How to build a global rescreening programme



Global rescreening fails less on the law than on the way teams stitch the law into everyday operations. The aim is not to memorise every country’s rules; it is to make a few defensible choices—lawful basis, notification, retention, vendor obligations—and then apply them consistently wherever you operate. Do that, and most reviews become routine rather than risky.
Consent vs legitimate interests (and how to decide)
Many programmes default to consent because it feels safe. In employment contexts, it often is not: consent can be withdrawn and may not be “freely given”. A better anchor—where local law allows—is legitimate interests tied to role risk. That means writing down the purpose (ongoing personnel due diligence), explaining why checks are necessary and proportionate for each tier, and listing the safeguards you use to protect employees (minimisation, redaction in exports, retention limits).
You will still meet countries or specific checks that need consent. Treat those as exceptions to the anchor, not the model itself: capture targeted consent for the particular check, explain why it is needed, and offer a reasonable alternative where the law requires one. The outcome is a single global stance—legitimate interests by default, consent where required—rather than a patchwork of local improvisations.
A simple decision path
- Define purpose: ongoing personnel due diligence to manage insider risk and meet client obligations.
- Assess necessity & proportionality: are the checks the minimum needed for the risk tier?
- Pick basis by country:
  - If employment/data protection regimes permit legitimate interests, use it with an LIA and clear notices.
  - If a specific check requires consent (e.g., certain criminal/credit checks in some markets), capture consent just for that check.
- Add safeguards: minimisation, redaction in exports, retention limits, clear opt-out/appeal routes where required.
What to document in your LIA (one page)
- Purpose and benefits
- Role tiers and why frequency is proportionate
- Check set by tier and why each is necessary
- Risks to the individual and how you reduce them (minimisation, redaction, retention)
- Why your interests are not overridden by employee rights
Employee communications (what to say and when)
People accept screening when they understand the purpose and the boundaries. They resist when they are surprised. Three touchpoints matter.
First, publish a short privacy notice addendum that anyone can read: why you rescreen, what lawful basis you rely on, the checks associated with each tier, how long records are kept, and whom to contact with questions. Second, keep an internal FAQ that answers the practical worries—who sees the results, what “pass/flag” really means, how to correct errors, what happens if something comes back late. Third, send a heads-up before each cycle: the role tier, the checks you will run, when it starts, and a reminder that exports to clients and auditors are redacted by default.
Minimum comms pack
- Privacy notice addendum (public): purpose, lawful basis, checks by tier, retention, contact.
- Internal FAQ (intranet): what we check, how often, who sees results, how to correct errors, what happens on a flag.
- Cycle notifications (email/in-app): “You are due for rescreening next month; here is what this involves.”
This is not just politeness. Clear, plain-language comms lower refusal rates, shorten review calls, and give managers something trustworthy to forward when questions surface.
Retention: keep less, for shorter
The cleanest evidence sets are small on purpose. Keep the artefacts that prove you designed and operated the control; avoid hoarding the rest.
Versioned policies, your tier/cadence model, and approvals form the governance spine—keep those for the long haul. For operation, a run log with dates, pass/flag outcomes, reviewer and next due is usually enough to demonstrate that the engine turns; three to five years is a sensible target aligned to audit and contract windows. Exception registers should live for the life of the exception plus a modest buffer. Full raw reports are the risk: restrict access tightly and reduce them to outcomes as soon as you reasonably can. When you send evidence externally, ship redacted extracts and record who saw what and when.
This is how you square global privacy regimes with auditability: demonstrate control over time without storing more personal data than you need.
Vendor management (make your supplier audit-ready)
If a partner runs checks, you remain accountable for legality and evidence. Put audit-readiness into the contract and the workflow.
Contracts should confirm data-processing terms, where data sits, who the sub-processors are, and how quickly incidents are reported. They should also acknowledge your lawful basis choices: the vendor must support your legitimate-interests model and your targeted consent flows where needed. Operationally, insist on the basics you will be asked to prove—time-stamped outcomes, access to logs, and a redacted view suitable for exports. Add SLAs for turnaround and error correction, and align retention so the vendor is not keeping more than you are.
