On 31 March 2026, the Information Commissioner's Office (ICO) published a report and draft guidance on automated decision-making (ADM) in recruitment. The ICO engaged more than thirty employers and issued written notices to sixteen organisations using ADM in hiring. Those sixteen organisations committed to implementing recommended improvements. The report and draft guidance address the full lifecycle of AI-driven recruitment tools, from CV screening to scoring of online assessments.
The controlling legal instruments are Article 22 of the UK General Data Protection Regulation (UK GDPR) and Sections 49-51 of the Data Protection Act 2018 (DPA 2018). Article 22 UK GDPR restricts decisions "based solely on automated processing" that "produce legal effects" or "similarly significantly affect" data subjects, subject to three exceptions: contractual necessity, legal authorisation, and explicit consent. The ICO guidance applies these provisions to CV screening algorithms, assessment scoring systems, and AI-driven applicant ranking tools used by employers in recruitment workflows.
Employers using ADM in recruitment must: disclose to candidates when and how automated processing affects their applications; test for bias against protected characteristics under the Equality Act 2010 and implement mitigation measures; enable candidates to exercise their right to contest automated decisions and request human review; demonstrate a lawful basis under Article 6 UK GDPR for personal data processing through ADM; and conduct data protection impact assessments where ADM involves large-scale processing or special category data. Where ADM constitutes a solely automated decision under Article 22, one of the Article 22(2) exceptions must apply and appropriate safeguards must be in place.
The Data (Use and Access) Act 2025 amended certain Article 22 provisions, broadening the circumstances in which organisations may deploy ADM. The draft guidance addresses those amendments and their interaction with the retained safeguards, including the right to human review. The guidance remains in draft form and is open for consultation. Employers and technology vendors may submit responses to influence its final content. The ICO retains enforcement powers under the DPA 2018 and may issue fines and enforcement notices for ADM practices that breach UK GDPR requirements, irrespective of the guidance's final status.
Licentium advises technology providers, HR platforms, and employers on UK and EU data protection compliance for AI systems, including ADM impact assessments, bias audit strategies, and regulatory engagement with the ICO. We maintain dedicated partner networks for UK and EU AI regulatory matters and assist clients with the ICO consultation process and compliance responses. Parties seeking guidance on the March 2026 draft guidance or Article 22 UK GDPR compliance in AI recruitment tools may contact us. Our practice encompasses: AI and ADM compliance, UK GDPR Article 22 analysis, DPIA preparation, data protection in employment, bias testing frameworks, and AI regulatory engagement.
Source: Information Commissioner's Office (ICO), news release "Here's what jobseekers need to know about automated recruitment decisions," 31 March 2026, https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/03/here-s-what-jobseekers-need-to-know-about-automated-recruitment-decisions/; ICO news release "Automated decisions can streamline the hiring process, with the right safeguards in place," 31 March 2026, https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/03/automated-decisions-can-streamline-the-hiring-process-with-the-right-safeguards-in-place/
The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.