Before GDPR, carrying out criminal record checks on prospective employees was something many companies did as a matter of routine. But under the new GDPR regulation they will have to re-think.

The General Data Protection Regulation, enforceable from May 25 2018, means that employers must look very carefully at how they screen new employees.

In fact, under the terms of GDPR, background screening can only occur under very specific conditions. However, a Data Protection Bill, published in September 2017, is designed to supplement GDPR and will authorise criminal records checks to a broader selection of companies, but only under certain strict conditions.

Before we look at the rules designed to supplement GDPR, consider the implications of GDPR, itself.

Under these regulations only two types of organisations are permitted to process personal data relating to criminal convictions and offences.


  • if the processing is under the control of an official authority
  • or if an organisation is authorised by law for providing appropriate safeguards. So this could relate to an organisation that is required to carry out Disclosure and Barring Service checks as it is working with children or vulnerable adults.
The Data Protection Bill will, however, authorise the processing of criminal convictions data when it is complying with employment law obligations or rights. But in order to do this, an organisation must have a written document concerning its GDPR policy relating to the processing of criminal record data and the retention and erasure of that data.

The Data Protection Bill also allows employers to process criminal record data under other certain circumstances, including where the employee agrees to this, but only when such consent meets the requirements of GDPR.

To find out more about GDPR check out the next GDPR Summit London