Complying with GDPR in Employment Screening


Our world is driven by data. It stretches from online shopping and banking to social media and stock markets. Our personal information is everywhere and therefore vulnerable. That’s why data protection laws like the General Data Protection Regulation (GDPR) are in place.

The GDPR sets stringent guidelines for handling personal data across Europe. Employment screening is no exception. For companies conducting pre-employment screenings, ensuring compliance with GDPR is a legal requirement and a commitment to protecting candidates’ privacy. We cover the main points of GDPR in employment screening and provide tips for businesses to stay compliant while keeping a high-quality hiring process.


What Is GDPR and How Does It Affect Employment Screening?

The GDPR was implemented in May 2018. It’s a comprehensive data protection law that applies to all EU member states and organisations processing EU citizens’ data. Following Brexit, the UK has adopted its own version: the UK GDPR. This mirrors the EU regulation.

GDPR has profound implications for employment screening. It governs how employers collect, process, and store personal data of job applicants and employees. The regulation emphasises individuals’ rights over their personal information and imposes strict obligations on organisations handling such data.


What Constitutes Personal Data in the Context of Employment Screening?

When the law refers to “personal information”, what does that actually mean? Personal data in employment screening may include:

  • Name, address, and contact details
  • Date of birth
  • National Insurance number
  • Employment history
  • Educational qualifications
  • Criminal record information
  • Financial information (for credit checks)
  • Medical information (where relevant to the role)
  • Right to work documentation


How Can Employers Establish a Lawful Basis for Processing Personal Data During Screening?

Under GDPR, employers must have a valid lawful basis for processing personal data. The most relevant lawful bases during the recruitment process are:

Consent

While consent can be a lawful basis, it is generally not recommended for employment screening because of the power imbalance between employers and job applicants.

Legal Obligation

Some checks, such as right to work verification, are required by law.

Contract

Data processing may be necessary if it’s part of setting up an employment contract.

Legitimate Interests

This applies when processing data is necessary for the employer’s legitimate interests, unless the applicant’s rights outweigh those interests.

Employers must carefully consider which lawful basis applies to each type of check and document their decision-making process.


What Steps Can Employers Take to Ensure GDPR Compliance During Screening?

To comply with GDPR during employment screening, organisations must protect candidates’ data and uphold their privacy rights. This is how to apply the key principles of GDPR in hiring practices:

1. Conduct a Data Protection Impact Assessment (DPIA)

Before collecting or processing personal data, employers should assess the risks to candidates’ privacy. A DPIA helps identify and minimise potential data protection issues.

2. Create a Clear Privacy Notice for Candidates

Under GDPR, transparency is essential. Employers must inform candidates how their data will be used, stored, and shared. They can do so by providing a detailed privacy notice at the start of the recruitment process.

3. Ensure Data Minimisation and Purpose Limitation

Employers must only collect data that is necessary for the screening process and only use it for the specific purpose of recruitment. Avoid requesting or storing irrelevant information to comply with GDPR’s data minimisation and purpose limitation principles.

4. Implement Appropriate Security Measures

GDPR requires employers to protect personal data from unauthorised access or breaches. Organisations must ensure they have strong security protocols in place to safeguard candidates’ sensitive information throughout the screening process.

5. Train Staff on GDPR Compliance

Employees involved in recruitment must understand GDPR requirements. Training staff on data protection principles helps ensure everyone follows the correct procedures when handling candidates’ data.

6. Establish Data Retention Policies

GDPR specifies that personal data should not be kept for longer than necessary. Employers must establish clear data retention policies to ensure that candidate information is only stored for as long as required by law or business needs.

7. Respect Candidates’ Rights Under GDPR

Candidates have specific rights under GDPR, such as the right to access, correct, or erase their personal data. Employers must respect these rights and provide mechanisms for candidates to exercise them easily.

8. Document All Processes and Decisions

To demonstrate GDPR compliance, employers must record how they handle personal data throughout the screening process. Documenting decisions, processes, and rationales ensures transparency and accountability.


How Should Employers Approach Different Types of Background Checks Under GDPR?

Employers must approach each type of background check with GDPR compliance in mind. Here’s how to handle them:

Right to Work Checks

Employers must base right to work checks on a legal obligation. Collect only the documents needed to verify the right to work. Securely store copies for the duration of employment, plus two years.

Criminal Record Checks

Criminal checks should be necessary and proportionate to the role. Use Disclosure and Barring Service (DBS) checks where applicable. Be extra careful when processing criminal data due to its sensitive nature.

Financial Checks

Before conducting financial checks, employers should assess if they’re truly required for the role. Legitimate interests can be used as the lawful basis, but candidates must be fully informed about the check and its purpose.

Social Media Checks

Social media checks should be done with caution. Only use publicly available information that’s relevant to the job. Also, make sure to document the reasoning behind these checks for transparency.


What Are the Potential Consequences of Non-Compliance?

Non-compliance with GDPR in employment screening can lead to serious consequences. Employers could face hefty fines of up to £17.5 million or 4% of global turnover. They could also damage their reputation, lose the trust of candidates and employees, and face legal action. Additionally, organisations may undergo regulatory scrutiny and audits, which can further disrupt operations.


How Can Advanced Vetting Help Ensure GDPR Compliance?

Complying with GDPR in employment screening is crucial for UK employers. By understanding the requirements and working with experienced partners like Advanced Vetting, organisations can conduct thorough background checks while respecting candidates’ privacy rights and meeting data protection obligations.

Advanced Vetting specialises in comprehensive pre-employment screening and can help your organisation comply with GDPR. We offer tailored data protection vetting packages that align with GDPR principles and guidance on lawful bases for different checks. We also keep you updated on changes to data protection laws.

Partnering with us ensures your employment screening is both thorough and fully compliant with data protection laws. Contact us today with any questions.
