AI Is Brilliant for Recruitment. But GDPR Still Applies.
If you are a UK recruiter using AI tools like ChatGPT, Claude, or any of the AI-powered sourcing platforms, you need to understand where the data protection lines are. Not because GDPR should scare you away from using AI. It should not. But because getting it wrong can mean fines, reputational damage, and losing the trust of candidates and clients.
The good news is that staying compliant is not complicated. It requires awareness, a few practical habits, and some common sense. This guide covers what you actually need to know, without the legal jargon that makes most GDPR guides unreadable.
Quick Refresher: What GDPR Means for Recruiters
The UK GDPR (retained from EU law after Brexit, enforced by the ICO) governs how you collect, store, process, and share personal data. For recruiters, personal data includes names, email addresses, phone numbers, CVs, interview notes, salary information, and anything else that identifies an individual.
As a recruiter, you are a data controller (or processor, depending on your relationship with clients). You have legal obligations around how you handle candidate data.
The key principles that matter most for AI use are:
- Lawful basis. You need a legal reason to process someone's data. For recruitment, this is usually "legitimate interest" or "consent."
- Purpose limitation. You can only use data for the purpose it was collected. If a candidate gave you their CV for Job A, you cannot feed it into an AI tool for an unrelated purpose without telling them.
- Data minimisation. Only process the data you actually need. Do not feed entire CVs into AI tools when you only need to assess specific skills.
- Storage limitation. Do not keep data longer than necessary. This applies to data stored in AI tools as well.
- Transparency. Candidates have the right to know how their data is being used, including whether AI is involved in processing it.
The Big Question: Can You Put Candidate Data Into AI Tools?
This is where most recruiters are unsure, so let us be clear.
The short answer: Yes, but with significant caveats.
The longer answer: It depends on which AI tool you are using, what data you are inputting, and whether you have told candidates about it.
Understanding How AI Tools Handle Your Data
When you paste a CV into ChatGPT or Claude, you need to know what happens to that data:
ChatGPT (OpenAI): By default, conversations may be used to train future models. You can opt out of this in settings (Settings > Data Controls > Improve the model for everyone > Off). If you are on a paid Team or Enterprise plan, your data is not used for training by default.
Claude (Anthropic): Similar to ChatGPT. The API and business plans have stronger data protections. Free and Pro plans may use conversations for improvement unless you opt out.
Specialist recruitment AI tools (HireEZ, SeekOut, etc.): These typically have GDPR-specific data processing agreements. Check their terms and ensure they have a Data Processing Agreement (DPA) in place.
The critical point: if you are using a free tier of any AI tool and pasting candidate personal data into it, you may be breaching GDPR unless you have opted out of data training and have a lawful basis for the processing.
Practical Compliance: What You Should Actually Do
1. Anonymise Before You Input
The simplest and most effective approach. Before pasting a CV or candidate details into an AI tool, remove or replace identifying information:
- Replace the candidate's name with "Candidate A"
- Remove their email address and phone number
- Remove their home address
- Remove the names of their referees
You can still assess their skills, experience, and suitability without any of this identifying information. The AI does not need to know who the person is to evaluate whether their experience matches a role brief.
This one habit eliminates most GDPR risk.
2. Use Business-Tier AI Tools
Upgrade to business or enterprise plans that have proper data processing agreements. These plans typically guarantee that your data is not used for model training, is encrypted in transit and at rest, and is deleted after a set retention period.
The cost difference between free and paid plans is minimal compared to the GDPR risk of using free tools with candidate data. For a comparison of the best AI tools for recruiters, see our practical guide to AI for UK recruiters.
3. Update Your Privacy Notice
Your recruitment privacy notice (the one on your website and the one you send to candidates) should mention that AI tools may be used in the recruitment process. You do not need to go into enormous detail, but candidates should know.
A simple addition like this works:
"We may use AI-assisted tools to help assess your suitability for roles, generate interview questions, or summarise your experience. These tools process your information securely and do not make automated decisions about your candidacy. A human recruiter always makes the final decision."
This covers your transparency obligation without being so detailed that it overwhelms the rest of your privacy notice.
4. Never Let AI Make the Final Decision
Under UK GDPR, individuals have the right not to be subject to purely automated decision-making that significantly affects them. This means you cannot use AI as the sole decision-maker in recruitment.
In practice, this means:
- AI can screen and score CVs, but a human must review the shortlist
- AI can suggest interview questions, but a human must conduct the interview
- AI can rank candidates, but a human must make the hiring recommendation
Most recruiters already work this way. AI is a tool in your process, not a replacement for your judgement. Just make sure you can demonstrate this if asked.
5. Respond to Subject Access Requests (SARs)
Candidates have the right to ask what data you hold on them, including any data processed by AI tools. If a candidate submits a SAR and you have used AI to assess their CV, you should be able to explain what the AI was used for, what data was input, and what output was generated.
This is another good reason to use anonymised data where possible. If you anonymised the CV before inputting it, there is no personal data in the AI system to worry about.
The Pro Playbook for Recruiters includes a complete GDPR compliance checklist for AI use in recruitment, along with template privacy notice wording and practical workflows that keep you compliant without slowing you down. Available at proplaybooks.co.uk.
Common Scenarios and How to Handle Them
Scenario 1: Screening CVs with AI
The situation: You have 50 CVs for a role and want to use AI to do an initial screen.
Compliant approach: Copy the CV text into the AI tool, but replace the candidate's name, contact details, and any other identifying information with generic labels. Ask the AI to assess the experience and skills against the role brief. Review the AI's assessment yourself before making any decisions.
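The anonymisation habit from step 1 and the CV-screening scenario above can be made repeatable with a small redaction step run before anything is pasted into an AI tool. This is an added example, not code from the article or from any of the tools it mentions; the CV text, names and contact details in it are constructed, and the known-name and referee lists are assumed to come from your own candidate record.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample CV (fictional person, not real data).
SAMPLE_CV = """Jane Smith
jane.smith@example.com | 07700 900123
12 Example Road, Manchester, M1 1AA

Senior Data Engineer at Acme Analytics (2019-present)
- Built ELT pipelines on Azure Data Factory and Databricks
- Led a team of four engineers

References: Tom Jones (Acme Analytics), Priya Patel (Globex)
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# UK-style numbers: optional +44 or leading 0, then digit groups with optional spaces/dashes
PHONE_RE = re.compile(r"(?:\+44\s?|0)\d{2,4}[\s-]?\d{3}[\s-]?\d{3,4}")
# UK postcode such as M1 1AA or SW1A 2AA; used to spot and drop whole address lines
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")


def anonymise_cv(text: str, label: str, name: str,
                 referees: Sequence[str] = ()) -> Tuple[str, Dict[str, str]]:
    """Return (redacted_cv, key). The key maps placeholders back to real values
    so a SAR can still be answered; keep it in your own system, never send it on."""
    key: Dict[str, str] = {label: name}
    out = re.sub(re.escape(name), label, text, flags=re.IGNORECASE)
    for i, ref in enumerate(referees, 1):          # referees get numbered placeholders
        placeholder = f"Referee {i}"
        out = out.replace(ref, placeholder)
        key[placeholder] = ref
    # Drop whole address lines: a postcode is the reliable tell-tale.
    out = "\n".join(ln for ln in out.splitlines() if not POSTCODE_RE.search(ln))
    out = EMAIL_RE.sub("[email removed]", out)
    out = PHONE_RE.sub("[phone removed]", out)
    return out, key


def residual_identifiers(text: str, identifiers: Sequence[str]) -> List[str]:
    """Guard to run before pasting: is any name token (3+ letters) still present?"""
    low = text.lower()
    return [tok for ident in identifiers for tok in ident.split()
            if len(tok) >= 3 and re.search(rf"\b{re.escape(tok.lower())}\b", low)]


if __name__ == "__main__":
    redacted, key = anonymise_cv(SAMPLE_CV, "Candidate A", "Jane Smith",
                                 ("Tom Jones", "Priya Patel"))
    leaked = residual_identifiers(redacted, ["Jane Smith", "Tom Jones", "Priya Patel"])
    print(redacted if not leaked else f"STOP: identifiers still present: {leaked}")
```

The skills and experience lines survive untouched, which is all the AI needs to assess fit against the role brief, while the key stays local so you can still answer a SAR about what was processed.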
Scenario 2: Writing personalised outreach using AI
The situation: You want to use AI to draft personalised LinkedIn messages based on candidate profiles.
Compliant approach: LinkedIn profiles are publicly available data, which you can process under legitimate interest for recruitment purposes. You can input profile information (job title, company, skills) into AI to generate outreach messages. However, do not input private data (salary expectations from a previous conversation, personal circumstances they shared in confidence, etc.) into AI tools. For tips on writing effective outreach messages, see our guide on LinkedIn InMails that actually get replies.
Scenario 3: Client reporting with AI
The situation: You want to use AI to summarise candidate interviews for a client report.
Compliant approach: Anonymise the interview notes before inputting them. Use "Candidate 1, 2, 3" instead of names. Remove any sensitive information (health conditions, personal circumstances) that came up in conversation. The AI can summarise the professional assessment without needing personal identifiers.
Scenario 4: Using AI sourcing platforms
The situation: You are using a platform like HireEZ or SeekOut that uses AI to source candidates.
Compliant approach: Ensure the platform has a GDPR-compliant Data Processing Agreement (DPA) in place. Check that they source from publicly available data. Review their data retention policies. Include these tools in your Record of Processing Activities (ROPA).
What the ICO Has Said About AI and Recruitment
The Information Commissioner's Office has published guidance on AI and data protection that is relevant to recruitment. Key points include:
- AI systems used in recruitment should be transparent and explainable
- Organisations must conduct Data Protection Impact Assessments (DPIAs) for high-risk AI processing
- Profiling candidates using AI requires a lawful basis and appropriate safeguards
- Individuals must be informed when AI is used in decisions that affect them
For most individual recruiters and small agencies, the practical requirements are straightforward: be transparent, anonymise where possible, use business-grade tools, and keep a human in the decision-making loop.
Larger agencies using AI at scale should consider conducting a formal DPIA for their AI processes. The ICO provides templates and guidance for this on their website.
A Simple Compliance Checklist
Here is a practical checklist you can follow:
- Tool audit. List every AI tool you use and check their data processing terms. Upgrade to business plans where available.
- Anonymisation habit. Make it standard practice to anonymise candidate data before inputting it into any AI tool.
- Privacy notice update. Add a line about AI processing to your recruitment privacy notice.
- Human review. Ensure every AI-assisted decision is reviewed by a human before it affects a candidate.
- Data retention. Do not store AI-generated assessments longer than necessary. Delete them when the role is filled.
- SAR readiness. Be prepared to explain your AI use if a candidate asks.
- Team training. Make sure everyone in your team understands these basics.
Do Not Let GDPR Stop You Using AI
The worst outcome would be to avoid AI entirely because of GDPR concerns. That is like refusing to use email because of data protection rules. The answer is not avoidance. The answer is using AI properly.
UK recruiters who use AI responsibly are faster, more productive, and more competitive. Those who avoid it are falling behind. Those who use it recklessly are taking unnecessary risks.
The middle ground is simple: use AI, anonymise candidate data, choose business-grade tools, be transparent, and keep a human in charge.
For a complete guide to using AI in recruitment, including GDPR-compliant workflows, tested prompts, and practical strategies for every stage of the recruitment cycle, get The Pro Playbook for Recruiters at proplaybooks.co.uk. Available for £19.99 direct or £9.99 on Kindle.