GDPR has been around for about 18 months now. The new European data protection rules are hugely changing how companies manage and process data and personal information about their workers. GDPR also applies to applicants and customers. There’s a growing concern that many companies are not doing this properly, especially when it comes to pre-employment screening. What are employers allowed to do, and what should they be telling us?
What is Pre-Employment Screening Anyway?
Pre-employment screening has a range of other names which might be more familiar. It’s also known as background checking, vetting or fact checking. There is no one “best” way of running background checks. Each company does their own thing. For example, if you’re running a restaurant, you might want to check that your new chef really has worked in that 5* hotel listed on their CV. If on the other hand you’re recruiting for financial services, you may be more interested in their credit rating. Checks may also vary within companies depending on the type of position. A senior position with a high level of responsibility is likely to require more in-depth checks than an entry level position.
Employers have to check staff because unfortunately people can’t be relied on to tell the truth. Lots of people exaggerate on their CV. Employers want to try to weed out these fibs and exaggerations, and make sure that they have a very clear picture of someone’s background. However, new data protection legislation might be putting the brakes on checks.
Are Checks Legitimate and Proportionate?
New GDPR laws give more power to workers to challenge the sorts of checks that their employers want to do. Many employers are confused about the whole issue because of the “muddy” nature of the legislation. As every company is different, it’s impossible to draw up a law which covers every situation. Therefore, the law just says that any checks should be legitimate and proportionate. It’s up to each company to work out what this means for them. Get it wrong, and they might be open to legal challenge by the applicant.
There are a couple of exceptions to all of this. Employers can face huge fines if they employ illegal workers, so have the legal right to ask people to prove their nationality. Furthermore, some positions require a DBS check. This sort of check is also known as a CRB check, or a criminal records check. This isn’t optional. If you are being employed in a position needing a DBS check, you won’t be able to challenge this.
What does this mean for job applicants?
Although GDPR might make things a bit trickier for employers, it doesn’t mean that they’re going to stop doing background vetting altogether. Companies still have to address the risk of employing someone who is either unsuitable for the role because they have exaggerated their experience, or who is a fraud risk. GDPR does require that employers are very clear about what they are going to check, and why. They must also tell employees what they are going to be looking at, and get consent. A blanket statement asking people to agree to background screening isn’t enough any more.
One important point to remember is that GDPR doesn’t stop employers looking at information which is out there in cyberspace about you. They don’t need consent to look at your social media accounts, if they are open to public view. They can google your name and see what comes up about you online, just as anyone else can. Consent is needed for other types of searches such as credit reports, or contacting your old employers to make sure you actually did the job you are claiming to do.
Storing Data
Employers also have to be really careful about the sort of information they store about their workers. GDPR law allows employees to request all information held about them by an employer. Unlike old data protection law, employers can’t charge for doing this. There’s an increasing trend for people who are involved in disputes with their employer to ask for files; not just HR information but emails, performance reviews and everything else. If employers refuse to provide this, then they can be fined.
So if you’re applying for a new job and undergoing checking, expect lots more information about what they’re doing and why. If not, could your employer be breaking the law?