A complete guide to GDPR compliance in background employment screening
Background screening is a data protection exercise from the moment a candidate’s details are collected: it protects your workforce, and it is also personal data processing that must comply with GDPR.
For UK organisations, the common risks are that checks are too broad, poorly explained, stored for too long, or run without a clear lawful basis. GDPR compliance in background screening starts with a simple question: what do we need to verify for this role, and why?
That question should shape your whole process.
What GDPR means for employment screening
Under UK GDPR, any information that identifies a candidate counts as personal data.
The Information Commissioner’s Office says employers should be clear about why vetting is needed, what checks are proportionate for the role and how candidates will be told about the process. It also notes that criminal record checks should be tied to the nature of the role and the correct level of check. See our full guide on criminal record checks for GDPR.
That means HR teams should avoid blanket screening policies. A finance director and a temporary warehouse worker may both need checks, yet the checks are unlikely to be identical. The seniority of the role, access to money, access to vulnerable people, regulatory duties and exposure to sensitive data all matter.
Veremark’s guide to background checks for employment gives a useful overview of the checks employers commonly use and when they may be relevant.
Choose the right lawful basis
Before processing candidate data, employers need a lawful basis under UK GDPR. In employment screening, this is often legitimate interests, legal obligation, or consent, depending on the check.
Legitimate interests may apply where an employer has a clear business need to verify information, such as checking employment history for a senior hire. Legal obligation may apply where a check is required by law, such as right to work compliance.
Consent needs careful handling. In recruitment, there is often an imbalance between employer and candidate, which can make consent less reliable as a GDPR lawful basis. Consent may still be required for some checks as part of a provider or statutory process, yet HR teams should not assume that consent alone makes every screening activity lawful.
For criminal record data, the rules are stricter. The ICO states that criminal offence data can only be processed under official authority or where domestic law allows it with appropriate safeguards. Veremark’s article on criminal record checks and GDPR explains why employers need both an Article 6 lawful basis and a separate condition under the Data Protection Act 2018.
Keep checks proportionate
Proportionality is the practical test HR teams should apply before ordering checks. The check should match the risk.
A role handling payroll may justify identity, employment history, qualifications and a relevant financial probity check. A role working with children may require a DBS check at the correct level. A graduate marketing role is unlikely to need the same level of screening as a regulated financial services role.
This is central to GDPR compliance in background screening because UK GDPR requires data minimisation. Employers should only collect personal data that is adequate, relevant and limited to what is necessary.
In practice, that means asking for the least intrusive check that still manages the risk. Do not collect extra documents because they might be useful later. Do not repeat checks where a valid, recent result already meets the need. Do not screen social media unless there is a clear role-related reason and a fair process.
A case study of unlawful biometric data processing
In February 2024, the Information Commissioner’s Office found that Serco had unlawfully processed the biometric data of more than 2,000 employees across 38 leisure facilities. The data was used to record attendance and to calculate staff pay. The ICO said Serco had failed to show why biometric checks were necessary or proportionate when less intrusive options, such as ID cards or fobs, were available. Employees were also not offered a clear alternative to having their faces and fingerprints scanned.
If an employer wants to collect sensitive candidate data, such as criminal record information, financial history or biometric identity data, it needs a clear legal basis and a proportionate reason. “This makes the process easier” is not enough. Neither is “everyone else does it”. HR teams should be able to explain why the check is needed for the role, why a less intrusive check would not work and how candidates or employees are given clear information about the process.
Be transparent with candidates
Candidates should know what checks will be carried out, why they are needed, who will process their data, how long the process will take and how long their data will be kept.
This should be set out in a candidate privacy notice and reinforced during the hiring process. Hiding screening details in dense policy wording is poor practice. Candidates should not have to guess whether a reference check, criminal record check or credit check is being run.
Transparency also reduces friction. Candidates are more likely to provide accurate information quickly when they understand the purpose of each request.
For UK hires, Veremark’s UK background screening page outlines common pre-employment checks for local hiring, including checks that support safer and more compliant recruitment.
Handle criminal record checks with care
Criminal record data needs stricter controls because it can have a serious effect on a candidate’s career. Employers should confirm whether the role is eligible for the type of check requested and whether spent convictions should be considered.
A basic DBS check shows unspent convictions and conditional cautions. Standard and enhanced checks are only available for eligible roles, and employers should use the official DBS guidance for employers before deciding which level of check applies. Asking for a higher level of check because it feels safer is a compliance risk.
HR teams should also decide who can see criminal record results. Access should be limited to people who need the information to make or review the hiring decision. Results should not be copied into general HR files without a clear retention reason.
Veremark’s criminal record check service page gives more detail on what these checks can include.
Set clear retention periods
Keeping screening data indefinitely is hard to justify. HR teams should define retention periods for each type of check and apply them consistently.
Some records may need to be kept to prove compliance, such as right to work evidence. Other screening data may only be needed until the hiring decision is complete, or for a short period afterwards in case of dispute.
Retention rules should cover successful candidates, unsuccessful candidates and withdrawn applications. They should also cover reports supplied by screening providers, raw documents uploaded by candidates and internal notes made during the review.
Good GDPR compliance in background screening depends on deletion as much as collection. If the business no longer needs the data, keeping it creates avoidable risk.
Check your screening provider
Using a third-party screening provider does not remove the employer’s responsibilities. The employer must understand what the provider processes, where data is handled, which subprocessors are used and what security controls are in place.
A comprehensive data processing agreement will set out instructions, confidentiality duties, security measures, breach reporting, international transfers, deletion terms and audit rights.
This matters even more for international hiring. Candidate data may move across borders, and different countries have different rules on what can be checked. An experienced screening partner like Veremark understands these nuances and adds a further layer of compliance protection for your organisation.
Build a defensible screening policy
A good screening policy is practical. It should help you make consistent decisions and define which checks apply by role type, who approves exceptions, what lawful basis applies, how candidates are informed, who can view results, how adverse findings are reviewed and when data is deleted.
The policy should also explain how candidates can raise concerns or correct inaccurate information. Background screening data can be wrong or incomplete. A fair process gives candidates a chance to respond before a final decision is made.
Make GDPR compliance part of hiring by design
GDPR compliance in background screening is not about avoiding checks. It is about running the right checks, for the right reason, with the right safeguards. For UK HR teams, that means using a screening process that is clear, proportionate and easy to evidence. Veremark helps employers build that process with compliant background checks, candidate-friendly workflows and screening support across UK and international hiring.