GDPR Compliant Employee Screening Best Practices

IG-Smart Ltd has developed this brief guide for Reed Screening and its clients to set out the key data protection best practices you should follow when screening and vetting new employees, to help ensure compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK Data Protection Act 2018.


Employee background checking

Conducting background checks to establish the provenance of prospective employees' credentials (particularly their qualifications and employment history) is advisable not only from an employment perspective, but also from a data protection compliance perspective.

This is, in effect, a personnel security control: it helps ensure that unsuitable individuals are not given access to personal data, particularly sensitive personal data or commercially sensitive information. For example, organisations that provide services to vulnerable children and adults should ensure that people who have been convicted of violent crimes or sex offences are not given access to any personal data that may place vulnerable people at risk. Similarly, organisations that process payment card data and details about people's personal finances should not give someone who has been convicted of fraud, theft or perjury access to such data.

That said, you must still consider prospective employees' rights and fundamental freedoms when conducting background checks, in particular each candidate's right to privacy and right not to be discriminated against.

Here are some basic do's and don'ts you can follow to help ensure that your background checks are aligned with data protection compliance best practices.

Do:

  • Provide candidates with transparent information (in the form of a Privacy Notice on your website, as a minimum) about the personal data you may process as part of your screening/vetting processes, including whether you may process personal data about candidates that is in the public domain (e.g. via social media).
  • Ask for references, and contact at least two referees.
  • Ask for qualifications and verify them directly with the awarding academic institutions.
  • Ask for evidence of any criminal convictions, where the role justifies it, by obtaining a copy of the prospective employee's Disclosure & Barring Service (DBS) check (formerly a Criminal Records Bureau check in the UK).

Don't:

  • Trawl through a prospective employee's personal social media pages unless there is a clear legal justification (e.g. it is directly relevant to the position they are applying for and you are using a platform like LinkedIn to read a prospective employee's professional profile and any endorsements or recommendations they may have).
  • Gather any sensitive personal data that may reveal information about a prospective employee's religious or philosophical beliefs, racial or ethnic origin, sexual orientation or sex life, political opinions, health (including genetic or biometric data), or trade union membership, unless it is directly relevant for employment purposes (e.g. it is for the purpose of taking 'positive action' towards people with 'protected characteristics' as defined in the Equality Act 2010, or the 'protected characteristic' is an occupational requirement) and it is not used in a discriminatory way.
  • Keep personal data for longer than is necessary, whether a candidate is successful or not (see Data Retention & Destruction below for further information).


Data Retention & Destruction

Once you have completed your prospective employee screening and vetting processes and have decided whether or not to offer a candidate a job, you need to ensure that you retain the right data and destroy the rest. This is to ensure that personal data is not kept for longer than is necessary, since doing so would infringe the GDPR's storage limitation principle (Article 5(1)(e)).

Here are some of the things you need to consider for each of the possible outcomes:

Outcome A - No job offer made

Data to be retained:

Any information about the reason the prospective employee was not offered the job may be retained for 6 months, in case of any legal claims that may be brought against your organisation (e.g. if someone claims that you did not offer them the job for discriminatory reasons). This may include, for example, feedback from referees, a copy of the prospective employee's CV and/or job application, and any interview notes.

Data to be destroyed:

All other personal data belonging to the unsuccessful candidate should be destroyed immediately, unless it is necessary to retain it for up to 6 months (e.g. to defend against any potential legal claims, as above).

Outcome B - Offer made and accepted

Data to be retained:

Any personal data that is going to be relevant for the purposes of employment may be retained for as long as is necessary. This may include, for example, a copy of the new employee's CV, references (minus the personal data of the referee, see below), interview notes, etc.

Data to be destroyed:

You should destroy any personal data that is not necessary. For example, copies of any DBS certificates should be destroyed as soon as the recruitment decision has been made (the DBS Code of Practice permits retention for no longer than 6 months, and only to resolve disputes), keeping at most a record that the check was carried out, its level, date and outcome; and the personal data of any referees should be destroyed after 6 months.

Outcome C - Offer made and rejected

All personal data belonging to the candidate should be immediately destroyed.

What about keeping CVs for future reference?

You should only keep the CVs of unsuccessful candidates, or of candidates who have rejected your job offer, if they opt in (e.g. say yes via email) to having their CV stored in your database for the purpose of being contacted about future job opportunities, and then only for the period you told them about. You should not keep CVs on file without consent.


About IG-Smart Ltd

This tips sheet was prepared by IG-Smart Ltd, winners of the Innovation & Excellence Award for "GDPR Consultancy of the Year 2020", the UK Enterprise Award for "Best Cyber Security Consultancy Firm 2019" and the Global 100 award for "Best Cyber Security Consultancy Firm 2020".

IG-Smart Ltd has helped world-renowned institutions and leading brands to achieve GDPR governance and compliance success, delivering DPO as a Service, GDPR Gap Analysis, GDPR Audit, GDPR Training, Cyber Security Vulnerability Assessment and Penetration Testing services.

Author: Michael Abtar, Principal Consultant IG Smart Ltd.

May 2020

Enquiries to

Phone: + 44 (0) 20 7167 4268