GDPR Article 22 for hiring: Automated decision making explained

In March 2026, the UK Information Commissioner’s Office warned employers that many automated recruitment processes may already fall within the scope of GDPR Article 22.

When hiring decisions happen without meaningful human involvement, they may be unlawful.

The real risk

Most organisations believe they have a volume problem. They use automation to handle the scale: scoring candidates, ranking them and moving them through the funnel more quickly. In doing so, many cross an important line. They shift from using automation to support decisions to letting automation make those decisions. That is where Article 22 becomes relevant.

What Article 22 covers

The regulation gives individuals the right not to be subject to decisions based solely on automated processing when those decisions have significant effects. In hiring, this includes being rejected, screened out or prevented from progressing. If a system makes that decision without human review, the process is in scope.

What “solely automated” actually means

A decision is considered solely automated when no human reviews the outcome, when the system’s recommendation is treated as final or when recruiters do not actively check or challenge results. Designing the model or setting thresholds does not count as human involvement. The human must participate in the decision itself.

Meaningful human involvement

Meaningful involvement requires a reviewer who understands how the outcome was produced, has the authority to change it, considers additional context and genuinely evaluates whether the recommendation is appropriate. Simply approving an automated result does not meet this standard.

Why employers face risk

The ICO has already audited recruitment AI providers and raised concerns around bias, transparency and decision safeguards. Employers risk complaints, regulatory action, legal claims and an inability to explain individual decisions. Many of these risks appear when processes rely on systems whose logic is unclear or poorly defined.

What non-compliance looks like

Common examples include automatic rejection after assessments, CV screening models that hide lower‑ranked candidates from recruiters and AI‑scored video interviews that lead to rejection without any human review. In each case, the candidate is effectively rejected by the system rather than by a person.

The deeper issue: opaque decision-making

Automated systems often obscure how decisions are made. Criteria may be loosely defined, scoring models configured quickly and weightings applied without scrutiny. Recruiters may not be able to explain why one candidate progressed and another did not. Under Article 22, organisations must be able to justify the decision and the method that produced it.

The missing foundation

Most hiring teams focus on tools and thresholds instead of defining what good performance actually looks like, which attributes matter most and where human judgement is necessary. Without these foundations, automation simply scales poor decision-making.

A more defensible approach

A compliant process starts with clear role criteria and transparent weighting decisions. Automation is applied only once the decision model is defined, understood and documented. This allows every outcome to be explained, ensures human judgement is present where it needs to be and enables genuine auditing of bias and consistency.

Designing processes that stand up to scrutiny

The most resilient hiring processes combine automation with structured human review. Automation manages scale, but humans remain involved in decisions with significant impact. Scoring remains transparent. Outcomes are monitored routinely.

This is the approach ThriveMap is designed to support: automation that informs and strengthens human judgement, rather than replacing it.