Compliance  ·  3 Jan 2026  ·  6 min read

Compliance and AI: What Recruitment Agencies Need to Know

Using AI for candidate outreach raises questions about GDPR, call recording, and consent. Here's a practical guide to getting it right.

When agencies start exploring AI-powered outreach, compliance is usually the first question — and rightly so. Recruitment involves processing personal data at scale, and adding AI to the mix introduces new considerations around GDPR, consent, and transparency.

Lawful basis for processing

Under GDPR, you need a lawful basis to process personal data. For recruitment agencies, this is typically 'legitimate interest' — you have a genuine business reason to contact candidates on your database about relevant work opportunities. This doesn't change when you use AI to make the contact instead of a human.

However, you should update your privacy notice to explain that you may use AI-powered tools for outreach. Transparency is key — candidates should know how their data is being used.

Call recording and consent

If your AI outreach tool records calls, you need to inform candidates at the start of the conversation. This is standard practice for human calls too, but it's especially important with AI calls. A simple disclosure at the beginning ('This call may be recorded for quality and training purposes') is sufficient in most cases.

Key compliance considerations

  • Data processing agreements — ensure your AI vendor has a proper DPA in place.
  • Data residency — know where call data is processed and stored. UK data should stay in the UK or adequate jurisdictions.
  • Right to opt out — candidates must be able to easily opt out of AI-powered contact.
  • Accuracy — AI transcriptions and notes should be reviewable by humans to catch errors.
  • Retention — don't keep call recordings longer than necessary. Set clear retention policies.

Choosing a compliant vendor

When evaluating AI outreach tools, ask about their compliance posture. Do they have ISO 27001 certification? Where are their servers located? Can they provide a Data Protection Impact Assessment? Do they have a named DPO? These aren't nice-to-haves — they're essential for any tool processing candidate personal data.

Getting it right

Compliance shouldn't be a barrier to adopting AI — but it should be a factor in how you adopt it. Choose vendors who take it seriously, update your own policies to reflect AI usage, and be transparent with candidates. Done properly, AI outreach can actually improve your compliance posture by creating consistent, auditable records of every interaction.
