UK GDPR Compliance for Recruitment Agencies: The Complete 2026 Guide
The complete UK GDPR guide for recruitment agencies: are you a controller, your lawful basis, data minimisation and redaction, the 2026 AI rules, security and breach response, retention, and candidate rights — with links to the detailed walkthroughs.
UK recruitment agencies are data controllers for the candidate data they handle — which means the full weight of UK GDPR applies to you directly, not just to the employers you work for. That covers your lawful basis for holding CVs, how long you keep them, how you secure them, what you share with clients, and — since 2026 — how you use AI to make decisions about candidates. This guide is the overview: every core obligation in one place, with links to the detailed walkthrough of each. Treat it as the map; follow the links for the deep dives.
This guide is general information for UK recruitment agencies, not legal advice. For your specific obligations, consult a data protection adviser or solicitor.
Are recruitment agencies data controllers under UK GDPR?
Yes. For the candidate data you collect, source, screen, and submit, your agency is a data controller in its own right — you decide why and how that personal data is processed. You are not merely a processor acting on the employer's behalf. That distinction matters because every controller obligation lands on you: lawful basis, transparency, data minimisation, security, breach notification, retention limits, and candidate rights.
The Information Commissioner's Office (ICO) has made this concrete. Its 2023 reprimand of a UK recruitment company over a cloud misconfiguration, and its 2026 work on AI in hiring, both treat agencies as accountable controllers. "The employer is the controller, not us" is not a defence that holds for the candidate data you handle.
Your core UK GDPR obligations at a glance
Here is the whole picture in one table. Each row links to the detailed guide for that obligation.
| Obligation | What it means for your agency | Go deeper |
|---|---|---|
| Lawful basis | Document a valid basis (usually legitimate interest) for processing each candidate's data | Below |
| Data minimisation | Share only what a decision needs — redact contact details before client submission | Candidate bypass & redaction |
| AI / automated decisions | New 2026 rules govern AI that screens, ranks or shortlists candidates | The DUAA rules · ICO Recruitment Rewired |
| Security & breaches | Encrypt, access-control, and notify the ICO within 72 hours of a reportable breach | GDPR risks & the ICO reprimand |
| Retention | Keep candidate data only as long as justified — and mind the statutory conflict | Below |
| Candidate rights | Answer access and erasure requests within one calendar month | Below |
Lawful basis for processing candidate data
Every piece of candidate data you process needs a documented lawful basis, and for recruitment that is usually legitimate interest rather than consent — consent is hard to treat as freely given when someone wants a job. Legitimate interest is valid, but it is not automatic: you must apply the ICO's three-part test (is the purpose legitimate, is the processing necessary for it, and is it balanced against the candidate's rights) and record the outcome. Your privacy notice must state which basis applies to which activity.
One caveat that has become important since 2026: where you use AI to make automated decisions about candidates, you cannot rely on the Data (Use and Access) Act's new "recognised legitimate interest" basis for that processing — see the AI section below.
Data minimisation: share only what a decision needs
Data minimisation (Article 5(1)(c)) requires that personal data is "adequate, relevant and limited to what is necessary." For a shortlisting decision, a candidate's name, phone number, home address and LinkedIn URL are not necessary — the client needs skills, experience and fit. Sending the full CV with contact details attached shares more personal data than the purpose requires.
The practical control is redaction: removing direct identifiers before a CV goes to a client. It does double duty — it satisfies data minimisation and it protects your placement fee, because a client who cannot contact the candidate directly has to come back through you. That is the link between compliance and commercial self-interest, and it is why redaction is the single highest-value habit a small agency can adopt. For how it prevents back-door hires and the full redaction workflow, see candidate bypass and CV redaction. Tools such as Quibench apply one-click redaction before submission, and there is a free CV redaction tool to try the workflow.
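As an added example (not part of this guide and not Quibench's code), here is a minimal Python redaction pass over a plain-text CV that strips the direct identifiers named above (name, phone, home address, email, LinkedIn URL) and reports what it removed; the regexes and the sample CV are constructed for illustration and would need tuning for real documents.

```python
import re

# Illustrative patterns for direct identifiers in UK-format CV headers
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
LINKEDIN_RE = re.compile(r"(?:https?://)?(?:www\.)?linkedin\.com/in/[\w-]+/?", re.I)
# UK numbers: +44 or a leading 0, then 9-10 digits with optional spaces/dashes
PHONE_RE = re.compile(r"(?:\+44\s?|\b0)\d(?:[\s-]?\d){8,9}\b")
# UK postcode (e.g. M1 1AE, SW1A 1AA); a line carrying one is treated as an address
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.I)


def redact_cv(text: str, candidate_name: str) -> tuple[str, dict[str, int]]:
    """Return (redacted_text, counts); counts says how many of each identifier
    type were removed so a consultant can sanity-check before submission."""
    counts: dict[str, int] = {}

    def sub(pattern: re.Pattern, label: str, s: str) -> str:
        s, n = pattern.subn(f"[{label} REDACTED]", s)
        counts[label] = counts.get(label, 0) + n
        return s

    # Contact identifiers first, so the name pass does not see them again
    text = sub(EMAIL_RE, "EMAIL", text)
    text = sub(LINKEDIN_RE, "LINKEDIN", text)
    text = sub(PHONE_RE, "PHONE", text)

    # Home address: replace every line that contains a postcode
    lines, counts["ADDRESS"] = [], 0
    for line in text.splitlines():
        if POSTCODE_RE.search(line):
            lines.append("[ADDRESS REDACTED]")
            counts["ADDRESS"] += 1
        else:
            lines.append(line)
    text = "\n".join(lines)

    # Name: the agency knows it from its own record, so match it explicitly
    # (full name, then each part of 3+ letters as a whole word, case-insensitive)
    parts = candidate_name.split()
    patterns = [r"\b" + r"\s+".join(map(re.escape, parts)) + r"\b"]
    patterns += [r"\b" + re.escape(p) + r"\b" for p in parts if len(p) >= 3]
    for pat in patterns:
        text = sub(re.compile(pat, re.I), "NAME", text)
    return text, counts


# Constructed sample CV with fictitious details (no real person)
SAMPLE_CV = """\
Priya Sharma
Flat 4, 12 Example Road, Manchester M1 1AE
Mobile: 07700 900123 | priya.sharma@example.com
linkedin.com/in/priya-sharma-dev

Senior Software Engineer with 8 years in Python and cloud platforms.
Led migration of a payroll service to Kubernetes at ExampleCorp (2021-2024).
"""

if __name__ == "__main__":
    redacted, removed = redact_cv(SAMPLE_CV, "Priya Sharma")
    print(redacted)
    print(removed)
```

The skills and experience lines, which are what the shortlisting decision actually needs, pass through untouched.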
AI and automated decision-making: the 2026 rules
This is the fastest-moving area of recruitment compliance, and the one most agencies have not caught up with. Two developments matter.
First, the Data (Use and Access) Act 2025 (DUAA) rewrote the rules on automated decisions. Since 5 February 2026, the old near-ban on solely automated significant decisions has been replaced by a permission-plus-safeguards model (Articles 22A–22D of the UK GDPR). If your agency uses AI to screen, rank, or shortlist candidates without meaningful human involvement, you are now operating under that regime and must provide specific safeguards. The full breakdown is in what the DUAA means for recruitment agencies using AI.
Second, the ICO's "Recruitment Rewired" report (31 March 2026) showed how the regulator intends to apply those rules. It found many employers and agencies running automated decisions while labelling them "decision support," wrote to 16 organisations, and signalled enforcement. The detail — including the test for "meaningful human involvement" and the four things the ICO told organisations to fix — is in the ICO's Recruitment Rewired verdict.
The strategic takeaway for a small agency: the more a tool decides for you, the more compliance you inherit. A tool that scores or filters candidates pulls you into the automated-decision regime; a tool that only handles mechanical work — parsing, formatting, redaction — and leaves every decision to a consultant does not. Quibench, for instance, reformats and redacts CVs but does not score or shortlist candidates, so the decision stays with you and the ADM rules are not engaged.
Security and breach response
Recruitment data is a high-value target — candidate records combine names, contact details, employment history and sometimes special-category data, which is exactly what attackers want. UK GDPR requires "appropriate technical and organisational measures": encryption at rest and in transit, access controls, and secure (authenticated) cloud storage. The ICO's 2023 recruitment reprimand followed a misconfigured, publicly accessible cloud container that exposed 12,000 records — a basic failure, and a clear signal that the sector is under scrutiny.
If a breach is likely to risk individuals' rights, you must notify the ICO within 72 hours of becoming aware — a separate obligation from the breach itself — and document every breach, even those you decide not to report. The full picture, including the fine exposure (up to £17.5M or 4% of turnover), is in UK recruitment agency GDPR risks.
Data retention: the conflict every agency should know
There is a genuine conflict in UK retention rules. The ICO recommends keeping unsuccessful candidates' data for no longer than six months, while the Conduct of Employment Agencies and Employment Businesses Regulations 2003 require agencies to keep certain records for a minimum of one year. The defensible position is to adopt the statutory one-year minimum with a documented justification, then delete automatically after that period. Keeping data indefinitely — common, and risky — fails both minimisation and storage-limitation principles, and stale data increases breach exposure. This is covered in more depth in the GDPR risks guide.
Candidate rights
Candidates have enforceable rights over their data, and you must be able to honour them:
- Right of access: a candidate can request all the personal data you hold on them; you must respond within one calendar month. This is hard without a data map across your ATS, CRM, email and file storage — build it before a request arrives, not after.
- Right to erasure: candidates can ask you to delete their data, subject to your retention obligations.
- Transparency: your privacy notice must tell candidates, in plain terms, what you do with their data — including any AI use and the fact that profiles are shared with clients.
A practical compliance checklist
You do not need a compliance department. You need these controls in place and documented:
- Privacy notice that accurately describes all processing, including AI use and client data sharing.
- Documented lawful basis for each activity (usually a recorded legitimate-interest assessment).
- Redaction before client submission — remove contact details and anything a tool could use to infer protected characteristics.
- AI audit — map where automated decisions happen; ensure real human involvement on the ones that matter; do a DPIA.
- Authenticated cloud storage, encryption, and role-based access.
- Breach response plan that can detect, assess, and notify within 72 hours.
- Written retention schedule (one-year statutory minimum, then automatic deletion).
- A data map so you can answer access requests within a month.
Work through it once, document it, and review it as an operational function rather than a one-off — that is what "accountability" under UK GDPR actually means.
Common questions
Are recruitment agencies data controllers under UK GDPR? Yes. Agencies are controllers for the candidate data they collect and process, so all controller obligations apply directly — lawful basis, data minimisation, security, breach notification, retention, and candidate rights. You are not a processor acting only on the employer's behalf.
What are the main UK GDPR obligations for a recruitment agency? Documenting a lawful basis for processing candidate data, minimising what you collect and share, securing it (encryption, access control, 72-hour breach notification), retaining it only as long as justified, being transparent in your privacy notice, honouring candidate access and erasure requests, and — since 2026 — applying safeguards where AI makes automated decisions about candidates.
What lawful basis can agencies use to process candidate CVs? Usually legitimate interest, because consent is difficult to treat as freely given in a hiring context. You must apply and record the ICO's three-part test (legitimate purpose, necessity, balance against the candidate's rights). Note that the DUAA's new "recognised legitimate interest" basis cannot be used for automated decision-making.
How long can a UK recruitment agency keep candidate CVs? There is a conflict: the ICO recommends no longer than six months for unsuccessful candidates, while the Conduct of Employment Agencies and Employment Businesses Regulations 2003 require a one-year minimum for certain records. The defensible approach is to adopt the one-year statutory minimum with a documented justification, then delete automatically.
Do the 2026 AI rules apply to recruitment agencies? Yes. Since 5 February 2026 the DUAA's automated-decision-making framework (Articles 22A–22D) applies to any agency using AI to make significant decisions about candidates without meaningful human involvement, and the ICO's March 2026 "Recruitment Rewired" report set out how it expects the rules to be met. There is no small-agency exemption.
How does CV redaction help with GDPR compliance? Redacting a CV down to what a shortlisting decision needs — and removing names, contact details and data that could reveal protected characteristics — directly supports the data-minimisation principle (Article 5(1)(c)). It also limits breach exposure (a redacted profile contains no personal contact data) and protects your placement fee at the same time.
UK GDPR compliance for a recruitment agency is not one big task — it is a handful of controls applied consistently: know your lawful basis, share only what a decision needs, secure what you hold, keep it no longer than justified, honour candidate rights, and keep a human meaningfully in charge of any AI that decides. Each links to a deeper guide above. Get the controls documented and operational, and the accountability the ICO expects follows from them.