Background screening and GDPR

Before GDPR, carrying out criminal record checks on prospective employees was something many companies did as a matter of routine. But under GDPR they will have to rethink.

The General Data Protection Regulation, enforceable from May 25 2018, means that employers must look very carefully at how they screen new employees.

In fact, under the terms of GDPR, background screening can only occur under very specific conditions. However, a Data Protection Bill, published in September 2017, is designed to supplement GDPR and will authorise criminal records checks for a broader selection of companies, though only under certain strict conditions.

Before we look at the rules designed to supplement GDPR, consider the implications of GDPR itself.

Under these regulations, only two types of organisations are permitted to process personal data relating to criminal convictions and offences:

  • If the processing is under the control of an official authority
  • Or if an organisation is authorised by law for providing appropriate safeguards. This could relate to an organisation that is required to carry out Disclosure and Barring Service checks because it works with children or vulnerable adults.

The Data Protection Bill will, however, authorise the processing of criminal convictions data when an organisation is complying with employment law obligations or rights. But in order to do this, the organisation must have a written document concerning its GDPR policy relating to the processing of criminal record data and the retention and erasure of that data.

The Data Protection Bill also allows employers to process criminal record data under certain other circumstances, including where the employee agrees to this, but only when such consent meets the requirements of GDPR.

To find out more about how you can comply in time for May 2018, visit GDPR Summit London.

