A managing director at a ten-person professional services firm posts a coordinator role. One hundred and sixty applications arrive in three days. Her operations lead runs them through the AI screening feature built into their hiring platform. A shortlist of twelve comes back by end of day. The panel interviews from that list, makes an offer, and the process wraps up cleaner than it ever has before. The ICO would call it automated decision-making. Without specific safeguards in place, it is likely non-compliant with UK GDPR. The fact that humans conducted the interviews does not, by itself, change that.
What does the ICO’s AI recruitment guidance actually cover?
The ICO published two significant pieces of guidance on AI in recruitment. Its November 2024 audit of AI sourcing, screening, and selection tools used across the UK produced 296 recommendations and 42 advisory notes to providers. The March 2026 “Recruitment Rewired” report, drawing on evidence from over 30 UK employers, then identified where current hiring practice may already be falling short of UK GDPR’s automated decision-making rules.
The central issue is automated decision-making (ADM): any process where an algorithm decides the outcome for a candidate without genuine human involvement. Under UK GDPR, if a decision has legal or similarly significant effects on an individual and is made solely by an algorithm, specific rights and safeguards apply. Rejecting a candidate at screening stage clearly qualifies as a decision with significant effects.
The ICO’s finding, confirmed in both the 2024 audit and the 2026 guidance, is that many employers using AI for CV filtering, suitability scoring, or automated video analysis do not recognise they are in ADM territory. They see the tool as “just a filter” or “decision support”. The regulator’s position is that if a hiring manager only sees the AI-produced shortlist and cannot realistically look beyond it or override the system, the decision is functionally automated, regardless of what the vendor’s materials call it.
Why should a small services firm care about this?
UK employers are the data controller for their recruitment processes. Compliance responsibility sits with the firm, not the AI vendor. The ICO’s 2024 audits found multiple gaps per tool even among established providers, so assuming vendor compliance as a default is not safe. If a candidate challenges a decision and the ICO investigates, it will look to the employer first.
The enforcement signal has been unusually explicit. The ICO’s AI and biometrics strategy, updated in June 2025, names automated decision-making in recruitment as a priority regulatory focus. Law firm commentary from DLA Piper and Keystone Law reads this as a clear indication that non-compliant employers face elevated enforcement risk. The ICO has levied over £3.7 million in data protection enforcement across sectors; it has demonstrated both the appetite and the authority to pursue cases.
For a small services firm, the practical risk extends beyond financial penalties. A candidate rejected through an AI process, who then discovers they had no right to request human review and no way to challenge the outcome, can bring a complaint to the ICO. That complaint triggers an investigation. The administrative burden of responding to an investigation, and the reputational exposure if findings are published, is significant before any fine is considered.
Where in your hiring process does this apply?
The ICO’s rules on automated decision-making are triggered by decisions with legal or similarly significant effects on individuals. Rejecting a job applicant qualifies. The ICO identifies several typical points where AI tips hiring into ADM territory: filtering CVs before a human reviews them, ranking candidates by automated scoring, and using AI-analysed video interviews to decide who progresses to the next stage.
The less obvious trigger is the one the ICO warns about most directly in its guidance: AI tools that technically produce a “list” rather than a “decision”, but where hiring managers in practice work exclusively from that list. LinkedIn Talent Solutions, Indeed’s sourcing features, and talent-pooling tools such as Beamery all provide AI-ranked candidate outputs. If your manager never reviews applicants outside the tier the AI surfaced, the process is functionally automated, whatever the marketing materials call it.
Professional services and financial advisory firms using AI to handle large graduate intakes, and contact-centre employers using gamified psychometric assessments scored by AI to determine shortlists, are cited in ICO and DLA Piper commentary as structurally at risk. Models trained on historical hiring data can encode past patterns, including a tilt towards particular universities or demographic groups. That creates a bias risk alongside the ADM compliance issue.
When do you need to act, and when can you wait?
The ICO’s March 2026 draft guidance presents two options for employers. Acknowledge that you are using solely automated decisions in parts of your process and implement the full ADM safeguard package, or redesign the process to ensure meaningful human involvement at every step. For SMEs with lean HR teams, the first option is often more practical.
The full ADM safeguard package includes being transparent with candidates about the use of AI, providing a right to request human review of any automated decision, maintaining a genuine process to consider and potentially reverse outcomes, completing a recruitment-specific Data Protection Impact Assessment (DPIA), and carrying out ongoing bias monitoring by protected characteristic. None of these is trivially small, but each is achievable for a firm of any size.
The second option, ensuring meaningful human involvement for every candidate, is what the ICO describes as a high bar. Human reviewers need time, information, and real authority to interrogate and depart from AI outputs. For a three-person operations team processing three hundred applications, meeting that standard consistently is difficult to sustain.
The timing question is shaped by two regulatory developments. The Data (Use and Access) Act 2025, in force from February 2026, replaced the previous near-blanket restriction on automated decisions in UK GDPR with a right to challenge backed by safeguards. That gives employers more operational flexibility than before. It also makes the transparency and challenge obligations more explicit, not less.
From August 2026, the EU AI Act classifies AI recruitment tools as high-risk systems requiring risk management, transparency, and human oversight controls. UK firms that screen candidates based in EU countries, or that operate in EU markets, will need to comply with those obligations alongside UK GDPR and the DUAA. UK-only firms hiring domestically may have more runway, but the regulatory direction is clear.
What else comes with the territory: DPIAs, vendor due diligence, and special category data?
Three supporting obligations tend to catch employers by surprise once they acknowledge they are in ADM territory: the Data Protection Impact Assessment, vendor due diligence, and the question of special category data. Each carries its own ICO expectations and documentation requirements. Getting the ADM decision right without addressing these three leaves compliance gaps that can surface separately in an investigation.
On DPIAs: a Data Protection Impact Assessment is legally required under UK GDPR wherever AI tools are used for systematic and extensive evaluation of individuals, which covers algorithmic scoring in recruitment. The ICO’s 2024 audit found that many DPIAs reviewed were too generic, missing specifics on model logic, data sources, fairness risks, and mitigation steps. A generic risk form will not pass scrutiny. You need one specific to the tool, the role, and the applicant population.
On vendor due diligence: the UK government’s Responsible AI in Recruitment guidance and multiple law firm briefings converge on the same set of questions to ask before you sign up. Request evidence of bias testing by protected characteristic, including methodology and frequency. Ask what training data were used and how representativeness was assessed. Require documentation on what the model is and is not designed to predict. Insist on override mechanisms so human reviewers can understand what drove a candidate’s score.
On special category data: the DUAA now allows legitimate interests as a lawful basis for automated decisions in many recruitment contexts. For decisions involving special category data, including health conditions or ethnicity that might be inferred from application materials, the stricter pre-DUAA rules still apply. Check what data your tool is ingesting before assuming the more flexible basis applies to your process.
If you are using AI tools in hiring and have not worked through these three questions yet, that is where to start. The ICO is not waiting for the technology to mature before it expects employers to have answers.