How GDPR Affects Background Checking

Feb 14, 2019

Anyone who has visited a website since May 2018 will have undoubtedly noticed a pop-up window asking you to accept cookies and a range of privacy settings: GDPR.

Early 2018 saw a tsunami of emails flooding into every inbox – business and personal – requesting that we update our security settings: GDPR.

GDPR – it’s everywhere. The General Data Protection Regulation is a European Union set of privacy rules written to apply so broadly that companies everywhere, including on their websites, are taking steps to comply. GDPR is difficult to avoid, and – dare we say it – it’s a little bit annoying, isn’t it?

For all the wrongs that GDPR has striven to address, there’s still a tremendous amount of confusion around this new suite of privacy regulations and how they affect businesses, including in the United Kingdom. And, specifically, how they affect HR processes for companies doing business — and that’s interpreted broadly — in a country covered by the GDPR. As if the DBS [background] check needed to get more complicated.

GDPR confusion

One of the problems with GDPR has been its roll-out: a plethora of misinformation, and what reliable guidance is out there is both vague and dense (a nice oxymoron for you, there). Lots of companies initially thought that GDPR would only govern mailing lists and how personal data is stored.

Which it does.

But GDPR also affects how we carry out background checks. Are you operating in compliance with the law?

What has changed?

Carrying out DBS checks, pre-GDPR, was something many HR departments did as a simple matter of course.

Not anymore.

GDPR means that we have to look very carefully at how we screen new and potential employees. Under the specific terms of GDPR, background checking is only allowed under very distinct conditions, making the screening of new employees particularly complicated unless you are recruiting for exempted industries – such as those working with vulnerable adults and children.

The U.K.’s Data Protection Bill 2017 was created to supplement GDPR, providing some additional leeway to authorise criminal record checks in a broader context.

But strict conditions remain.

The implications of GDPR

Organisations under the control of either an official authority or one authorised by law to provide safeguards are permitted to process personal data relating to criminal convictions and offences under GDPR.

However, that still feels a little wishy-washy, doesn’t it?

So, how do you make sure that the people you’re employing here in the United Kingdom are safe to work in your environment?

Criminal checks authorised

The Data Protection Bill was an amendment to the general protections of GDPR, authorising the processing of criminal record checking when in compliance with employment law or safeguarding obligations.

To continue to process data in this way, the organisation requires a separate written document in addition to its GDPR policy, explaining:

  • How the organisation will handle criminal record data
  • How those records are retained
  • How (and when) they are erased.

You may need permission

If there is no lawful basis for your business to carry out criminal record checks, you’ll need to request specific and clear consent. A lawful basis could include:

  • Businesses authorised by the FCA (Financial Conduct Authority)
  • Employment that involves direct (or sometimes indirect) contact with vulnerable adults and children.

Employee consent

It is still possible to carry out an appropriate DBS check for all industries. But individual and distinct consent must be clearly obtained and evidenced.

However, GDPR recognises that consent is often distorted by the power imbalance in the employee/employer relationship. It’s necessary, therefore, to make clear that any offer of employment is not dependent upon consent. An individual should be freely given the opportunity to refuse consent, without that being prejudicial to their appointment.

Consent must be:

  • Freely given
  • Informed
  • Specific
  • Unambiguous
  • Clearly distinguishable from other matters
  • In plain and clear language
  • Easy for the individual to withdraw at any time

For industries that aren’t legally obliged to carry out a background check, consent remains the only path to DBS.

What does this mean for HR?

Of course, consent has always been a necessary factor in DBS checking.

Generic consent clauses, giving automatic permission to carry out an employee background check, were commonly embedded into standard employment contracts.

This is now a no-no. By nature, this approach is neither specific nor unambiguous, and it can’t be distinguished from the rest of the employment contract.

So, HR professionals need to approach the obtaining of consent in different, more accountable ways, with separate consent declarations that comply with the higher standards set by GDPR.

You should have done these already – so make sure that this becomes a priority if you haven’t. An infringement of GDPR can cost your business dearly.

Consider your existing employment contracts:

  • Automatic consent for DBS or background checking should be removed, as it’s no longer valid or legal.
  • Prepare consent provisions in separate declaration documentation – they shouldn’t be intrinsically linked to acceptance of employment.
  • There is no “one size fits all”. In theory, you should be addressing consent with all existing employee contracts, because consent embedded into employment contracts will no longer be valid.

Storing personal data

Of course, the primary driver of GDPR is how companies store and secure personal data – with consent being the sole justification for the storage of an individual’s data.

The DBS Code of Practice dictates that information revealed as a result of criminal record background checking is only to be considered for the purpose for which it was obtained.

The destruction of DBS records has been a long-term practice, and GDPR requires that the retention of criminal records does not exceed six months or the period of necessity for that information.

While GDPR feels like a significant change, for most it simply means a change in how we obtain consent.

Consent can no longer be embedded into a standard contract, which previously provided blanket consent to criminal record checking throughout the entirety of an individual’s employment. Contractual consent must be clearly distinct from all other employment contracts and documentation, with clear instructions regarding how you will be using that individual’s personal information and how you will store and destroy it.