Using AI to recruit in the UK? Don’t forget about GDPR 

Published: 13 June 2023
Author: Recruiter On Demand

There’s no slowing down tech development. AI is already shifting the recruitment landscape and the pace of change isn’t likely to slow down any time soon. According to the Society for Human Resource Management, 88% of companies globally already use AI in some way for HR. AI-powered tools are helping recruiters and TAs to streamline processes, save time and money, and ultimately, find the best fit for the job.

But with AI tools processing data at scales and speeds never seen before, there’s a potential threat to keeping data private and secure. Non-compliance with GDPR is not only a legal and reputational risk but can cost a company as much as 4% of its annual revenue. It’s a complex subject – here we take a look into the ever-shifting sands of AI and regulation.

Part 1: Data Protection in the recruitment process

In 2018, the European Union enacted new legislation to protect individuals’ personal data. This was followed up in 2021, with the UK General Data Protection Regulation (or UK GDPR). This is the main legislation you’ll need to comply with when it comes to using AI in your recruitment processes.

Three key areas to be aware of are: 

  •  Personal data must only be collected and processed for a specified, explicit and legitimate purpose: You must be clear about why you’re processing data from the start. You can’t collect data for one purpose, and then use it for another.
  •  It’s crucial to be transparent about how you store and process candidate data: You must have clear privacy policies in place that candidates can easily access if they choose to. This includes disclosing where candidate data is stored and stating that it will only be used for recruitment (i.e. you cannot use it for marketing purposes).
  •  You need strong policies and procedures in place for data retention and erasure: Candidates have the right to access the data you hold on them and ask you to amend it. However, the right to erasure isn’t an absolute right and is dependent on the legal basis used to collect the data in the first place. For example, you cannot erase data collected under a legal obligation, but you would be required to if consent was used. The time period for undertaking the erasure is without undue delay and at least within one calendar month.

Part 2: Adding AI to the mix

When AI enters the equation, there are a few extra areas to address. Here are a few to get you started.

  • Carry out a data protection impact assessment (DPIA). Going through this process will help to identify and minimise the data protection risks, and it’s worth doing before starting any new AI project. It will help to determine whether you’re purchasing a new AI product because it’s proven to be effective for a specific function, or whether you just want the latest tech.
  • Give applicants specific information about how their data will be collected and used. GDPR states that individuals have the right to know how their personal data is processed. If decisions, such as shortlisting, are made using AI, then make sure it’s clear to candidates. For example, you could include it in the data privacy notice you send to them.
  • Understand that candidates can request human input. Article 22 of the UK GDPR states that people have the right ‘not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her’. There are exceptions to the rule, but essentially, decisions made by AI don’t always win out.  

Part 3: GDPR best practices in AI recruitment in the UK

Here are a few ways to exercise GDPR best practices.

Audit GDPR compliance on a regular basis

Auditing your GDPR compliance isn’t a one-off. There’s no hard and fast rule about how often it should be – that depends on the size and complexity of your organisation. But it should be thorough and regular, to help you evaluate and improve your GDPR processes.

Make sure you’re working with GDPR-compliant AI suppliers and service providers

If you’re using AI in your recruitment processes, it’s likely that you’re outsourcing to specialist AI suppliers and service providers. That might be a chatbot to talk to prospective candidates or a platform helping you source candidates from different social channels. Whoever you work with needs to be GDPR compliant. Check this during a tender process and then regularly throughout your relationship with them.

Keep up with legislative changes

With AI rapidly developing, legislation will be hard-pushed to keep up. But it’s inevitable that regulation and legislation around AI will shift and change. Make sure whoever oversees your GDPR compliance – whether consultant or in-house – keeps up with the unavoidable changes. You’ll then need to update processes and systems to make sure they are compliant.

Make sure you grant candidate requests

A big part of GDPR compliance is helping candidates exercise their legal rights relating to their data. That includes enabling them to access their personal data if they request it, deleting personal data or restricting processing, and letting candidates withdraw their consent. Make sure your processes are in place to be able to fulfil these requests and check that any third-party suppliers do the same.  

In essence: get to grips with data protection

GDPR can be baffling to the untrained eye – and that’s without layering on the complexity and constant evolution of AI. Having a thorough understanding of your legal obligations in relation to data protection, or working with a GDPR expert, is crucial. That way you can keep your candidates’ data private and safe while reaping the benefits of powerful AI tools. 
