
AI hiring law in the UK: no Act yet, but the ICO is already enforcing

The UK has no AI Act. The Information Commissioner has already written to sixteen organisations using AI in recruitment. Here is what the regulator expects.

There is no UK AI Act. The ICO is acting as if there is.

The honest position in May 2026 is that the UK does not have a comprehensive AI law in force. The Artificial Intelligence (Regulation) Bill that was introduced into the House of Lords on 4 March 2025 is a Private Members' Bill. It received its second reading on 22 March 2025 and is still working its way through the Lords. Private Members' Bills almost never become law in the UK; that is the structural reality. A government-introduced AI bill was expected in the King's Speech in May 2026, which would carry significantly more weight, but at the time of writing we are waiting to see what actually appears.

So there is no statute. There is no equivalent of the EU AI Act on the UK books. And yet the Information Commissioner's Office is already enforcing AI hiring practices using powers it already has under existing data protection law. If you run a UK recruitment agency and you are using AI to screen candidates, the ICO is your regulator on this, today, regardless of whether Parliament ever passes a dedicated AI Act.

Other jurisdictions are further along on the legislation. The EU AI Act is on the books and biting from 2026 onward. The full picture across every market is in the parent guide.

What the ICO has actually done

In March 2026 the ICO launched a consultation on draft guidance about automated decision-making and profiling in recruitment. The consultation is open until 29 May 2026 and the final version of the guidance is due to be published in Summer 2026. The consultation document is the clearest indication of what the regulator expects from agencies, even before any Act exists.

More importantly, the ICO has already acted. The regulator has spoken to more than thirty employers about their use of automation in recruitment, and has formally written to sixteen organisations the ICO identified as likely to be using automated decision-making to make decisions about jobseekers. Those sixteen organisations have committed to acting on the ICO's recommendations to improve their practices. This is not theoretical. This is enforcement happening now, using the powers the ICO already has under UK GDPR and the Data Protection Act.

If you think the absence of an AI Act means you have time to wait, that is the wrong mental model. The ICO is using existing law. The Act, if and when it comes, will codify what the ICO is already enforcing.

What the ICO expects from you

From the ICO's published expectations and its broader work on automation in recruitment, the requirements break down into four blocks.

Transparency. Organisations must be transparent with jobseekers about whether automated decision-making is being used in the recruitment process, and must explain how it works. Vague boilerplate does not satisfy this. A jobseeker should be able to understand, in plain English, that AI is involved, what it is doing, and what its role is in the decision.

Right to challenge. Candidates must be told how to exercise their right to challenge an automated decision and request a human review if they believe the decision is incorrect. This has to be a real route, not a buried link. Someone reviewing the request has to be a human with the authority to actually overturn the original decision.

Active bias monitoring. The ICO expects organisations to proactively monitor for bias, to test regularly for biased outputs, and to take steps to mitigate any bias that surfaces. Good practice cited by the ICO includes asking developers about their own bias testing when procuring tools, and considering monthly bias reviews of the systems in use. Annual is not enough for fast-moving AI.

Vendor due diligence. When procuring an AI tool, the ICO expects you to ask the vendor about their bias testing, fairness controls, and how their system meets UK data protection requirements. This is not just contractual hygiene. The ICO sees the buyer as accountable for the choice they made.

Why this is stricter than it sounds

Reading the four blocks above, an agency owner might think the UK position is light touch compared to the EU. It is not. The UK position is functionally similar to what the EU AI Act will demand of deployers, but with one important difference: the ICO is enforcing it now, while the EU's high-risk obligations under Article 6(1) do not bite until August 2027.

UK agencies have spent the last few years assuming the EU got there first and that the UK would follow at a leisurely pace. The data shows the opposite. The ICO has already taken action in 2026. The EU is still waiting for 2027. If you operate in both markets and only one of them gets your compliance attention this year, make it the UK.

The same principle that drives this is the one we covered in our GDPR guide. The ICO does not need new legislation to act. It has had the powers since 2018. AI in recruitment is just the latest topic those powers are being pointed at.

What the AI Bill in the Lords actually proposes

For completeness, the Lord Holmes Bill that is currently working through the Lords would, if passed, establish an AI Authority as a dedicated regulator for AI. The Bill codifies a set of AI principles, requires organisations using AI to designate an "AI officer", and requires the AI Authority to maintain a sandbox for testing AI applications.

The realistic chance of this Bill becoming law as written is low. Private Members' Bills rarely pass without government backing, and the current Labour government's position is that AI should be regulated at the point of use by existing expert regulators rather than via a new horizontal Act. That preserves the ICO's role as the main enforcer on hiring-AI issues, which is what we have already.

The wildcard is the King's Speech. If a government-introduced AI bill appears, the position changes overnight. Watch the May 2026 King's Speech and anything that follows from it. Until then, plan around the ICO.

What I am telling our customers

The biggest mistake I see right now is UK agencies assuming "no Act means no enforcement". The ICO has already written to sixteen organisations. Those sixteen are not random. The regulator picked them because their data and their public profile suggested they were using AI in ways the ICO wanted to scrutinise. If your agency is on a similar public profile, you could be on a similar list.

The second mistake is over-investing in compliance theatre. You do not need a chief AI officer. You do not need a formal AI committee. You do not need a six-figure compliance product. You need three things: a clear inventory of where AI sits in your candidate journey, a written process for the four ICO expectations above, and a named human who has the authority to override an AI decision when a candidate challenges it.

The third mistake is treating the ICO as adversarial. The thirty-plus conversations the ICO has had with employers were not enforcement actions; they were the regulator trying to understand and shape practice. If you engage early, openly, and honestly, the ICO is a workable counterparty. The agencies that get into trouble are the ones who ignore the ICO until they receive a section 142 information notice. By that point, the cooperative posture is gone.

What to do this quarter

Read the ICO consultation document. It is the clearest written statement of what the regulator expects. Even after the consultation closes on 29 May, the document remains a useful reference for what the final guidance will look like in Summer 2026.

Audit your candidate-facing communication. Privacy notice, application page, initial outreach. Does it tell candidates that AI is used in your process, what it does, and how they can request a human review? If any of those is missing or unclear, fix it.

Pick your human reviewer. Whoever in your agency will handle the request-a-human-review case. Make sure they exist as a named person. Make sure they have the authority to overturn the AI's call. Make sure the route to reach them is easy for the candidate.

Ask your vendors the bias question. Every AI tool in your stack should give you a written statement on bias testing. If they do not have one, that is the answer. The Recruitly position on AI features inside our platform is on the AI product page.

Compare positions. The UK approach is enforcement under existing law and a Bill that may or may not pass. The US is a state patchwork without federal law; the US guide walks through it. The full global picture across every market we cover is in the parent guide linked above.

My personal view is that the UK has landed in the right place by accident. A heavy statute would constrain a market that is still figuring out what good AI hiring looks like. A pragmatic regulator using existing data protection law can adapt as the technology changes. Whether the next government keeps that posture or replaces it with a horizontal Act will be the real story of 2026 and 2027 for UK agencies.
