AI Governance Briefing · May 2026
Are UK SMEs using AI in hiring legally? What the ICO's Recruitment Rewired report means for you.
On 31 March 2026, the ICO published Recruitment Rewired, its findings from nine months of engagement with over 30 UK employers using AI in recruitment. The headline finding is not subtle: many organisations using automated tools to screen and score candidates are relying on solely automated decisions without knowing it, and without the legal safeguards UK GDPR and the Data (Use and Access) Act now require.
The central AI governance failure the ICO identified is not technical. It is structural. Most employers told the ICO their tools were being used for decision support, with a human in the loop. In practice, the ICO found that human involvement was not meaningful. Recruiters were approving AI-generated shortlists without the authority, time, or access to raw candidate data needed to genuinely override them. The ICO was explicit: human involvement must be active and genuine. A token review or rubber-stamp of an automated output is not sufficient. If a recruiter cannot exercise real influence over a decision before it is applied, the process is treated as solely automated, regardless of who nominally sits in the chain.
The report also found that most employers cannot adequately tell candidates how their personal data is being processed, including what vendors are doing with it. That transparency obligation sits with the employer, not the software provider.
Since 5 February 2026, the Data (Use and Access) Act has changed the legal framework for AI governance in hiring. The old near-prohibition on solely automated decisions has been replaced with a Right of Challenge: SMEs can use AI in hiring, but must have documented safeguards enabling candidates to request human review and contest outcomes. If those safeguards do not exist and are not documented, you are already non-compliant.
Three AI governance actions for any SME using AI recruitment tools
Second, pull your vendor's Data Processing Agreement and check it for one specific clause: what happens to candidate data after the process ends, and whether it is used to improve the vendor's models. Ask in writing and get the answer in writing.
Third, test the override, do not just document it. Put a recruiter in front of a rejected candidate's raw CV and ask whether they have the time, the access, and the authority to reverse the AI's decision. If the honest answer is no, your documented process is describing something that is not happening.
And before any of the above: if your organisation deployed AI recruitment tools without first completing a Data Protection Impact Assessment, that omission is itself a compliance failure. A DPIA is a legal requirement where AI processing is likely to result in high risk to individuals, and AI-assisted hiring qualifies. If one does not exist, the named owner's first task is to commission it.
Frequently asked questions
The ICO's Recruitment Rewired report, published 31 March 2026, found that many UK employers using AI to screen and score candidates are relying on solely automated decisions without meaningful human involvement, without adequate transparency for candidates, and without completing the Data Protection Impact Assessments the law requires. The report covers evidence from over 30 employers gathered between March 2025 and January 2026.
Since 5 February 2026, the Data (Use and Access) Act has replaced the previous near-prohibition on solely automated decision-making with a Right of Challenge. UK employers can now use AI to make hiring decisions, provided they have documented safeguards in place: candidates must be informed that automated processing is being used, given the opportunity to make representations, and able to request human review and contest the outcome. Having a policy document is not sufficient; the process must be genuinely operational and testable.
A Data Protection Impact Assessment is a structured analysis of the privacy risks created by a processing activity, required under UK GDPR where processing is likely to result in high risk to individuals. AI-assisted recruitment qualifies as high-risk processing. The ICO found that most employers in its Recruitment Rewired engagement either had not completed a DPIA before deploying AI tools, or had produced DPIAs that did not meet UK GDPR requirements.
The ICO's Recruitment Rewired report sets a clear standard: a human must have the authority, discretion, and competence to alter an AI's decision before it takes effect. If a recruiter is approving AI-generated shortlists without access to the underlying candidate data, without the time to review it, or without genuine authority to override the outcome, the ICO will treat the decision as solely automated.
Source
Lena Chauhan is a Fractional Director of AI Governance and founder of Rise IQ. She is an affiliate of the KCL Responsible AI Institute and a contributor to AI policy at the House of Lords.
Use a Rise IQ diagnostic to map your exposure in 30 days.
Six concrete deliverables. A board-usable action plan. A clear basis for the decisions that come next.