialing bodies should carefully review contracts with vendors to ensure that the clauses meet both the GDPR requirements and protect the credentialing organization. Specifically, credentialing bodies should be sure that vendors are: (1) only processing data per documented instructions; and (2) vendors have adequate data security. Over the past year, EU data protection agencies have used the GDPR’s mandatory data breach reports to open broad investigations into organizations’ GDPR compliance practices. Good data security practices help mitigate the risk of investigation. 

Conclusion 

Credentialing bodies that are subject to the GDPR can benefit from a close examination of their GDPR obligations. As the world continues to focus on data privacy legislation, becoming GDPR compliant can provide organizations with excellent tools to understand and refine their data privacy practices. Every credentialing body will have different compliance requirements based on its processing activities, including what data it collects, what it does with these data and how data is shared. There is no “one size fits all” GDPR compliance program. Each compliance program should be customized based on what an organization does.