In today’s data-driven world, employers must balance the need to vet staff through background checks with the responsibility of handling personal data lawfully. GDPR and DBS checks go hand in hand—when employers request a Disclosure and Barring Service (DBS) check, they must also ensure they comply with the UK General Data Protection Regulation (UK GDPR). Understanding how to legally process this information is essential for maintaining trust, transparency, and compliance.
What Personal Data Is Involved in a DBS Check?
A DBS check involves gathering and processing a range of sensitive personal information, including:
- Full name and date of birth
- Address history
- National Insurance number
- Convictions, cautions, reprimands or warnings
- Whether an individual is barred from working with vulnerable groups (for Enhanced Checks)
Because this data is classed as “special category data” under the UK GDPR, it requires extra protection and must be processed with a clear legal basis.
The Legal Basis for Processing DBS Data
Under Article 6 of the UK GDPR, employers must identify a lawful basis for processing personal data. For DBS checks, the most common lawful bases include:
- Legal obligation – If a DBS check is legally required for a specific role (e.g., teachers, care workers).
- Legitimate interests – For roles where safeguarding isn’t legally required but may be deemed necessary for risk management.
In addition, since DBS data qualifies as special category data, employers must meet a condition under Article 9—typically employment, social security and social protection law.
Consent Isn’t Always Required
Many employers believe they need the applicant’s consent to carry out a DBS check. However, under UK GDPR, consent isn’t always the best option—especially if the check is a condition of employment. Consent must be freely given and can be withdrawn at any time, which may not offer employers the protection they expect. Instead, relying on legal obligation or legitimate interest is more appropriate.
Storing and Retaining DBS Data
Employers should only keep DBS certificates or related information for as long as necessary. The DBS Code of Practice recommends storing such data for no more than six months. During this time, it must be securely stored—preferably in a locked cabinet or encrypted digital system—and access should be limited to authorised personnel only.
After the retention period, any physical or digital copies should be securely destroyed.
Transparency and Privacy Notices
Before collecting DBS data, employers must provide a privacy notice that explains:
- Why the information is being collected
- How it will be used and stored
- Who it will be shared with
- How long it will be retained
Being transparent builds trust with employees and job applicants and ensures that your organisation remains GDPR-compliant.
Conclusion
GDPR and DBS checks are closely linked when it comes to legal compliance in the hiring process. Employers must treat sensitive data with care, ensuring that they have a lawful basis for processing, store data securely, and respect privacy rights at all times. By staying informed and compliant, businesses protect both their staff and their reputation.