Practical AI and SaaS for Business

AI Recruitment Candidate Data Privacy UK

AI-assisted recruitment tools can process hundreds of applications a week, but UK GDPR still applies to every candidate's data the moment it's collected. This guide covers what the ICO expects around consent, retention, and deletion when an AI tool screens job applicants.

Last verified: 17 July 2026. References checked against current legislation.

Editorial Perspective

You run HR for a growing logistics company, and you've just turned on an AI tool that screens every application before a human sees it. The problem isn't whether the tool finds good candidates, it's what happens to the data on everyone it rejects. This page explains what UK data protection law expects from you specifically, and how to set retention and deletion up properly. No legal background needed.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

UK GDPR does not pause because the person reviewing an application is a piece of software instead of a person. The moment your AI recruitment tool ingests a candidate's CV, covering letter, or answers to screening questions, that data is personal data under UK GDPR, and every one of the usual obligations, lawful basis, purpose limitation, storage limitation, applies in full.

In short: If you use an AI tool to screen, rank, or shortlist job applicants, UK GDPR requires a lawful basis for processing that data, a retention limit for candidates you don't hire, and a way for candidates to understand and challenge automated decisions that affect them. The rules don't change because the process is automated.

The plain-English answer

Using an AI screening tool to process job applications is legal under UK GDPR. What isn't automatically legal is what a lot of businesses do around it by default: collecting more candidate data than the role needs, keeping rejected applicants' data indefinitely "just in case," and giving candidates no real way to find out how a decision about them was made. Those are the three areas the ICO has specifically flagged after auditing AI recruitment tools operating in the UK market.

Why this matters for your business

A 40-person logistics company running 200 applications a week through an AI screening tool isn't a hypothetical, it's a fairly typical mid-size UK employer. At that volume, a manual data retention process breaks down fast unless it's built into the hiring workflow from the start. The risk isn't abstract: the ICO can open an investigation off the back of a single candidate complaint, and "we didn't think about it" is not a defence once your business is the data controller for that person's information.

There's also a quieter cost. Candidates increasingly ask what happens to their data after they apply, and a business that can't answer clearly looks worse than one that never used an AI tool at all. Getting this right isn't only a compliance exercise, it's part of how a candidate experiences your business before they've even had an interview.

What UK data protection law actually says

The relevant framework is UK GDPR, enforced by the Information Commissioner's Office (ICO). Between August 2023 and May 2024, the ICO carried out consensual audits of AI recruitment tool providers operating in the UK and published a report of its findings and recommendations. The report doesn't create new law, it clarifies how existing UK GDPR obligations apply specifically to AI-driven sourcing, screening, and selection tools, and it's the clearest signal available on what UK regulators actually look for in this area.

Three of the ICO's findings are the ones most relevant to a business using, not building, an AI screening tool. First, on data minimisation: the ICO found some tools collected far more personal information than the role required, and retained it indefinitely to build searchable candidate databases without those candidates' knowledge. Second, on fairness and bias: the ICO's guidance calls for monitoring a tool's performance to check it isn't systematically disadvantaging candidates who share a protected characteristic. Third, on human oversight: where a tool makes or heavily influences a decision about a candidate, the ICO's guidance points toward a straightforward way for that candidate to understand and challenge the outcome, automated decisions should not be the final word with no route to human review. Read the ICO's own summary of its AI recruitment audit findings for the full detail, and its guidance on special category data if your screening process touches health, disability, or similar sensitive information.

What this looks like in practice

Picture the HR manager at a 40-person logistics company, running roughly 200 applications a week through an AI tool that ranks candidates automatically before a human looks at the shortlist. Left on the tool's default settings, rejected candidates' full application data, CV, cover letter, screening answers, sits in the system indefinitely. Nobody made a decision to keep it that long, it's simply what happens when retention isn't actively managed.

The fix isn't complicated once it's deliberate. The HR manager sets a written retention policy: shortlisted candidates' data is kept for the length of the hiring process plus a defined period afterwards, in case a dispute arises or a similar role reopens. Everyone else's data is deleted or anonymised on a fixed schedule, typically within a few months of the role closing. That single change turns an open-ended liability into a bounded, defensible process, and it's exactly the kind of evidence an ICO investigation looks for if a complaint ever lands.

What you can do about it

A few practical steps cover most of the ICO's stated concerns without needing a legal team to implement them:

  • Set a written retention period for rejected candidates' data, and configure the AI tool to delete or anonymise it automatically once that period passes.
  • Check what data the tool actually collects by default. Many pull in more than the role needs, including social media activity or inferred demographic signals, and turn off anything you don't have a genuine reason to keep.
  • Ask the vendor directly whether any decision is ever made by the tool alone with no human review, and if so, build a manual review step into your process before you get the answer.
  • Tell candidates, in plain language on the application page, that an AI tool is used in screening and where they can go for more detail.

For a broader look at vetting an AI vendor before you commit to one, see our AI vendor due diligence checklist. For the wider legal picture on recruitment tools generally, beyond data privacy specifically, see AI recruitment tools: what's legal and what's not.

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.

Does UK GDPR apply if the AI recruitment tool is provided by a US vendor?

Yes. UK GDPR applies based on whose data is processed and where your business operates, not where the vendor is based. If you're a UK employer processing UK candidates' data, UK GDPR applies regardless of where the AI tool's servers sit. Check the vendor's data transfer safeguards as part of onboarding, not after.

How long can we legally keep rejected candidates' data?

There's no single fixed number in UK GDPR, the rule is that you keep it only as long as you have a genuine reason to. Many UK employers use around six months as a working retention period for rejected applicants, long enough to handle a dispute or a similar role reopening, but this should be a deliberate, documented decision rather than a default setting left untouched.

Do candidates have to be told an AI tool is screening their application?

The ICO's guidance points toward transparency being expected as part of processing personal data fairly, candidates should be able to find out an AI tool is involved and get a meaningful explanation if they ask. A short, plain-language note on the application page is the simplest way to meet this.

What happens if a rejected candidate complains to the ICO?

The ICO can investigate based on a single complaint. If your business can show a documented retention policy, a genuine human review step, and a clear answer to what data was collected and why, you're in a materially stronger position than a business with no policy at all.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Set up a real AI usage policy for your whole team, not just recruitment

Get the free template