AI and HR Data: UK GDPR Compliance Guide
Using AI tools that process employee data triggers specific UK GDPR obligations. Understand data controller duties, DPIAs, employee transparency requirements, and international transfer risks.
Every AI HR tool processes personal data about your employees or candidates. As the employer, you are the data controller and you carry the legal responsibility for ensuring that processing is lawful, fair, and transparent under UK GDPR and the Data Protection Act 2018.
You Are the Data Controller
The foundational principle is that you - the employer - are the data controller. You decide what employee data to collect, why, and what to do with it. The AI tool is an instrument of your decision-making. The vendor of that AI tool is your data processor.
This has practical consequences:
- You cannot outsource data protection compliance to your AI vendor
- You must have a written Data Processing Agreement (DPA) with every AI vendor that processes employee data on your behalf
- You are responsible for ensuring the vendor's technical and organisational measures are adequate
- If the vendor suffers a data breach, you may be liable to your employees and to the ICO
Review the terms of service of every AI HR tool you use. If there is no Data Processing Agreement available, or if the vendor's terms claim rights to use employee data for their own purposes, do not use the tool for employee data.
Lawful Bases for Processing Employee Data Through AI
Under UK GDPR Article 6, you need a lawful basis for every processing activity. For AI HR processing, the relevant bases are:
Article 6(1)(b) - Contract performance: Processing necessary for performing the employment contract or taking pre-contractual steps. This covers processing directly necessary to manage the employment relationship - payroll, leave management, contract administration.
Article 6(1)(c) - Legal obligation: Processing necessary to comply with a legal obligation. HMRC reporting, right to work checks, health and safety records.
Article 6(1)(f) - Legitimate interests: Processing for your legitimate business interests, provided these are not overridden by the employee's interests, rights, and freedoms. This is the most commonly cited basis for employee monitoring, performance tracking, and other AI HR processing. You must document a Legitimate Interests Assessment for each purpose.
Consent: Not generally appropriate for employee data. The ICO guidance is clear that freely given consent requires the ability to refuse without detriment, which is impossible in an employment relationship where power is unequal.
Special Category Data in AI HR Context
Some AI tools process data that qualifies as special category data under UK GDPR Article 9, which requires a higher legal threshold:
- Health data (absence records, occupational health data, disability information)
- Data revealing racial or ethnic origin (if the tool processes names, photos, or demographic data)
- Biometric data for identification (facial recognition, fingerprint data)
- Data concerning sexual orientation (inferred from communication patterns)
Processing special category data requires both an Article 6 lawful basis and an Article 9 condition. In the employment context, the relevant Article 9 conditions are typically Article 9(2)(b) (employment law obligations) or Article 9(2)(a) (explicit consent, noting the limitations on consent in employment). You must document the specific condition relied upon.
Sentiment analysis tools that infer emotional or psychological state from communications may be processing data about mental health - a form of health data requiring Article 9 conditions.
The DPIA Requirement
A Data Protection Impact Assessment (DPIA) is legally required before processing that is likely to result in high risk to individuals. The ICO has published a list of processing types that require a DPIA. AI HR tools almost always meet multiple criteria:
- Systematic monitoring of employees (monitoring tools, productivity trackers)
- Automated decision-making with legal or significant effects (AI performance scoring, automated shortlisting)
- Processing special categories of data at scale (health data in absence management tools)
- Use of innovative technology (new AI tools)
- Processing personal data about vulnerable individuals (employee health or wellbeing data)
A DPIA must:
- Describe the processing and its purposes
- Assess the necessity and proportionality of the processing
- Identify risks to individuals
- Identify measures to mitigate those risks
- Document whether residual risks are acceptable
If a DPIA reveals high residual risk that cannot be mitigated, you must consult the ICO before proceeding. Deploying an AI HR tool without a required DPIA is a breach of UK GDPR and can result in enforcement action.
