AI has quickly become part of most hiring processes. It’s summarising interviews, drafting job descriptions, ranking CVs, and increasingly, shaping who gets hired and who doesn’t.
But most companies haven’t stopped to ask the obvious question: is your AI hiring process actually fair, compliant, and something you could defend if a regulator or a candidate asked you to?
AI is just one of several privacy risks scale-ups need to get ahead of this year, and recruitment is often where it creeps in first.
Trust Keith recently ran a webinar on exactly this, alongside CharlieHR, covering how HR and compliance teams can use AI in hiring in a way that’s fast, fair and defensible. This guide pulls together the key takeaways.
Kayleigh Logan-Cleghorn, Lead DPO @ Trust Keith
Kayleigh is the Lead DPO at Trust Keith, where she leads a team of privacy experts dedicated to helping customers manage data compliance with confidence.
Alisa Mistry, HR Advice Manager @ CharlieHR
Alisa is the HR Advice Manager at CharlieHR. She leads the HR Advice team, supporting small businesses and startups with practical, expert people guidance.
Most AI use in recruitment isn’t the dramatic, fully-automated hiring bots people imagine. According to Alisa Mistry, HR Advice Manager at CharlieHR, who works with around 200 small and medium-sized businesses, the real pattern looks more like this:
“The pattern across all of these is the same. AI seems to be taking a lot of the volume and the repetition, and the human role from an HR perspective is shifting upward, towards judgment, towards relationships and decision-making.”
— Alisa Mistry, HR Advice Manager, CharlieHR
Kayleigh Logan-Cleghorn, Lead DPO at Trust Keith, confirmed she’s seeing the same pattern from the compliance side:
“In general, what we’re seeing is AI typically being used less as a hiring decision maker and more as a productivity tool. The most common use case that we’re seeing across the board is candidate data being captured through transcription and recording.”
— Kayleigh Logan-Cleghorn, Lead DPO, Trust Keith
The risk isn’t usually the technology itself. It’s that adoption tends to happen tool-by-tool, team-by-team, with little consistency in how it’s assessed or governed, which is exactly the gap this guide is here to close.
The clearest illustration of how AI hiring tools can go wrong is Amazon’s well-known experiment with an AI CV-screening tool.
The idea was sensible on paper: train a model on a decade of successful Amazon hires and use it to rank new candidates. The problem was the training data. Because the majority of technical hires over that period had been men, the model learned that being male correlated with being a “good” candidate, and began penalising CVs that included the word “women’s,” such as “women’s chess club captain,” or that listed all-women colleges.
Amazon tried to fix the bias and couldn’t. Once it was baked into the model, removing it would have meant rebuilding the system from scratch. They scrapped the tool entirely.
“The reason this is so important is because Amazon weren’t careless when they were building it — they had some of the best engineers working on it. But if you train a model on biased data, you will get a biased model even when you didn’t mean to. And once that bias is in, it’s really difficult to get out.”
— Kayleigh Logan-Cleghorn, Lead DPO, Trust Keith
This isn’t purely historical, either. There’s an ongoing legal case in the US against HireVue, alleging that facial expression and speech pattern analysis in video interviews discriminated against candidates on the basis of race and disability. The case hasn’t been decided, but it’s a live signal of where regulatory and legal scrutiny is heading, and UK regulators are no less active.
Trust Keith’s round-up of recent ICO fines shows just how costly getting this wrong can be, in cash terms and reputationally.
The core lesson for UK scale-ups: if a third-party AI tool discriminates against candidates, your company carries the liability, not just the vendor.
“AI bias sits at an intersection of data protection and equality law. Even if an AI recruitment tool appears neutral, if there’s screening, scoring or profiling involved, that process can disproportionately disadvantage people with protected characteristics under the Equality Act — which is indirect discrimination. Employers remain responsible for the outcomes, even when using third-party AI providers.”
— Kayleigh Logan-Cleghorn, Lead DPO, Trust Keith
This is exactly the kind of high-risk processing that should be triggering a formal risk assessment before go-live. If you haven’t run one recently, Trust Keith’s guide to AI DPIAs covers when they’re required and how to run one properly.
In the UK: the Information Commissioner’s Office (ICO) has identified automated decision-making in recruitment as a regulatory priority, with recent scrutiny focused on how employers and recruitment platforms use AI for sourcing, screening, scoring and selection. Transparency is a particular focus. Candidates need to know how AI is being used and how their data feeds into it, at every stage of the funnel.
The Data (Use and Access) Act 2025 has slightly diluted the rules around challenging automated decision-making compared to the previous UK GDPR position. But Trust Keith would still recommend treating recruitment as high-risk and avoiding the “solely automated decision-making” bracket altogether wherever possible.
