How to use AI in recruitment without breaking UK law
AI in hiring is legal in the UK, but UK GDPR and the Equality Act 2010 both apply and the employer carries the liability. This guide covers what the ICO found when it audited AI recruitment tools, what changed under the Data (Use and Access) Act 2025, which tasks are safe to automate first, and the questions to put to any vendor.
Using AI in recruitment is legal in the UK, but two sets of rules decide whether your setup is compliant. UK GDPR, as amended by the Data (Use and Access) Act 2025, governs how you process candidate data and what safeguards apply when software makes significant decisions about people. The Equality Act 2010 makes you, the employer, liable if a tool discriminates, even when the bias sits inside a vendor's algorithm. The safe pattern is straightforward: let AI handle drafting, scheduling and admin, keep a human making every shortlisting and rejection decision, tell candidates clearly what the tools do, and complete a data protection impact assessment before anything goes live.
"Tribunals do not accept 'the algorithm did it' as a defence. Let AI do the admin and keep a person making every decision about another person. That configuration is both the safest and the most valuable."
Dean Cookson, founder, Operosus
Is it legal to use AI to hire people in the UK?
Yes. There is no UK law that bans AI in recruitment, and no licence or approval you need before using it. What exists instead is a framework of existing law that applies to AI the same way it applies to any other hiring method:
- UK GDPR and the Data Protection Act 2018: how you collect, use, explain and retain candidate data, plus specific rules for automated decision-making.
- The Data (Use and Access) Act 2025: amended the automated decision-making rules from February 2026 (more below).
- The Equality Act 2010: section 39 prohibits discrimination in "arrangements" for deciding who gets a job, which covers any screening tool you use.
- Regulator guidance: the ICO's audit outcomes report on AI tools in recruitment and the Department for Science, Innovation and Technology's Responsible AI in Recruitment guide.
Adoption is no longer fringe. The CIPD's Resourcing and Talent Planning report 2024 found that 31% of UK organisations use some form of AI or machine learning in recruitment and onboarding, up from 16% in 2022. The same report found that of those using AI, 66% said it improved hiring efficiency. The legal question is not whether to use it, it is which tasks to give it and what controls to put around them.
What does UK GDPR require when AI screens candidates?
Four things carry most of the weight.
A lawful basis and honest transparency. Candidates must be told, in plain language and before they apply, that AI is involved, what it does with their information, and how long you keep it. Burying this in a privacy policy nobody reads is the most common failure the ICO sees.
A data protection impact assessment (DPIA). Screening candidates with AI is exactly the kind of high-risk processing that requires a DPIA before you start, not after. It forces you to document what the tool does, what could go wrong for candidates, and what you have done about it.
Data minimisation and retention limits. Collect only what the tool needs to do its job, and delete candidate data on a defined schedule. Tools that hoover up CVs into permanent talent databases without candidates' knowledge are a known regulator target.
Meaningful human involvement in significant decisions. If software rejects a candidate with no human genuinely reviewing the decision, that is automated decision-making in the legal sense and a specific set of safeguards kicks in: telling the person, letting them make representations, and giving them a route to human intervention and challenge. The ICO's guidance on rights related to automated decision-making sets these out.
What did the ICO find when it audited AI recruitment tools?
Between August 2023 and May 2024 the ICO audited several developers and providers of AI recruitment tools and made almost 300 recommendations, all of which were accepted or partially accepted by the companies involved. The findings are a useful map of what goes wrong in practice:
- Some tools let recruiters filter out candidates by protected characteristics.
- Some inferred gender and ethnicity from a candidate's name rather than asking.
- Some collected far more personal information than necessary and kept it indefinitely to build candidate databases without people's knowledge.
- Privacy information given to candidates was often vague or missing.
Ian Hulme, the ICO's Director of Assurance, put the regulator's position plainly: "AI can bring real benefits to the hiring process, but it also introduces new risks that may cause harm to jobseekers if it is not used lawfully and fairly."
Did the rules change in February 2026?
Yes, and in employers' favour, with conditions. The Data (Use and Access) Act 2025 replaced Article 22 of UK GDPR with new Articles 22A to 22D, and the reforms came into force on 5 February 2026.
The practical changes:
- More lawful bases for automated decisions. Previously, fully automated significant decisions were only allowed with explicit consent, contractual necessity or legal authorisation. Employers can now also rely on legitimate interests, which the ICO's summary of the Act describes as opening up the full range of lawful bases for significant automated decisions.
- Safeguards are still mandatory. You must still tell candidates an automated decision was made, let them make representations, provide human intervention on request and allow them to contest the outcome.
- Special category data keeps the stricter regime. If the automated decision involves health data, biometric data or other special category information, the old, tighter restrictions still apply.
The headline: fully automated screening is now easier to justify under data protection law. It does nothing to reduce your exposure under the Equality Act, which is where the larger risk usually sits.
How does the Equality Act 2010 apply to AI hiring tools?
Three points matter for any UK employer.
You are liable, not your vendor. Section 39 prohibits discrimination in the arrangements you make for deciding who to offer a job. A CV-scoring model you bought from a third party is part of your arrangements. If it produces discriminatory outcomes, the claim lands on you, and the Equality and Human Rights Commission and employment tribunals do not accept "the algorithm did it" as a defence.
Proxy discrimination is the real danger. A model never has to see a protected characteristic to discriminate by it. Career gaps can proxy for maternity, postcode for ethnicity, graduation year for age. The ICO audit findings above show this is not hypothetical: tools were inferring ethnicity and gender from names.
