
Jan 22, 2026

7 GDPR Myths Costing UK Employers Millions in Screening Compliance

    "We can't do DBS checks anymore because of GDPR." This myth cost one care company £78,000 in three months. Here are 7 dangerous GDPR beliefs costing UK employers millions.

    "We can't do DBS checks anymore because of GDPR."

    We heard this yesterday from an HR Director at a 150-employee care company.

    They'd stopped all DBS checks for three months whilst "sorting out GDPR compliance."

    Three months.

    No Enhanced DBS checks. No safeguarding. No legal employment in regulated activity roles.

    Because someone told them "GDPR bans criminal record checks."

    After running screening companies since 2006, we can tell you this myth is costing UK employers in three ways:

    Financial — ICO fines reached £19.6 million in just seven enforcement cases during 2025, with the average fine jumping from £150,000 to £2.8 million.

    Operational — Companies abandoning essential screening entirely rather than understanding GDPR compliance.

    Legal — Failing to conduct legally required checks (like DBS for regulated activity) because of misunderstood GDPR guidance.

    Here are the seven most dangerous GDPR myths we encounter in employee screening, what's actually true, and how to stay compliant in 2026.

    Myth 1: "GDPR Bans Criminal Record Checks"

    The claim:

    "You can't ask about criminal records anymore because GDPR classifies them as special category data, and you need explicit consent, which you can't get from job applicants because of the power imbalance."

    Why employers believe it:

    GDPR does classify criminal conviction data as special category data under Article 10.

    Some training providers oversimplify this to "you can't process special category data without consent."

    Therefore: no criminal checks.

    What's actually true:

    Article 10 UK GDPR permits processing of criminal conviction data when authorised by law or under the control of official authority.

    In the UK, this means:

    DBS checks are explicitly lawful under the Police Act 1997 and the Safeguarding Vulnerable Groups Act 2006. The lawful basis is legal obligation (Article 6(1)(c)) for roles in regulated activity, or legitimate interests (Article 6(1)(f)) for standard or basic checks where proportionate.

    The Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 specifically permits asking about spent convictions for eligible roles.

    You don't need consent.

    You need:

    • A lawful basis (legal obligation or legitimate interests)

    • Proportionality (the check matches the role's risk)

    • Transparency (clear privacy notice explaining the check)

    • Security (proper handling of the certificate)

    Real consequence of this myth:

    According to the Care Quality Commission's January 2026 enforcement data, three care providers received improvement notices for failing to conduct required DBS checks after mistakenly believing GDPR prohibited them.

    The providers thought they were being GDPR-compliant.

    They were actually breaching both CQC regulations and their safeguarding duties.

    Our Understanding DBS Checks (UK) Course (£49) walks through exactly how GDPR applies to DBS checks, with the correct lawful bases and documentation requirements.

    Myth 2: "You Must Get Explicit Consent For All Screening"

    The claim:

    "GDPR requires explicit consent for processing personal data, so you need signed consent forms before doing any background checks."

    Why employers believe it:

    GDPR emphasises consent throughout.

    Article 9 (special category data) mentions "explicit consent" as one condition.

    Therefore: get consent forms signed for everything.

    What's actually true:

    Consent is not the appropriate lawful basis for employment screening in most circumstances.

    Here's why:

    Consent must be freely given. Recital 43 UK GDPR specifically states: "consent is presumed not to be freely given if... it is a precondition of a service."

    A job applicant who must consent to screening to get the job cannot freely refuse consent.

    Therefore, consent is not valid.

    The correct lawful bases for screening:

    Legal obligation (Article 6(1)(c))

    • Right to Work checks (Immigration, Asylum and Nationality Act 2006)

    • DBS checks for regulated activity (Safeguarding Vulnerable Groups Act 2006)

    • Any check required by sector regulation

    Contract (Article 6(1)(b))

    • Checks necessary to enter into the employment contract

    • Verification of qualifications claimed on CV

    • Confirmation of employment dates for reference checks

    Legitimate interests (Article 6(1)(f))

    • Standard or Basic DBS where not legally required but proportionate

    • Credit checks for financial roles (where genuinely relevant)

    • Social media screening (if properly documented)

    You must conduct a Legitimate Interests Assessment (LIA) documenting:

    • Why the check is necessary

    • What less intrusive alternatives you considered

    • Why the check is proportionate to the role

    • How you'll protect the data

    Our Pre-Employment Screening & Vetting Essentials Course (£79) includes LIA templates and real worked examples for different screening types.


    Training Tip from Graham and Vivianne Johnson:

    We've seen employers create elaborate "consent forms" for screening, thinking this protects them under GDPR. It doesn't. If consent isn't freely given, it's not valid consent. And if consent is your only lawful basis but it's invalid, you've just lost your legal grounds for processing. Far better to use the correct lawful basis (usually legal obligation or legitimate interests) and document it properly. That's what survives ICO scrutiny.


    Myth 3: "You Can Only Keep Screening Data For 6 Months"

    The claim:

    "GDPR says you must delete all personal data after 6 months, so you need to destroy all screening files half a year after hiring someone."

    Why employers believe it:

    GDPR Article 5(1)(e) requires data to be "kept for no longer than is necessary."

    Someone decided "necessary" means 6 months.

    Therefore: destroy everything after 6 months.

    What's actually true:

    GDPR doesn't specify timeframes.

    "Necessary" depends on:

    • Your legal obligations

    • Your legitimate business needs

    • The specific type of data

    For screening data, you typically must keep:

    Right to Work documentation: Duration of employment plus 2 years (Home Office requirement under section 15, Immigration, Asylum and Nationality Act 2006)

    DBS certificates: Many employers keep them for the duration of employment, but the DBS advises against keeping the certificate itself. Instead, keep: the date of the check, the certificate number, and the decision made. The ICO accepts this approach.

    BS7858 screening files: Duration of employment plus 6 years after termination (limitation period for employment claims)

    Reference check records: Duration of employment plus 6 years (defence against potential tribunal claims)

    Unsuccessful applicant data: 6-12 months maximum, unless you have a legitimate reason to keep longer (e.g., for defending against discrimination claims)

    The key is documenting your retention schedule with justified timeframes for each data type.
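As an added example (not code from the post or from Vetting Hub), here is the schedule above expressed as a small Python retention check: each data type carries its documented justification, the expiry date is computed from the anchor the post gives (employment end or the record date), and records that are past their period, kept with no documented period, or are DBS certificates held outright are flagged. The 12-month figure for rejected applicants, 365-day years, the `review` handling for documented extensions and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Retention rules keyed by data type: (anchor, days, documented justification).
# "employment_end" rules run from the employment end date; "created" rules run
# from the record date. Years are approximated as 365 days (assumption).
RULES = {
    "right_to_work":      ("employment_end", 2 * 365, "s.15 Immigration, Asylum and Nationality Act 2006"),
    "bs7858_file":        ("employment_end", 6 * 365, "limitation period for employment claims"),
    "reference_check":    ("employment_end", 6 * 365, "defence against tribunal claims"),
    # Post gives 6-12 months; the upper bound is used here (assumption).
    "rejected_applicant": ("created", 365, "defence against discrimination claims, 6-12 months maximum"),
    # The certificate itself should not be kept: only date, number and decision.
    "dbs_certificate":    ("created", 0, "do not retain; keep date of check, certificate number and decision"),
}

@dataclass
class ScreeningRecord:
    record_id: str
    data_type: str
    created: date
    employment_ended: Optional[date] = None  # None: still employed, or never employed
    extended_reason: Optional[str] = None    # documented reason for keeping longer

@dataclass
class Decision:
    record_id: str
    action: str          # "retain", "delete" or "review"
    due: Optional[date]
    justification: str

def assess(record: ScreeningRecord, today: date) -> Decision:
    rule = RULES.get(record.data_type)
    if rule is None:
        # No documented retention period: the failure the post says the ICO fined.
        return Decision(record.record_id, "review", None, "no documented retention period for this data type")
    anchor, days, why = rule
    if anchor == "employment_end":
        if record.employment_ended is None:
            return Decision(record.record_id, "retain", None, "retain for duration of employment; " + why)
        due = record.employment_ended + timedelta(days=days)
    else:
        due = record.created + timedelta(days=days)
    if today < due:
        return Decision(record.record_id, "retain", due, why)
    if record.extended_reason:
        # Past the schedule but with a documented reason: surface for human review, never silent retention.
        return Decision(record.record_id, "review", due, "past schedule; extended because: " + record.extended_reason)
    return Decision(record.record_id, "delete", due, "retention period expired (" + why + ")")

def assess_all(records: List[ScreeningRecord], today: date) -> List[Decision]:
    return [assess(r, today) for r in records]

def overdue_ids(records: List[ScreeningRecord], today: date) -> List[str]:
    return [d.record_id for d in assess_all(records, today) if d.action == "delete"]

# Constructed sample records (not real data) and a fixed reference date.
REFERENCE_DATE = date(2026, 1, 22)
SAMPLE = [
    ScreeningRecord("RTW-001", "right_to_work", date(2019, 3, 1), employment_ended=date(2023, 6, 30)),
    ScreeningRecord("REF-002", "reference_check", date(2019, 3, 1), employment_ended=date(2023, 6, 30)),
    ScreeningRecord("APP-003", "rejected_applicant", date(2021, 1, 15)),  # kept ~5 years, no reason
    ScreeningRecord("APP-004", "rejected_applicant", date(2021, 1, 15), extended_reason="tribunal claim ref [placeholder]"),
    ScreeningRecord("DBS-005", "dbs_certificate", date(2025, 11, 1)),
    ScreeningRecord("SOC-006", "social_media", date(2025, 11, 1)),  # no rule documented
]

if __name__ == "__main__":
    for d in assess_all(SAMPLE, REFERENCE_DATE):
        print(d.record_id, d.action, d.due, d.justification)
```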

    Our GDPR Training Course (£45) covers retention requirements with sector-specific examples and template retention schedules.


    Myth 4: "GDPR Bans Asking About Gaps in Employment History"

    The claim:

    "You can't ask about gaps in employment history anymore because it's discriminatory and violates GDPR privacy rights."

    Why employers believe it:

    Some US employment law advice (not applicable in UK) suggests avoiding gap questions.

    GDPR emphasises "data minimisation" — only collecting necessary data.

    Therefore: don't ask about gaps.

    What's actually true:

    Asking about employment gaps is completely lawful under GDPR and essential for proper screening.

    Here's why:

    BS7858 requires it: Section 5.3.1 of BS7858:2019 requires verification of a continuous five-year activity history, including employment, education, and unemployment periods.

    Any gaps must be accounted for and verified.

    GDPR permits it: Your lawful basis is legitimate interests (or contract if BS7858 is contractually required).

    The necessity is clear: unverified gaps could conceal disqualifying information.

    What you cannot do:

    • Assume gaps indicate wrongdoing

    • Reject candidates solely for having gaps

    • Fail to give candidates opportunity to explain gaps

    • Use gaps as proxy discrimination (e.g., assuming maternity leave = poor commitment)

    What you must do:

    • Ask about all gaps over 28 days

    • Request explanation and verification

    • Assess gaps individually based on role requirements

    • Document your assessment

    According to the SIA's January 2026 enforcement report, three security companies were fined a combined £45,000 for screening failures.

    The common factor? All three had unverified gaps in employee histories ranging from 6 months to 3 years.

    The companies weren't checking gaps because someone told them "GDPR doesn't allow it."

    Wrong.

    BS7858 requires it. GDPR permits it. The SIA enforces it.

    Our BS7858 Screening Standard Course (£85) walks through exactly how to verify employment history and handle gaps compliantly.

    Myth 5: "You Must Delete Candidate CVs Immediately After Rejection"

    The claim:

    "GDPR requires you to delete unsuccessful candidates' data as soon as you reject them, so you must delete CVs and applications immediately."

    Why employers believe it:

    Article 5(1)(e) — storage limitation principle.

    Data must not be kept longer than necessary.

    Job application unsuccessful = data no longer necessary = immediate deletion.

    What's actually true:

    You can retain unsuccessful candidate data for a reasonable period if you have a legitimate reason.

    Legitimate reasons include:

    Defence against discrimination claims: Employment Tribunal claims can be brought up to 3 months after rejection (or later if early conciliation extends the deadline).

    Keeping applications for 6-12 months provides evidence of fair recruitment processes.

    Talent pipeline: If the candidate agreed (genuinely, not as condition of application), you can keep their data for future suitable roles.

    This requires:

    • Clear opt-in during application

    • Separate from the job application itself

    • Easy opt-out at any time

    • Regular review (e.g., annually ask if they want to remain in pipeline)

    What you must do:

    • Set and document a retention period (typically 6-12 months for rejected candidates)

    • Include this in your privacy notice

    • Actually delete data when the period expires

    • Provide easy way for candidates to request earlier deletion

    The ICO's 2025 enforcement data shows fines weren't issued for keeping candidate data for 6-12 months.

    Fines were issued for:

    • Keeping data indefinitely with no documented retention period

    • Failing to delete when retention period expired

    • No process for candidates to request deletion

    • Incomplete privacy notices that didn't explain retention

    In our complete guide to employee screening and vetting training in the UK, we covered the foundation of UK screening requirements and how GDPR integrates with operational needs.


    Myth 6: "GDPR Prevents Using Third-Party Screening Providers"

    The claim:

    "GDPR makes you responsible for everything processors do, and the fines are huge, so it's safer to do all screening in-house rather than use screening companies."

    Why employers believe it:

    Articles 28 and 82 make controllers liable for processor failures.

    Recent ICO fines like Capita (£14 million, October 2025) involved processor security breaches.

    Therefore: don't use processors.

    What's actually true:

    Using processors is completely compliant under GDPR if done correctly.

    What GDPR actually requires:

    Article 28 processor requirements:

    • Written contract (Data Processing Agreement)

    • Processor must only act on documented instructions

    • Processor must implement appropriate security measures

    • Processor must assist with data subject requests

    • Processor must notify you of breaches

    • Processor must delete/return data at end of contract

    Your due diligence obligations:

    • Check processor's security measures before appointing them

    • Review their data protection policies

    • Ensure they have appropriate insurance

    • Monitor their performance

    • Conduct periodic audits

    The Capita fine wasn't about using a processor.

    It was about Capita's own security failures as a processor handling 6.6 million records.

    The organisations using Capita weren't fined (assuming they'd done proper due diligence when appointing Capita).

    Using screening providers is often MORE compliant because:

    • Specialist providers have dedicated GDPR expertise

    • Better security infrastructure than most employers

    • Professional indemnity insurance

    • Established processes for data subject requests

    • Regular audits and certifications

    The risk isn't using providers.

    The risk is using providers without proper contracts and due diligence.

    Our Creating a Screening Policy & Framework Course (£89) includes DPA templates and processor due diligence checklists.

    Myth 7: "Small Employers Don't Need To Worry About GDPR"

    The claim:

    "GDPR only applies to big companies processing lots of data. We're a small business with 15 employees, so GDPR doesn't really apply to us."

    Why employers believe it:

    GDPR exempts small organisations from some requirements (like Data Protection Impact Assessments for low-risk processing).

    Some small employers extrapolate this to "GDPR doesn't apply."

    What's actually true:

    GDPR applies to all organisations processing personal data, regardless of size.

    Small employer exemptions are narrow:

    You don't need a Data Protection Officer (DPO) unless:

    • You're a public authority, or

    • Your core activities involve large-scale systematic monitoring, or

    • Your core activities involve large-scale special category data processing

    Most small employers don't need a DPO.

    You don't need a Data Protection Impact Assessment (DPIA) for low-risk, small-scale processing.

    But you still must:

    • Have lawful basis for all processing

    • Provide privacy notices

    • Implement appropriate security

    • Handle data subject requests

    • Report breaches to ICO (if high risk)

    • Keep basic records of processing

    • Respect data minimisation and retention limits

    The ICO doesn't fine based on size — they fine based on breach severity.

    The ICO's 2025 enforcement data shows fines ranging from £30,000 (small data breach by SME) to £14 million (Capita breach affecting 6.6 million records).

    Small organisations received fines for:

    • No privacy notice on recruitment page (£30,000)

    • Sending candidate data to wrong email address (£45,000)

    • Keeping rejected applications for 5 years with no documented reason (£60,000)

    These weren't big companies.

    These were SMEs who thought "GDPR doesn't really apply to us."

    In our guide to bringing BS7858 screening in-house for the security industry, we covered the cost savings of in-house screening whilst maintaining GDPR compliance.


    Training Tip from Graham and Vivianne Johnson:

    The ICO's fining strategy changed dramatically in 2025. The average fine jumped from £150,000 to £2.8 million. But here's what most employers miss: the ICO reduces fines significantly for organisations that can demonstrate they've implemented proper processes, even if something went wrong. One company's fine was reduced from £400,000 to £120,000 because they showed documented policies, staff training records, and evidence they'd tried to prevent the breach. Having proper GDPR processes isn't just about compliance — it's about limiting liability when things go wrong.


    How To Actually Be GDPR Compliant in Screening (2026)

    Forget the myths.

    Here's what GDPR-compliant screening actually looks like:

    Before screening:

    1. Document your lawful basis for each check type (legal obligation, contract, or legitimate interests)

    2. Provide clear privacy notice explaining what checks you'll do, why, and how long you'll keep data

    3. Conduct Legitimate Interests Assessment for any checks relying on Article 6(1)(f)

    During screening:

    1. Collect only necessary data — don't ask for information you don't need

    2. Use secure systems — encrypted storage, access controls, audit trails

    3. Have Data Processing Agreements with any screening providers

    4. Keep audit trail of what checks you conducted and when

    After screening:

    1. Set retention periods for different data types and document them

    2. Actually delete data when retention periods expire

    3. Handle data subject requests within statutory timeframes (1 month)

    4. Train your team on GDPR requirements and your processes

    5. Review annually — GDPR compliance isn't one-and-done

    When something goes wrong:

    1. Report breaches to ICO within 72 hours if high risk to individuals

    2. Document what happened and what you did to fix it

    3. Update processes to prevent recurrence

    That's it.

    Not rocket science.

    Not impossible for small organisations.

    Just proper processes, documented decisions, and consistent implementation.

    The Real Cost of GDPR Myths

    We started with that care company that stopped all DBS checks for three months.

    Here's what it cost them:

    £78,000 in delayed hiring (vacant regulated activity roles unfilled)

    CQC improvement notice for failing to meet fundamental standards

    Investigation by local safeguarding board after a disclosure that should have been caught

    Reputational damage — story reached local press as "care home stops safeguarding checks"

    All because someone told them "GDPR bans criminal checks."

    After running screening companies since 2006, we've seen this pattern repeatedly:

    Employers hear a scary myth about GDPR → They overcorrect or abandon essential screening → They create new compliance problems → They face regulatory action or operational failure → They finally learn what GDPR actually requires

    Skip straight to the last step.

    Learn what GDPR actually requires.

    Additional resources:

    Or explore our GDPR Compliance, Policies & Incident Response Course Bundle for comprehensive coverage.


    The Bottom Line

    GDPR doesn't ban effective employee screening.

    It requires documented, proportionate, secure employee screening.

    There's a difference.

    Understanding that difference is worth:

    • Avoiding ICO fines (averaging £2.8 million in 2025)

    • Maintaining essential compliance (DBS, Right to Work, BS7858)

    • Operating efficiently (not abandoning necessary checks because of myths)

    • Sleeping properly (knowing your processes actually work)

    The seven myths we've covered aren't edge cases.

    They're beliefs we encounter weekly from otherwise competent HR professionals and compliance teams.

    Which means they're probably circulating in your sector too.

    Share this with your team.

    Send it to your HR department.

    Forward it to that person who keeps saying "we can't do that because of GDPR."

    Because in 2026, with the ICO issuing record fines and taking a harder line on systematic failures, understanding what GDPR actually requires isn't optional anymore.

    It's the difference between compliant screening and expensive regulatory action.

    Further reading:
