Due Diligence Now Includes Digital Behaviour

The Rise of Social Media Screening in Compliance

Stephen James

CEO & Co-Founder, BA (Hons), QTS, FRSA — Hermes Digital

In 2018, a major UK financial institution withdrew a senior appointment after a pre-employment digital screening revealed a pattern of social media activity that was incompatible with the institution's regulatory obligations. The candidate's qualifications were impeccable. Their professional references were strong. Their financial and criminal background checks were clear. The digital screening identified what every other diligence process missed — because no other process was designed to look.

The incident was not an anomaly. It was an early indicator of a structural shift in how organisations assess risk associated with individuals. Due diligence — historically confined to financial records, criminal databases, directorship searches, and personal references — now includes digital behaviour. And the organisations that have not adapted their diligence processes to include this dimension are operating with a gap in their risk assessment that grows more consequential with every passing year.

The Compliance Rationale

The integration of digital behaviour into due diligence is not driven by curiosity. It is driven by compliance obligation.

UK employers, particularly those in regulated sectors, have a legal duty to assess the fitness and propriety of individuals in positions of influence. The Financial Conduct Authority's Senior Managers and Certification Regime requires firms to certify that individuals performing senior management functions are fit and proper — a determination that encompasses honesty, integrity, and reputation. The Prudential Regulation Authority applies equivalent standards.

These determinations cannot be made comprehensively without reference to digital behaviour. An individual's social media activity, public commentary, professional associations, and digital conduct provide evidence relevant to fitness and propriety that is unavailable through any other diligence channel. The regulator has not yet mandated digital screening explicitly, but the direction of regulatory expectation is clear: the firm that fails to identify a fitness issue that was discoverable through reasonable diligence will be held accountable for the omission.

Beyond financial services, the Equality Act 2010, the UK GDPR, and employment law create a framework in which an employer's failure to identify discriminatory, harassing, or otherwise problematic behaviour by a candidate — behaviour that was publicly available on social media — creates legal exposure. The defence that "we did not look" is increasingly untenable in a regulatory environment that expects organisations to exercise reasonable care in their appointment processes.

What Digital Screening Reveals

Digital screening identifies categories of risk that are invisible to traditional due diligence.

Behavioural patterns. A candidate's social media activity over time reveals patterns of behaviour — temperament, judgement, professional conduct — that a curated CV and a structured interview are designed to conceal. Aggressive or confrontational online interactions, discriminatory commentary, or evidence of poor professional judgement provide data points that are relevant to the appointment decision and unavailable through any other means.

Association risk. The professional and personal networks visible through digital platforms reveal associations that may create compliance, reputational, or operational risk. A candidate connected to individuals under regulatory investigation, associated with organisations on sanctions lists, or linked to entities with adverse reputational histories presents risks that emerge only through digital analysis.

Consistency of representation. Discrepancies between the information a candidate presents in their application and the information available in their digital footprint — different employment dates, omitted roles, exaggerated qualifications, undisclosed directorships — are identifiable through systematic digital screening and frequently invisible to traditional reference-based processes.

Historical conduct. Archived content — deleted social media posts recoverable through web archives, historical forum activity, cached professional profiles — reveals conduct that the candidate may have believed was no longer accessible. The digital record is more permanent than most individuals assume, and more discoverable than most diligence processes are designed to find.

The Methodology Question

The value of digital screening is a function of the methodology applied. Automated keyword-based screening — the approach employed by most bulk-processing services — identifies surface-level issues through algorithmic pattern matching. It flags profanity, identifies explicit content, and categorises posts by topic. It does not interpret context, assess judgement, or evaluate the significance of what it finds.

The limitations of automated screening are significant. Irony is indistinguishable from sincerity. Professional commentary on a sensitive topic is indistinguishable from personal endorsement. A post sharing a news article about extremism is flagged identically to a post endorsing extremism. The false positive rate of keyword-based screening degrades trust in the process and creates legal risk in the assessment.

Human-reviewed digital screening addresses these limitations by applying analytical judgement to the data that automated tools collect. The human analyst interprets context, distinguishes commentary from conduct, evaluates patterns rather than isolated incidents, and produces assessments that reflect the nuance the compliance decision requires.

The distinction matters legally as well as practically. The UK GDPR and the Data Protection Act 2018 require that decisions with significant consequences for individuals are not based solely on automated processing. Digital screening that informs employment or appointment decisions must incorporate meaningful human review to satisfy this requirement.

The Candidate's Position

The rise of digital screening in compliance creates obligations in both directions. Organisations have a duty to conduct reasonable diligence. Individuals have an interest in ensuring their digital footprint reflects the professional standing they wish to present.

The executive who has never audited their own digital footprint — who does not know what a comprehensive search of their name, their email addresses, their username history, and their platform activity would reveal — is operating with an exposure they have chosen not to measure. The exposure does not diminish through ignorance. It persists until it is discovered — by an employer, a regulator, a journalist, or an adversary.

A self-screening exercise — conducted before the external diligence process, by a service with the methodology to identify what an adversary or a compliance officer would find — converts an unknown vulnerability into a manageable one. The content that cannot be removed can be contextualised. The content that can be removed should be. The content that does not yet exist can be governed to ensure it does not create future exposure.

The choice is not whether your digital behaviour will be evaluated. It is whether you will evaluate it first.

Digital screening is evolving from precaution to procedure.