Reasonable adjustments still apply. If your process uses timed assessments, video interviews or chatbot screening, disabled candidates are entitled to adjustments, and you need a visible route for requesting them before the AI stage filters anyone out.
Which recruitment tasks are safe to automate first?
| Task | Legal exposure | What the law expects |
|---|---|---|
| Drafting job adverts and descriptions | Low | Human review for biased language before publishing |
| Interview scheduling and reminders | Low | Standard data protection hygiene, accurate privacy notice |
| Candidate FAQ chatbot | Low to medium | Clear labelling that it is automated, escape route to a human |
| Parsing CVs into structured fields | Medium | Data minimisation, defined retention, accuracy checks |
| Scoring or ranking candidates | High | DPIA, bias testing, meaningful human review of outcomes |
| Automated rejection without human review | Highest | Articles 22A to 22D safeguards in full, plus Equality Act risk on you |
The pattern across that table: exposure rises with the tool's influence over who gets through. Scheduling an interview faster harms nobody. Ranking humans does, if the ranking is wrong in a patterned way.
This matches how we build at Operosus. Across our client work, from automated booking and notification flows for a veterinary home-visit service to structured first-draft generation for tender responses, the same division of labour holds: the AI does the admin, the assembly and the drafting, and a person makes every decision that affects another person. It is the highest-value, lowest-risk configuration, in recruitment and everywhere else.
What should you ask a vendor before buying an AI recruitment tool?
The ICO published questions for exactly this purpose alongside its audit report. The short list every UK SMB should put in writing:
- Have you completed a DPIA for this tool, and can we see it?
- What bias testing do you run, how often, and against which characteristics?
- What data does the tool collect, and what is the retention period?
- Are we the controller and you the processor, and does the contract say so?
- Can the tool's decisions be explained to a candidate in plain English?
- How does a candidate request human review, and how is that logged?
A vendor who cannot answer these quickly is telling you something useful.
Where to start
You do not need a legal team on retainer to do this properly. The order of operations for a UK SMB:
1. List every point in your hiring process where software influences an outcome. Include the applicant tracking system features you switched on and forgot about.
2. Run a DPIA on anything that screens, scores or filters. The DSIT Responsible AI in Recruitment guide gives a sensible structure if you have never done one.
3. Rewrite your candidate privacy notice so it names the AI tools in use, what they do and how long data is kept.
4. Put a named human between any AI score and any rejection, and record that the review happened.
5. Start your automation with scheduling, drafting and admin, where the time savings are real and the legal exposure is close to zero, and earn your way up the table.
For the operational side of agency automation, sourcing, screening notes and candidate comms, see our guide to AI for recruitment agencies and our recruitment industry page. The wider data protection ground rules are covered in our guide to AI and UK GDPR for small businesses.
If you want help working out which parts of your hiring process are worth automating, and which parts should stay firmly human, that is the kind of build-and-advise work we do at Operosus every week. Get in touch and we will look at your process with you.
Frequently asked questions
- Is it legal to use AI to screen CVs in the UK?
- Yes. No UK law bans AI screening, but UK GDPR and the Equality Act 2010 both apply. You need a lawful basis, a data protection impact assessment, clear candidate-facing information about the tool, defined retention periods, and meaningful human involvement in any decision that rejects a candidate. If the tool produces discriminatory outcomes, the legal liability sits with the employer.
- Who is liable if an AI recruitment tool discriminates, the employer or the vendor?
- The employer. Section 39 of the Equality Act 2010 prohibits discrimination in the arrangements you make for deciding who to offer a job, and a third-party screening tool counts as part of those arrangements. Employment tribunals do not accept the algorithm as a defence. Contracts can shift some commercial cost to a vendor, but the discrimination claim itself lands on the hiring organisation.
- Do I need a DPIA before using AI in recruitment?
- Yes, for anything that screens, scores or filters candidates. AI-assisted screening is high-risk processing under UK GDPR, so the data protection impact assessment must be completed before the tool goes live, not retrospectively. The ICO criticised providers for treating DPIAs as an afterthought in its 2024 audit. The DSIT Responsible AI in Recruitment guide offers a workable structure for a first DPIA.
- What changed for automated decision-making in February 2026?
- The Data (Use and Access) Act 2025 replaced Article 22 of UK GDPR with Articles 22A to 22D, in force from 5 February 2026. Employers can now rely on legitimate interests, not just explicit consent, for significant automated decisions. Safeguards remain mandatory: candidates must be told, allowed to make representations, offered human intervention and able to contest the outcome. Special category data keeps the stricter old regime.
- Which recruitment tasks are safest to automate with AI?
- Start with tasks that do not decide anyone's outcome: drafting job adverts, interview scheduling, reminders and candidate FAQ chatbots. These carry minimal legal exposure and deliver most of the time savings. CV parsing sits in the middle. Candidate scoring, ranking and especially automated rejection without human review carry the highest exposure under both UK GDPR and the Equality Act, and need a DPIA, bias testing and recorded human oversight.
- Do candidates have to be told that AI is being used in hiring?
- Yes. UK GDPR requires transparent, plain-language information before candidates apply: which AI tools are involved, what they do with personal data and how long it is kept. The ICO's 2024 audit found privacy information was often vague or missing, and made transparency a core recommendation. If a decision is fully automated, candidates must also be told that specifically and given a route to human review.