Transparency: What Employees Must Be Told
UK GDPR Articles 13 and 14 require you to provide employees with specific information about how their data is processed. Your employee privacy notice must cover AI tools and must explain:
- That AI tools are used in HR processes
- What categories of data are processed by each tool
- The purposes of processing
- The lawful basis relied upon
- How long data is retained
- Whether data is shared with third parties (the AI vendor)
- Whether data is transferred internationally
- Employee rights (access, correction, objection, human review of automated decisions)
The notice must be provided before or at the start of employment, not after the processing has begun. If you have introduced new AI tools since employees joined, you must update and reissue the notice.
International Data Transfers to AI Vendors
Many AI HR tools are provided by US-based companies. When employee personal data is processed on servers in the United States or other countries without a UK adequacy decision, this constitutes a restricted international transfer under UK GDPR Chapter V.
For UK employers, the relevant transfer mechanisms are:
UK International Data Transfer Agreement (IDTA): The UK's post-Brexit replacement for EU Standard Contractual Clauses. Vendors must agree to the IDTA as part of their data processing terms.
UK Addendum: UK-specific addendum to the EU Standard Contractual Clauses, permitting their use in UK transfers.
Adequacy regulations: A small number of countries have UK adequacy decisions (similar to EU adequacy decisions). The US does not have a general UK adequacy decision.
Before using any AI HR tool with a US-based vendor:
- Confirm where your data is processed (the vendor's privacy notice and DPA should specify this)
- Identify the transfer mechanism the vendor offers
- Complete a Transfer Risk Assessment covering the risk to data subjects in the recipient country
- Document this assessment
Transferring employee data internationally with no mechanism in place is unlawful.
Data Minimisation and Retention
UK GDPR principles require:
Data minimisation: Only collect and process the minimum data necessary for your specified purposes. Many AI tools process more data than you actually need if you accept default settings. Review and configure tools to minimise data collection.
Purpose limitation: Employee data collected for one purpose cannot simply be used for a different purpose because an AI tool makes it convenient to do so.
Storage limitation: Employee data must be deleted when no longer needed. AI vendors may retain data longer than you intend unless you specifically configure retention settings or contractually require deletion.
Include data retention and deletion requirements in your Data Processing Agreements with AI vendors.
Building a Compliant AI HR Data Framework
Step 1: Create a data processing register (Record of Processing Activities - ROPA) that includes every AI tool and what employee data it processes.
Step 2: For each tool, document the lawful basis, the DPIA (if required), the transfer mechanism (if applicable), and the DPA with the vendor.
Step 3: Update your employee privacy notice to reflect all AI processing.
Step 4: Establish a data retention schedule and ensure AI vendors implement it.
Step 5: Implement a process for responding to employee subject access requests that includes data held by AI tools.
Step 6: Review annually and whenever you add a new AI tool.
This is guidance, not legal advice. UK GDPR compliance for AI HR tools is a complex area that intersects data protection law, employment law, and technology vendor management. If you are building or reviewing your AI HR data framework, take advice from a data protection specialist.
Frequently Asked Questions
Are we a data controller or data processor when using an AI HR tool?
You are the data controller. You decide what employee data to collect and what to do with it. The AI tool provider is your data processor. This means you are legally responsible for how the tool processes employee data, you must have a Data Processing Agreement in place with the vendor, and you cannot transfer GDPR liability to the vendor simply by using their tool.
Do I need a DPIA before using an AI HR tool?
Almost certainly yes. UK GDPR requires a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in high risk to individuals. The ICO identifies AI and automated decision-making, employee monitoring, and processing at scale as high-risk activities. AI HR tools typically combine all three. Carrying out a DPIA before deploying an AI HR tool is not optional - it is a legal requirement.
What are the rules on transferring employee data to US-based AI vendors?
Transferring employee personal data to a US-based AI vendor requires an appropriate transfer mechanism under UK GDPR Chapter V. The UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses are the most common mechanisms. You must also carry out a Transfer Risk Assessment. Transfers using no mechanism at all are unlawful. Check where your AI vendor's servers are located and what transfer mechanism they offer.