GDPR and Background Screening: How to Make Them Work Together?

GDPR and Background Screening: How to Make Them Work Together?


Remember the barrage of privacy notices and cookie pop-ups that flooded your screens in 2018? That was the arrival of the General Data Protection Regulation (GDPR), a landmark European Union regulation designed to empower individuals with control over their personal data. Its impact extends beyond website cookies, fundamentally reshaping how businesses handle sensitive information, including during employee background verification.

The GDPR introduces a new set of complexities to background checks. Today the HR professionals must navigate a landscape of lawful basis requirements in the employment context, transparency obligations, and data minimization principles. This heightened focus on data privacy is reflected in rising investments. Gartner forecasts that the average annual budget for privacy at large organizations will surpass $2.5 million by 2024, highlighting the growing importance of robust data governance practices. Moreover, studies show a positive return on investment for data privacy initiatives. However, given the monetary and reputational risks associated with non-compliance, navigating the GDPR becomes crucial for HR departments conducting background screening. Let's explore how GDPR impacts background checks and how you can balance it with your organization's interests.

The GDPR Compliance Checklist for Employee Background Verification

1. Lawful Basis

The GDPR demands a clear legal justification for processing any individual's data. It applies equally to employee background verification, where a simple routine might have sufficed previously. While several lawful bases exist, "legitimate interests" is the most common choice for EU-based organizations conducting background checks. However, this justification requires careful consideration of the specific industry, role, and information collection type. Simply put, the benefits of background screening must outweigh the privacy intrusion on the candidate. Thorough research is necessary to establish a strong case for the data you need.

2. Transparency and Consent

Candidates undergoing background checks have the right to clear and comprehensive information about how their data will be processed, its purposes, and its rights under the regulation. This GDPR information is typically provided through a privacy notice.

While consent was once a common practice in background checks, the GDPR has shifted the focus toward other legal bases. This is because the power imbalance between employer and employee can potentially render consent invalid. However, it may be a viable option in specific situations where the candidate offers clear, informed, and uncoerced consent.

3. Data Minimization and Retention

The GDPR emphasizes data minimization, meaning organizations should only collect and process the personal information strictly necessary for the intended purpose. It applies directly to employee background verification. Gathering excessive or irrelevant data can be a violation.

Furthermore, the regulation mandates clear data retention periods. Organizations must determine how long background check information will be stored based on legal requirements, business needs, and the potential for future disputes. Once the retention period expires, the data should be securely purged.

4. Selecting Compliant Providers

Choosing a background screening provider that adheres to GDPR is crucial. Reputable providers should offer:

• Transparent data processing practices • Clear contractual agreements outlining data protection responsibilities • Secure data storage and transmission protocols • Mechanisms for responding to data subject rights requests

5. Data Sharing Agreements

Data-sharing agreements become essential whenever background checks involve sharing personal data with third parties, such as previous employers or reference providers. These agreements clearly outline the purpose of data sharing, the specific information transferred, and each party's data security and compliance responsibilities.

6. Candidate Rights

The GDPR empowers individuals with various rights regarding their data, including:

• Right to Access: Candidates can access the personal information they collect during the background check process. • Right to Rectification: In case of inaccuracies, candidates can request corrections to their data. • Right to Erasure (Right to be Forgotten): Under certain circumstances, individuals can request the deletion of their data. • Right to Object: Candidates may object to processing their data, particularly if it negatively impacts them.

Top GDPR Challenges in Background Screening

1. Defining Roles: Controller vs Processor

While some situations are straightforward, such as a provider simply offering data storage without actively processing it, background screening often involves various activities. Retrieving information from previous employers or conducting criminal record checks might constitute controller functions, while merely providing a platform for candidate data input could fall under processor duties.

This distinction becomes critical when negotiating contracts, as the GDPR outlines specific requirements for controller-processor and controller-controller agreements. Many organizations, however, favor standard controller-processor agreements regardless of the service provider's specific role.

2. Handling Criminal Record Data

Article 10 of the GDPR specifically addresses the use of criminal conviction data, delegating its regulation to individual European countries. Determining if the desired criminal history information is even available in the country is crucial. Employee background verification providers can often confirm this, as some countries have established mechanisms for employment-related checks while others don’t.

While the provider might possess some general knowledge, legal counsel is necessary to determine the permissibility of a criminal history check within a specific employment context. It depends on various factors, such as the country, industry, company risk tolerance, and the specific role and responsibilities the candidate will hold.

3. One-time Data Transfers for International Checks

Contrary to popular belief, the GDPR doesn't completely prohibit transferring personal data outside the European Economic Area (EEA) or the UK. However, it requires that transferred data benefits from protections equivalent to the GDPR. It can be achieved through:

• Standard contractual clauses issued by regulatory authorities • Binding corporate rules applied across global companies • Adequacy decisions where specific non-European countries are deemed safe for data transfers


The GDPR's influence on background checks extends far beyond mere compliance. It signifies a fundamental shift in the power dynamic between organizations and individuals regarding personal data. This shift has broader implications, potentially influencing data protection practices globally and setting a precedent for a more balanced approach to data collection and usage across various sectors. While navigating the GDPR's intricacies requires careful attention to detail, its ultimate impact is a more ethical and privacy-conscious landscape for background checks, contributing to a more responsible and transparent business environment.

Image source -