Then, audit the relationship lightly but regularly: quarterly spot-checks against your run log, a look at redaction quality, and an annual review of sub-processors and hosting locations. The message to reviewers is simple: suppliers follow the same rules you do.
Vendor checklist
- Contractuals: data processing terms, jurisdictions, sub-processors, breach notice timelines, audit cooperation.
- Lawful basis handoff: your policy/LIA or consent mechanisms are recognised and supported.
- Evidence access: you can obtain logs, approvals proof (where relevant), and time-stamped outcomes.
- Minimisation: vendor provides a redacted view for export; raw data restricted.
- SLAs: turnaround times, error correction flow, re-verification triggers on access change.
- Security: encryption, access controls, retention alignment.
Ongoing oversight
- Quarterly sample of vendor output against your run log.
- Spot-check redaction quality in exports.
- Yearly review of sub-processors and data-hosting locations.
Handling refusals
Refusals will happen. Treat them as signals to check your design, not as confrontations to win.
Start by understanding the reason. Misunderstandings usually dissolve with a clear restatement of purpose, scope and safeguards, backed by your notice. Where a particular check genuinely requires consent and the individual declines, consider proportionate alternatives: defer the check pending documentation, reduce privileges, increase supervision, or reassign duties temporarily. For high-privilege roles, unresolved refusal may mean pausing access until an acceptable path is agreed.
Operational flow
- Triage: why is the person refusing—misunderstanding, privacy worry, or a lawful right?
- Explain: restate purpose, checks, safeguards, and lawful basis; provide the privacy notice.
- Offer alternatives (where acceptable): e.g., defer a specific check pending documentation; increase supervision or reduce access temporarily.
- Escalate: for high-privilege roles, unresolved refusal may mean reassignment or suspension of access pending resolution.
- Record: log the refusal, decision, risk owner, temporary controls, and review date in the exception register.
Whatever you decide, record it as an exception with a risk owner, compensating controls and an expiry date. That single habit turns a tricky conversation into evidence of control.
Conclusion
Rolling out rescreening globally is a design problem first. Anchor your lawful basis in legitimate interests where the law permits, use targeted consent only when you must, and explain the programme to employees in plain English. Keep outcome-level records that prove the engine turns; restrict and shorten the life of raw reports. Hold vendors to the same standards you keep in-house. And when someone refuses, respond proportionately and document the decision.
Get these foundations right and everything else—cadence debates, audit sampling, renewal questions—becomes easier. The programme will feel the same everywhere it runs, even when the law does not.
FAQs
This depends on the industry and type of role you are recruiting for. To determine whether you need reference checks, identity checks, bankruptcy checks, civil background checks, credit checks for employment or any of the other background checks we offer, chat to our team of dedicated account managers.
Many industries have compliance-related employment check requirements. And even if your industry doesn’t, remember that your staff have access to assets and data that must be protected. When you employ a new staff member you need to be certain that they have the best interests of your business at heart. Carrying out comprehensive background checking helps mitigate risk and ensures a safer hiring decision.
Again, this depends on the type of checks you need. Simple identity checks can be carried out in as little as a few hours but a worldwide criminal background check for instance might take several weeks. A simple pre-employment check package takes around a week. Our account managers are specialists and can provide detailed information into which checks you need and how long they will take.
All Veremark checks are carried out online and digitally. This eliminates the need to collect, store and manage paper documents and information, making the process faster and more efficient and ensuring candidate data and documents are kept safe.
In a competitive marketplace, making the right hiring decisions is key to the success of your company. Employment background checks enable you to understand more about your candidates before making crucial decisions which can have either beneficial or catastrophic effects on your business.
Background checks not only provide useful insights into a candidate’s work history, skills and education, but they can also offer richer detail into someone’s personality and character traits. This gives you a huge advantage when considering who to hire. Background checking also ensures that candidates are legally allowed to carry out certain roles; for example, failed criminal and credit checks could prevent them from working with vulnerable people or in a financial function.