Using AI to screen candidates or score clients? The UK rules changed this year

More firms let AI help decide who gets hired or taken on. The UK changed the rules this year. What it means for the people affected, and what your firm should check.

Good Transformer, 11 min read

More and more firms now let software help decide who gets hired, who makes the shortlist, or which clients to take on. Often that is fine, and used well it can even make things fairer and faster. But sometimes the software is not helping a person decide. It is making the decision itself, and the candidate or client on the other end never knows. On 5 February 2026 the UK changed the rules on exactly this, and most firms have not noticed. If your firm uses AI to screen applicants, score candidates, or sort clients by risk, here is what changed, why it matters to the people affected as much as to you, and what to check.

First, what this is and is not about. The rules here cover serious decisions a computer makes about a person mostly on its own: who gets the job, who gets shortlisted, who gets refused. They do not cover every use of AI in the business, every draft a person properly reviews, or decisions about a company rather than a human being. And this is general information, not legal advice. The aim is to help you see where this lands in your firm, and when to call someone who can give you the legal detail.

This is a UK story, and one worth getting right. The headlines this spring have been about the EU AI Act and its deadlines, which matter for some firms here depending on whether the Act reaches them at all. The change that lands directly on a firm based in the UK is the home-grown one, and it has had far less attention.

What actually changed

For years, the rule in UK data protection law was simple. A computer was not allowed to make a serious decision about a person entirely on its own, apart from a few narrow exceptions. The law calls these solely automated decisions: ones made with no real human involvement that have a legal or similarly significant effect on someone, like being refused credit or turned down for a job. Being filtered out of a shortlist can count too, where it genuinely affects a person's chance and no one was really involved.

That default has now flipped. The Data (Use and Access) Act 2025, in force from 5 February 2026, replaced the old rule, Article 22 of the UK GDPR, with a new set, Articles 22A to 22D. Where the decision does not involve sensitive personal information, a firm can now make it automatically, as long as it has a proper reason and puts safeguards in place for the people affected. As the ICO explains for organisations, the change opens up a wider set of grounds a firm can rely on, so long as it keeps protecting people properly. For a recruiter who wanted to use a scoring tool but kept hitting the old consent rule, that is a real easing.

There is one area this change deliberately leaves alone, and it is the one that matters most to the person. Where a decision rests, entirely or partly, on sensitive details about someone, such as their health, their racial or ethnic origin, or their religion or beliefs, the looser rule does not apply. The law calls these special category data, and they sit behind a tighter gateway. That holds even where a tool only infers one of these things, and even where it gets it wrong. The reason is human, not technical. A hiring tool that quietly reads a health condition or ethnicity into someone's application, and lets that shape whether they progress, can do real harm to a real person, often without anyone noticing. So those decisions stay under tighter conditions, and they are exactly where you want legal advice rather than guesswork.

The catch: the human review has to be real

The easing comes with a test, and the test is where firms are getting caught. Having a human in the loop is not a box you tick after the machine has done the work. What matters is whether that person can really affect the outcome. If they cannot, the law treats the decision as the computer's alone, and the stricter duties apply.

In March 2026 the ICO published Recruitment Rewired, drawing on evidence from more than thirty employers who spoke to it between March 2025 and January 2026. Its main finding was that many employers using automated recruitment are probably making solely automated decisions without realising it, because the human involvement they rely on is not real. This came from voluntary conversations rather than an audit, but the message to employers is plain.

The bar the ICO sets is higher than the comfortable version most firms tell themselves. A person only counts as meaningfully involved where they can genuinely influence the decision before it takes effect, with the authority, the discretion and the knowledge to change it. So picture a reviewer handed a ranked shortlist who signs it off. If they cannot realistically overturn it, they are not part of the decision that mattered, which was the one to set everyone else aside.

The numbers make it concrete. A firm gets eight hundred applications and runs them through a scoring tool. The tool picks out the top forty, and a hiring manager chooses a shortlist from those. If the manager never sees the seven hundred and sixty the tool set aside, and has no real way to revisit the scoring, then the decision that mattered was the machine's.

It is worth remembering who is on the other side of that gap. Those seven hundred and sixty people were never told a machine had decided, and had no way to ask why or to put their case to a person. That is what the rules are really about. They are not just paperwork for the firm. They exist so that someone turned down by software can find out it happened, understand roughly how, and ask a human to think again. For the person, a fair hearing is not a technicality. It can be the difference between a job and a closed door they were never told about.

