GDPR…Data Protection & Employee Screening One Year On

  |      Pre Employment Screening  |       |     Reading Time: 3 minutes

25th May 2019 marked the one-year anniversary of the implementation of the General Data Protection Regulation and GDPR compliance continues to be a key priority for most businesses.


Under the GDPR, EU businesses must ensure:

  • There is an appropriate lawful basis to process data.
  • Only data necessary for the purpose for which it was collected is processed.
  • Data is securely protected and is only kept for as long as necessary to meet the purpose.
  • Data subject rights are dealt with appropriately.


Businesses that engage suppliers to process personal data, such as employee screening companies, must have a good understanding of how this employee and candidate data is processed on their behalf – what protections are in place and how the rights of the data subject can be met.



Data Subject Rights Requests


Since Q4 2018, Vero have noticed a substantial rise in volume of data subject rights requests received from Candidates. The two most common types of request relate to the erasure of Candidate data from Vero’s systems, or copies of information and documentation collected during the employment screening process.


Suject Access Requests can place a significant burden on businesses, especially where they relate to requests for copies of screening related documentation. The ability to have access to that data instantly is essential – our platform provides that for our clients.


Where Candidates seek to exercise their right to erasure (or ‘right to be forgotten’) by requesting the ad hoc deletion of their records, your employment screening company should be able to do that quickly and easily with written authority.


It is worth noting the GDPR (and by extension the Data Protection Act 2018) sets out other fundamental obligations from a data controller to a data subject which apply during background checking.


These include:


The right to be informed – This relates to the provision of prescribed information pertaining to the data controller and the nature of the processing. In the context of pre-employment screening this will typically be addressed in the data controller’s privacy notice and other employee onboarding documentation and resources.


The right to rectification – This could apply in cases where personal data have been identified to be incorrect. In the context of background screening this would be relevant if a third party (eg former employer) misreported information which was pivotal to the hiring decision (eg job title).


The right to restrict processing – This will apply if the data subject questions the accuracy of the data, the lawful basis for the processing or the data controller’s legitimate grounds for processing.


The right to object to processing – In the context of pre-employment screening this is only likely to occur where a Candidate does not wish specific checks to be carried out.



Employment Screening Policy


We recommend organisations maintain an appropriate pre-employment screening policy which explains to Candidates the nature, purpose and lawful basis of their processing activities.


Such a policy has a dual benefit:

(1) Informing Candidates as to how and why checks are being conducted;

(2) Clarifying to the business what checks are being conducted and why.


Taking such steps will help reduce the risk of processing excessive or unnecessary information, in breach of data protection legislation. This is particularly relevant with respect to criminal record checks.



Data Minimisation & Security


A key feature of the GDPR is data minimisation. Essentially organisations should only collect the personal data necessary to achieve the purpose for which it was sought. Ensuring data is not kept for any longer than required for the purpose it was collected is also a key obligation under the GDPR.


A further concern for businesses since the implementation of the GDPR is the use of organisational and technical security measures to protect personal data. Data controllers should conduct Data Protection Impact Assessments (DPIAs) when engaging suppliers who will handle personal data on their behalf. These DPIAs will assist Clients in responding confidently to any questions from data subjects.



Our Guide To How Vero Addresses GDPR & Pre-Employment Screening


Vero is committed to offering fully GDPR compliant background checking and employment screening services to its clients.

To help navigate these data protection waters, we have developed a detailed document for HR Managers & Directors that covers our approach to compliance and looks at the data protection trends over the last 12 months.


In this guide, we discuss:

Data Subject Rights Requests

Subject Access Requests

Pre-Employment Screening Policy

Candidate Declaration

Data Minimisation

Technical & Security Measures

Data Retention

International Background Checks


If you would like a copy of our guide please email us!



Let us help you!

If you would like to find out more about our pre-employment background checking services, please get in touch and we’ll be pleased to help.


About Georgina Wilson

Georgina joined Vero in 2011, having previously worked at FPR Ltd, subsequently acquired by Kroll, where she headed up Capital Intelligence, with responsibility for director-level due diligence, primarily for AIM-listed organisations. A long-standing member of Vero’s Senior Management Team, in January 2020 she became part of the newly established Leadership Team. Her energy for bringing clarity and correctness is crucial to Vero’s ability to deliver clever solutions to clients.

Related posts