With the use of AI tools in recruitment on the rise, understanding the rules and requirements for automated decision-making is more important than ever. The use of automated decision-making within recruitment has also been a particular area of focus for the Information Commissioner’s Office (ICO), the UK’s privacy regulator.
The UK General Data Protection Regulation (UK GDPR) restricts solely automated decision-making which has a significant effect on individuals, unless certain exceptions apply. Solely automated recruitment decisions will of course have a significant effect on candidates, impacting whether or not they are successful in securing a job.
The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, relaxes some of the current restrictions. However, these changes are not expected to come into force until December at the earliest, meaning that for now recruiters must continue to comply with the current rules.
In this article we outline the current UK GDPR rules, how they're changing under the Data (Use and Access) Act and what recruiters should prioritise in readiness for the revised rules.
Solely automated decision-making refers to the process where decisions are made entirely by automated means, without meaningful human intervention. In a recruitment context, this can include shortlisting CVs using AI or conducting automated interviews.
As these recruitment decisions will have a significant effect on candidates, under the current rules they are only permitted if one of the following exceptions applies:
These exceptions apply narrowly.
The ICO had previously published draft guidance for consultation on the use of automated decision-making within recruitment. This draft guidance states that in the context of recruitment, the ‘contract lawful basis’ can only be relied upon once a prospective employer has made the candidate a job offer and they have accepted the offer. It thus takes the position that earlier stages of the recruitment process, including shortlisting, testing and interviewing candidates, cannot be treated as necessary pre-contractual steps for the purpose of the ‘contract lawful basis’.
Consent is also rarely appropriate in the recruitment context because of the imbalance of bargaining power between recruiter and candidate.
The takeaway from the draft guidance is therefore that it's very difficult to demonstrate the lawful use of solely automated decision-making at earlier stages of the recruitment journey, for example at the CV screening and interviewing stages.
Instead, partly automated decision-making, which is not subject to the same restrictions, is easier to implement, although it's still important that recruiters have appropriate safeguards in place for partly automated decision-making. By partly automated decision-making we mean using AI tools and automated processes to assist with the different recruitment stages, but ensuring meaningful human involvement at every step, in particular making sure that any decisions about whether a candidate progresses to the next stage are made by a human.
However, the draft guidance is just that, a draft. The ICO is now revisiting the draft guidance in light of the reforms contained in the Data (Use and Access) Act 2025.
The changes to automated decision-making rules under the Data (Use and Access) Act are expected to come into force approximately six months after the Act received Royal Assent, meaning that they are expected any time from December 2025.
Once in force, recruiters will no longer need to identify an exception to be able to use solely automated decision-making that will have a significant effect on candidates, provided that no special category data is involved. Instead, they will need to establish a lawful basis for the data processing activity, which can include their legitimate business interests, and ensure that appropriate safeguards are in place. Safeguards will include enabling the candidate to obtain human intervention on the automated decision and to contest the decision.
However, note that where special category data is involved, the current UK GDPR restrictions will remain.
Once the ICO has published its updated guidance on the use of automated decision-making in recruitment, accounting for the Data (Use and Access) Act reforms, this will hopefully give us greater clarity on the regulator’s expectations for recruiters carrying out automated decision-making under the new relaxed laws.
In the meantime, in readiness for the revised rules, recruiters should prioritise risk assessing prospective automated decision-making tools, and ensuring that appropriate safeguards can be implemented.
For further information or advice, please contact our data protection team.