A new hire accepts your offer on Friday. They start on Monday. Somewhere between the excitement of filling the role and the scramble to set up a laptop and desk, someone remembers: "Have we done the right to work check?"
The answer, more often than most businesses would admit, is no. Not yet. It is on the list. It will get done during the first week. Probably.
This is how the majority of UK employers handle compliance during onboarding. The important things — the legally required things — are treated as administrative tasks to be completed alongside setting up email accounts and ordering business cards. Compliance sits at the end of the onboarding process, as a box to tick once the person is already working.
The problem is straightforward: if you discover a compliance issue after someone has started, you have already committed the offence. A right to work check done on day three does not provide a statutory excuse for days one and two. A DBS check that comes back unsatisfactory after the employee has had two weeks of unsupervised access to vulnerable people does not undo those two weeks.
Compliance at the end is risk at the start. Here is how to reverse it.
Why most onboarding processes are backwards
The typical onboarding sequence looks something like this:
- Offer accepted
- Start date confirmed
- IT setup, desk allocation, team introductions
- First day: welcome pack, office tour, meet the team
- First week: HR paperwork, including right to work check, contract signing, pension enrolment
- First month: probation review, training completion
Notice where compliance sits: steps 5 and 6. By the time you are checking whether this person has the legal right to work for you, they have already been working for you. By the time their DBS check clears, they may have already been in contact with vulnerable clients or sensitive data.
This is not a theoretical risk. The civil penalty for employing an illegal worker is up to £45,000 for a first offence and £60,000 for repeat offences. With the Fair Work Agency now operational with walk-in audit powers, the enforcement probability has increased across every sector and company size.
The compliance-first checklist
The principle is simple: nothing that is legally required should happen after the start date. Everything below should be completed and documented before the new hire's first working day.
Phase 1: Pre-offer (during recruitment)
Right to work pre-screening. Before you invest interview time, establish whether the candidate has the right to work in the UK and, if so, on what basis. This is not about discrimination — it is about understanding whether you can legally employ this person and what, if any, sponsorship requirements exist.
- Ask the right to work question at application stage
- For roles requiring sponsorship: confirm you hold an appropriate sponsor licence and have available Certificates of Sponsorship
- Document the response for your records
Role-specific requirements check. Identify upfront what compliance checks this specific role requires:
- Does the role require a DBS check? At what level (basic, standard, enhanced, enhanced with barred list)?
- Does the role require professional registration (NMC, GMC, SRA, etc.)?
- Does the role require specific qualifications or certifications?
- Does the role involve regulated activity with children or vulnerable adults?
Phase 2: Post-offer, pre-start (the critical window)
This is where compliance-first onboarding diverges from the standard approach. Everything in this phase must be completed before the start date. If it cannot be completed in time, the start date moves.
Right to work check. Conduct the full, compliant right to work check appropriate to the worker's nationality and document type:
- British/Irish passport holders: Manual inspection of original document OR digital check via certified IDSP
- Non-UK/Irish nationals with share code: Online verification via the Home Office checking service
- Non-UK/Irish nationals with physical documents only: Manual inspection of original documents in person
Record the date of check, method used, documents inspected, reference numbers, expiry dates (if time-limited), and who conducted the check. Retain copies as required. This creates your audit trail.
If the worker has time-limited right to work, set an expiry reminder immediately. Do not wait until the "onboarding is complete" to set up monitoring.
DBS check (where required). For roles that require criminal record checks, the DBS application should be submitted as early as possible after the offer is accepted. Processing times vary, but standard and enhanced checks typically take two to four weeks.
For roles involving regulated activity: do not allow the person to start unsupervised until the DBS is returned. If timing is tight, consider a risk assessment for supervised start while the check is pending — but document your reasoning and the supervision arrangements.
Professional registration verification. For regulated professions, verify registration status directly with the relevant body. Do not rely on the candidate's assertion. Check:
- NMC register for nurses and midwives
- GMC register for doctors
- SRA register for solicitors
- Other professional bodies as applicable
References. Obtain and verify at least two references, including the most recent employer. For roles in care and education, satisfactory references before start date are typically a regulatory requirement, not just good practice.
Contract and terms. Issue the contract and written particulars of employment. Under the Employment Rights Act 1996, employees are entitled to a written statement of terms on or before their first day. This is a legal requirement, not an administrative preference.
Phase 3: Day one (the start date)
If Phase 2 was completed properly, day one should be free of compliance anxiety. The legally required checks are done. The start date is clean. Now you can focus on what day one should actually be about: setting the person up for success.
GDPR data handling. Provide the privacy notice explaining how employee data will be processed, stored, and protected. Obtain any required consents. This is legally required under UK GDPR and should happen before you start collecting and processing any employee data beyond what was needed for recruitment.
Health and safety induction. Brief on fire evacuation procedures, first aid arrangements, and any role-specific health and safety requirements. This is a legal duty under the Health and Safety at Work Act 1974, not an optional extra.
IT and access provisioning. Now — not before the compliance checks are done — the new hire gets their email, system access, building pass, and equipment. The principle: access follows verification, not the other way around.
Team introduction and orientation. The welcome. The desk tour. The lunch plans. All the things that make a first day good. They happen after compliance, not instead of it.
Phase 4: First month (ongoing compliance)
Probation milestones. Set clear expectations and review points. Document these from the start.
Training completion. Mandatory training — data protection, health and safety, safeguarding (where applicable), anti-bribery — should be completed and recorded within the first month. Create a training record that captures what was completed, when, and by whom.
Compliance record consolidation. By the end of month one, the employee's compliance file should be complete and centralised:
- Right to work check record (with copies and expiry tracking if time-limited)
- DBS certificate reference number and date
- Professional registration confirmation
- Signed contract
- Completed training records
- References received
- GDPR privacy notice acknowledged
This file should be instantly accessible. When the Fair Work Agency conducts an unannounced visit, you need to produce it within minutes.
The cost of getting it backwards
The financial penalties for right to work failures are well documented. But the operational cost of backwards onboarding goes beyond fines.
Wasted investment. You spend two weeks onboarding someone, assign them to a team, begin training — then discover their visa doesn't cover the work they are doing. You have invested salary, management time, and opportunity cost into someone you now cannot legally employ.
Disruption. The team has started to plan around the new hire. Projects have been assigned. Clients have been introduced. Unwinding all of that is expensive and disruptive.
Reputational risk. In sectors like care and education, a compliance failure during onboarding can trigger regulatory scrutiny that extends well beyond the individual case. CQC, Ofsted, and other regulators view onboarding compliance failures as systemic indicators — if you got this one wrong, what else are you missing?
Legal exposure. Beyond the civil penalty, there is personal liability for directors and officers who knew or ought to have known about the failure. And there is the cost of defending the action, even if you ultimately avoid the maximum fine.
Making it work in practice
The objection to compliance-first onboarding is always the same: "We can't delay start dates. The business needs people now."
The answer is to build compliance into the recruitment timeline, not to bolt it on at the end. If your recruitment process takes three weeks from first interview to offer, add one more week for compliance completion before start date. Communicate the timeline to candidates upfront. Most will understand — and those who object to basic legal checks may not be candidates you want anyway.
For high-volume or time-sensitive hiring, technology changes the equation. Digital right to work checks can be completed in hours, not weeks. Automated document collection means the candidate uploads their documents from their phone, and verification happens in the background while you are sorting out their desk.
Certifyd's Right to Work Portal moves compliance checks to the earliest possible stage — candidates receive a verification link, upload their documents, and compliance status is confirmed before they ever set foot in your office. Automated, auditable, and built for the pace that real hiring demands.