This goes beyond hiring

Recruitment is the clearest case, which is why the ICO started there. CV filtering, suitability scoring, online assessments and behavioural analysis can all fall squarely under these rules, where they weigh up personal information and decide who progresses or is rejected without a real person in the loop. Not every automated screen is caught. A simple pass or fail check against a basic requirement a person has set, such as the right to work in the UK, can be different.

The same logic is not limited to hiring. It can reach any serious decision a computer makes on its own about a named individual, using their personal information. A firm that scores new clients for onboarding risk, or runs automated eligibility or affordability checks, may be covered where those decisions really affect actual people, such as sole traders, directors, guarantors or applicants, rather than a company.

What to check now

The practical response is short, and most of it is not legal work. Find where AI touches an important decision about a person across the firm: hiring, onboarding, eligibility, risk. For each one, ask the plain question the new rules turn on. Could the person in the loop really change the outcome, or are they signing off what the machine has already decided? Where you are not sure, treat that as the signal to look closer and take proper advice, rather than to assume the old "a human approves it" story still holds.

In plain terms, the law now expects two things of a firm making these decisions: a human check that is genuine, and basic fairness to the person, which includes telling them when an automated decision is being made and giving them a way to ask for a human to look again. Those are not just compliance boxes. They are how a real person gets to understand a decision that affects their livelihood, and challenge it if it is wrong. How the detail applies to your own tools and data is the kind of thing to take advice on, not to settle from a blog. The job for a leader is narrower and more useful: know which of the firm's decisions a machine is really making, so you can put a person who can change the outcome where it counts, and ask the right questions of your advisers and your vendors.

Which rules apply to you

It helps to be clear about which rules actually apply to you. The UK has no single AI Act to match the EU's. The legal duties for a firm here sit mainly in the UK GDPR as amended by the Data (Use and Access) Act, the Data Protection Act 2018 and the Equality Act 2010, with ICO guidance showing how the regulator reads those duties rather than adding new law of its own. The Equality Act point is easy to forget. A screening process that disadvantages a protected group can create real risk under that Act, and the firm carries that risk even when the tool came from a vendor. The person who loses out does not care whose software it was.

The UK has loosened its automated-decision default for ordinary, non-sensitive information, while the EU has gone the other way, putting extra duties on hiring AI through its AI Act and keeping the stricter rule. The EU has, though, agreed to push back the main duties on high-risk hiring AI, so they are now set to apply from December 2027 rather than this summer. A firm that hires or serves people in the EU may therefore have EU obligations on top, depending on how far it operates there and when each duty takes effect, and the looser UK position is not the one that governs that EU-facing work. Knowing which set of rules applies to which part of the business is the judgement worth getting right.

This is the kind of question the Good Transformer Lessons for Leaders sessions are built around: turning a change in the rules into a plain understanding of your own firm, and a way of working your team can keep to. The aim is not to turn you into a data protection officer, and it is not a substitute for legal advice. It is to know which decisions in your firm a machine is really making, to treat that as a risk worth managing like any other, and to keep a person who can change the outcome, and answer for it, where it counts.

If that is worth an hour for your firm, book a discovery call.

FAQ

Did the UK ban or allow AI to screen candidates and score clients?

Neither outright. The Data (Use and Access) Act 2025 moved serious, solely automated decisions about people from a default ban under the old Article 22 to a permitted-with-safeguards approach under the new Articles 22A to 22D, in force from 5 February 2026. Such decisions can now be made where the firm has a proper lawful reason and safeguards are in place for the people affected. Where the decision draws on sensitive information, such as health or ethnicity, tighter conditions apply. How this works for a specific firm is a matter for legal advice.

What counts as meaningful human involvement?

The ICO's test is that a person can genuinely influence the decision before it takes effect, with the authority, the discretion and the knowledge to change it. A reviewer who signs off a tool's ranked output without really being able to overturn it is not meaningfully involved, and the decision is then treated as the machine's alone, with the stricter duties that brings.

Do the new rules cover AI used in hiring?

They can. Recruitment is where the ICO has focused first. CV filtering, suitability scoring, online assessments and candidate ranking can involve solely automated decisions where the tool weighs up personal information, the effect on the person is serious, and there is no real human involvement. In its March 2026 Recruitment Rewired report, the ICO found many employers were probably making such decisions without realising it.

What should a firm do first?

Map where AI touches an important decision about a person, across hiring, client onboarding, eligibility and risk. For each, ask honestly whether the human in the loop could really change the outcome. Where the answer is no, or unclear, treat it as a flag to review the process and take proper advice, rather than assuming the old "a human approves it" position still holds.
