Bringing Cybersecurity and Data Protection Experts to the UK & Data protection concerns for Business Immigration

Mohammad Chaudhry
Mohammad Chaudhry

Published: February 29th, 2024

7 min read

Given the current digital landscape, the demand for skilled professionals in cyber security and data protection has sky rocketed. Securing the right talent is crucial for safeguarding sensitive information and maintaining the integrity of digital assets. The skilled worker route provides an avenue for companies to attract top tier cyber security and data protection experts from around the globe.

Skilled Worker Visa:

To sponsor a skilled worker, a business must obtain a Sponsor licence, enabling them to assign a certificate of sponsorship (COS). The COS is then used by the Skilled worker when applying to the Home Office for their visa. The certificate of sponsorship must be issued by the employer no more than three months before the date of their application. The employer is required to pay an immigration skills charge and COS fee. Employing an overseas worker without the necessary licence results in a breach of immigration rules and right to work legislation, and you may be fined and prosecuted.

Employers must ensure that the role for which they are recruiting is sufficiently skilled (at or above RQF Level 3). This means checking that the job corresponds with one of the eligible "standard occupation codes (SOC)". The salary which is being offered must at least be at the minimum level of £26,200 per anum unless it is in a shortage occupations list.

Businesses looking to hire overseas workers must navigate a complex landscape of data protection and cyber security challenges. From conducting right to work checks, to collaborating with immigrations advisors, employers must process, retain, and send sensitive information whilst also ensuring compliance with data protection polices and regulations.

Right to work checks:

One crucial step in hiring overseas workers is the right to work check, a process that involves verifying an individual's eligibility to work in the UK. Employers must have to copy and keep the sensitive information, for the duration of the workers employment and for two years after. The processing of sensitive information in this circumstance is not against the UK GDPR as it is necessary for compliance with a legal obligation (Article 6 UK GDPR).

Data required for Right to Work checks, such as passports, visas and birth certificates, are classed as "special category data". Special category data is personal data which the UK GDPR says is more sensitive, and as such requires more protection. This data, to comply with the UK GDPR, must be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Kept for no longer than is necessary for the purposes for which the personal data is being processed.

Data storage methods

  • Your company should implement appropriate security measures, including encryption, password protection, access control and regular security audits.
  • Minimise the amount of data retained to the essentials required for compliance - redacting irrelevant information and avoiding storing the data longer than necessary.
  • Manual paper-based storage systems, i.e., filing cabinets, with minimal restrictions are at risk. Ensure they are locked up, with only those necessary having access to it.
  • It is also important to have a plan on how you will respond to data leaks.

Data deletion

Organisations have a legal obligation to store right to work checks for two years once an employee has left the business. Consideration must be given as to how this data is controlled and audited. Data/paperwork must be confidentially exposed of at the end of the required period.

Privacy Notice:

If you are employing an overseas worker, it may be necessary to provide a comprehensive privacy notice detailing how and why their data is processed, the duration of retention, and any third-party collaborations, such as immigration advisors.


Ensuring compliance with data protection policies and regulations, implementing robust data storage methods, and establishing clear protocols for data deletion are crucial steps in safeguarding the privacy of individuals involved in the hiring process. As businesses venture into the global talent market, prioritising these measures not only facilitates legal compliance, but also builds trust and credibility in an environment where data protection is paramount.

How can we help?

Complete the form opposite, let us know a few details, and one of our team will get back to you shortly. Or you can call us or request a callback.

0800 689 3206 - Monday - Friday: 09:00 - 17:00

Request a call back

By submitting your enquiry you agree that Forbes can contact you.

© 2024 Forbes Solicitors is the trading name of Forbes Solicitors LLP Offices in Preston, Manchester, Salford, Blackburn, Blackpool, London and Leeds UK Main Office: Rutherford House, 4 Wellington Street (St Johns), Blackburn, Lancashire, BB1 8DD • Vat No: 174 394 344 Forbes Solicitors is authorised and regulated by the Solicitors Regulation Authority (SRA No. 816356). Details of the SRA’s Standards and Regulations can be found here. Authorised and regulated by the Financial Conduct Authority.

This website has implemented reCAPTCHA v3 and your use of reCAPTCHA v3 is subject to the Google Privacy Policy and Terms of Use.