Please join Arnall Golden Gregory (AGG) for our annual Employment Law Seminar on Tuesday, October 30, 2018 at the Cobb Energy Performing Arts Centre in Atlanta, GA. Our attorneys—who have been recognized by Chambers USA: America’s Leading Lawyers for Business and Super Lawyers—will address what you need to know regarding employer rights and obligations in 2019.  AGG attorneys speaking include Montserrat Miller, Megan Mitchell, Henry Perlowski, Brad Kelley and Ed Cadagin, to name a few.

Click here to register. Complimentary breakfast and lunch will be provided. State Bar of Georgia CLE credit, Society for Human Resource Management HRCI recertification credit and CPE credit hours have been applied for.

Topics Include:

  • Skeletons in the Closet: Another Year of #MeToo
  • Trick or Treat, Part I: What Federal Regulatory Changes Are In Store
  • Trick or Treat, Part II: A Spate of New State Employment Laws
  • Supreme Court Spell Book: The Expanding Availability of Arbitration for Employment Disputes
  • Stirring the Cauldron: Hot Topics Brewing in Benefits Law
  • R.I.P. Employment Relationship: Minimizing the Risks Associated With Employee Terminations
  • Double, Double, Toil and Trouble: The Increasing Level of Worksite Enforcement by Homeland Security
  • Privacy Pumpkin Patch: Background Screening, Social Media, the GDPR, Email, and Other Privacy Concerns
  • The Wage and Hour Spider’s Web: Navigating Some of the Lesser Known Parts of the FLSA

This week’s edition of the Compliance News Flash by Arnall Golden Gregory includes blurbs about the:

  • National Association of Professional Background Screeners (NAPBS) conference in Baltimore;
  • Temporary Protected Status program and an injunction against the government;
  • EU-U.S. Privacy Shield program and enforcement actions against organizations related to their certification;
  • Updated “A Summary of Your Rights under the Fair Credit Reporting Act” model form; and
  • Italy and the General Data Protection Regulation (GDPR).

Click here to read.

Enjoy and have a great weekend!

Check out this week’s Compliance News Flash with quick reads about:

  • Background screening operations in Canada and capturing consent.
  • Colorado’s new law safeguarding personal data.
  • Homeland Security and increased workplace investigations.
  • GDPR (need I say anything more for those working on this?).
  • Termination of Temporary Protected Status and work authorization.

Any questions please contact me at

Background screening is a key step in hiring and the onboarding process, but there are a litany of federal and state laws in the US that establish certain obligations on employers as well as provide applicants with certain rights, including from discrimination.

Join Montserrat Miller, Partner, Arnall Golden Gregory LLP, and iCIMS Genera Counsel, Neal Dittersdorf, on Thursday, May 10th at 3:00 pm EST for Remaining Compliant During the Background Screening Process, the latest webinar in iCIMS quarterly Compliance Webinar Series. During this session, attendees will learn about:

  • The requirement to get applicants consent through the disclosure & authorization form
  • The adverse action process
  • How Fair Chance Hiring laws affect employment screening
  • Pay equity laws
  • GDPR compliance

Click here to register.

This week’s Compliance News Flash features information on the GDPR and the assessment of administrative fines, remote hires and the employment eligibility verification process, Homeland Security and worksite enforcement for small businesses, the end of Temporary Protected Status for Nicaraguans, and information about my presentation on developing a compliant background screening program at my firm’s upcoming Employment Law Seminar in Atlanta next week.

Click here to read the News Flash.

Companies that transfer personal data from the European Union (“EU”) to the United States should be working toward their compliance with the EU’s General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679) which will go into effect May 2018.  Oh, but how silly, that’s, like, over a year away!  Why should you care?  If you transfer personal data from the EU to the US there’s a lot to know about the GDPR and it takes time.  I’m going to focus on the Data Protection Officer (“DPO”) requirement today.

Organizations that process personal data related to EU nationals may be either a “controller” or “processor,” or both.  Let’s say you are a background screening company and you’ve been hired to conduct a background investigation or check on an individual who lives, or previously lived and worked, in the EU. You’ll very likely need to transfer data to the United States from the EU and the bottom line is that whenever an organization transfers personal data related to EU nationals to the United States, you need to consider the GDPR in order to ensure compliance.  You also need to consider whether you have a legitimate cross-border onward mechanism, but that’s for another blog posting.

Let’s talk about the DPO.  Article 37(1) of the GDPR requires the designation of a DPO by a controller or processor (i) where the processing is carried out by a public authority or body; (ii) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or (iii) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data (as defined in Article 9) and (or) personal data relating to criminal convictions and offenses (as described in Article 10).

Special categories of data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and information related to a person’s sex life or sexual orientation.

The DPO can be an internal employee or can be hired as an outside consultant, if you will.  The role and tasks of the DPO are described in Articles 38 and 39 of the GDPR.

And, in case you are wondering the cost of non-compliance?  It’s steep.  A violation of the obligation of a controller or processor related to the designation of a DPO can subject a company to administrative fines of up to 10 million Euros or up to 2% of the “total worldwide annual turnover of the preceding financial year.” (Article 83(4)(a)).

For recent guidelines from the Article 29 Data Protection Working Party on the role of the DPO, click here.

So, if you find your company in this situation and are doing a Google search of GDPR at this time, the privacy team here at AGG can help.  Just shoot me an email at