In the EU: the EU AI Act is the most comprehensive AI regulation globally, and it explicitly classifies AI systems used for recruitment, candidate screening and employment-related decisions as high-risk, because of the potential impact on someone’s rights and opportunities. High-risk classification brings extensive obligations: risk management, human oversight, data governance, transparency, monitoring and documentation.
Crucially, the EU AI Act applies to both:
“It’s not about where you’re operating, it’s about how it impacts individuals resident in the EU. If you’re actively recruiting in Europe, I’d strongly recommend you’re au fait with the rules around the EU AI Act.”
— Kayleigh Logan-Cleghorn, Lead DPO, Trust Keith
If you’re a scale-up recruiting across multiple markets, the advice from the webinar was simple: don’t try to solve for every jurisdiction on day one. Build your process around a strong baseline — transparency, data minimisation, security, meaningful human oversight and candidate rights — and that foundation will travel well as you expand.
It’s the same principle Trust Keith recommends for scale-ups approaching Series B: get the fundamentals right before you need to prove them under pressure.
This is arguably the single most important concept from the whole session, and it’s one a lot of businesses get wrong.
AI helps, but a human genuinely makes the call:
…even if a human is technically “in the loop”:
“There’s a massive difference between using AI to support a decision and using AI to make a decision. They can look similar from the outside, but legally and ethically they’re miles apart.”
— Alisa Mistry, HR Advice Manager, CharlieHR
The regulatory test isn’t whether a human is present, it’s whether their involvement is meaningful.
“If AI ranking or scoring is routinely accepted without meaningful review or challenge, a regulator may view that process as effectively automated, even if a human is formally signing it off. The test isn’t whether a human’s involved, but whether their involvement is meaningful. There should be an opportunity for the human in the loop to understand how the decision was reached, it shouldn’t be a black box. A superficial sign-off process just isn’t going to cut it.”
— Kayleigh Logan-Cleghorn, Lead DPO, Trust Keith
Beyond the legal risk, there’s a commercial cost too: if AI is optimising for “the average” candidate, you may be systematically filtering out the unconventional hires — career changers, people with non-linear paths — who often turn out to be your best.
Even where AI isn’t making hiring decisions, it introduces privacy risks that are easy to overlook:
Data sprawl
AI tools often create copies, summaries and assessments of candidate data. Do you know where those copies live, how long they’re retained, and whether you could retrieve them if a candidate submitted a subject access request?
No internal rules on use
If your team hasn’t been told what data can and can’t go into which AI tool, they’ll make mistakes, and human error remains the leading cause of data protection incidents.
Over-sharing data with AI tools
Full CVs often contain far more than necessary — age, photographs, details that reveal protected characteristics (a women’s college, an LGBT society membership). If it’s not needed for the assessment, it shouldn’t go in.
Outdated privacy notices
If your privacy notice doesn’t reflect how AI is being used in your recruitment process, it’s no longer accurate, and that’s a compliance gap in itself.
Candidate rights
The same rights apply regardless of the tool: candidates can still request access to or deletion of their data, and you need to be able to fulfil that within the statutory deadline, not scrambling when it lands. And it doesn’t stop once someone’s hired. The same AI-generated interview notes and assessments can resurface in an employee DSAR further down the line, so it’s worth being able to locate them from day one.
“The medium is not the message. It doesn’t matter if personal data is in a spreadsheet or in an AI tool — the same GDPR principles apply. That’s a really important thing which is easily forgotten once systems get more complex.”
— Kayleigh Logan-Cleghorn, Lead DPO, Trust Keith
From what Trust Keith sees across its customer base, the same patterns come up repeatedly, and they line up closely with the broader privacy risks scale-ups tend to overlook:
The goal isn’t to avoid AI. It’s balance: use it where it saves time on repeatable work, and keep humans meaningfully involved wherever a decision actually affects someone’s opportunities.
Here's a practical checklist for building an AI hiring process that holds up:
If you’re not confident your current AI hiring process would hold up under scrutiny, that’s exactly the kind of gap Trust Keith’s privacy programmes are built to close — practically, and without slowing your hiring down.
“Just because you can use AI doesn’t mean you should. Think about which part of your process AI is actually going to be valuable for, and use it there — rather than defaulting to AI for everything.”
— Kayleigh Logan-Cleghorn, Lead DPO, Trust Keith
“Make sure you’re using AI to support decisions rather than make them for you — and make sure the tools you’re using are genuinely inclusive, tested internally, and documented.”
— Alisa Mistry, HR Advice Manager, CharlieHR
AI in recruitment isn’t going away, and nor is the scrutiny around it. If you’re not confident your current process is fair, transparent, and defensible under UK GDPR, the Equality Act, or the EU AI Act, Trust Keith can help you find out, and fix it, before it becomes a problem.
Book in some time with one of our experts →