The General Data Protection Regulation, usually abbreviated to GDPR, was introduced across Europe in May 2018. Even though the UK had already voted to leave the EU at that point, the GDPR rules still apply. Most businesses are up to speed already with their GDPR responsibilities, but some are still lacking. However, ignoring GDPR legislation could result in huge fines, so it’s a risky practice. Whether you’re involved in disclosure checks as an applicant or as someone processing the checks, here are the basics of what you need to know.
There are core principles which underpin GDPR legislation, whatever type of data is being processed. These are all about the way companies obtain, store and dispose of your personal information. When it comes to DBS checks, this can be broken down further into three stages: application, storage and disposal.
If you’re applying for your DBS check online, then you will have to set up a secure username and password to access the site. This ensures that only you can access the form while you’re completing it, and only you can log back into the site to see how the application is progressing. Another important part of the application stage is verifying your identity, by taking an original passport, driving licence or utility bill to your employer. They will return the original documents to you but may take copies.
The GDPR legislation is also clear about how important it is to store information properly and safely. This doesn’t just cover disclosure check information, but also other data such as addresses, bank account details or employee sickness records. The GDPR doesn’t define what “secure” means, however. A smaller company without computerised records might define secure as locked away in a filing cabinet in the boss’s office. Other companies might scan everything into a computer system; in those cases secure would mean password-protecting areas of the system and putting controls in place to make sure unauthorised people can’t get access to it.
The GDPR rules also state that companies can’t hold on to information about you for longer than is necessary. In terms of your disclosure certificate, this usually means that you will be allowed to keep the original, rather than handing it over to your employer. Most will have a process whereby they just tick to say they’ve seen it, or some other way of recording what the certificate showed. If you leave your position, then the organisation has a responsibility to delete all of your personal information, or shred it, within a reasonable period of time, usually six months.
Penalties for Non-Compliance
If you’re not happy with the way your employer is storing your data, then you have the right to report them over it. However, this is probably not the best tactic should you wish to keep your job. Report in the first instance to whoever in the organisation has responsibility for GDPR and advise that you are aware of the need for secure storage. Fines under GDPR can be up to 10 million euros.