2. UK Compliance: GDPR, Equality Act 2010 & ICO Guidance
UK GDPR Post-Brexit
The UK GDPR, as retained and amended post-Brexit, governs how employers collect, store and process psychometric test data. Key obligations include:
Requirement | UK GDPR Obligation
Lawful basis for processing | Most employers rely on "legitimate interests" or "consent". The ICO advises that consent must be freely given — not coerced as a condition of employment.
Special category data | Psychological profiles may constitute data concerning "health" or "mental health" — requiring explicit consent or substantial public interest basis.
Data minimisation | Only collect test data necessary for the specific assessment purpose.
Retention limits | ICO guidance recommends retaining psychometric test data no longer than 6-12 months post-recruitment, unless required for ongoing employment.
Subject access requests (SARs) | Candidates can request access to their test results and algorithmic scoring logic.
Automated decision-making | Article 22 UK GDPR restricts solely automated decisions producing legal effects — including automated rejection based on test scores.
Equality Act 2010
The Equality Act 2010 prohibits discrimination based on nine protected characteristics. When using psychometric tests:
- Reasonable adjustments: Employers must adjust testing for candidates with disabilities (e.g., extra time, screen-reader compatible formats, alternative test formats).
- Indirect discrimination: An apparently neutral test requirement may indirectly disadvantage a protected group. Example: a verbal reasoning test that disadvantages non-native English speakers.
- Job-relatedness: Tests must measure bona fide occupational requirements — personality traits relevant to the specific role, not general characteristics.
ICO Guidance on AI in Recruitment (2025 Update)
The Information Commissioner's Office published updated guidance in 2025 specifically addressing AI-driven psychometric assessments:
- Fairness by design: Employers must audit training data for historical bias.
- Transparency: Candidates must be told if AI is scoring their test and how.
- Human oversight: Automated decisions must have meaningful human review.
- Data Protection Impact Assessments (DPIAs): Required for any AI-scored testing tool.
3. US Compliance: EEOC Uniform Guidelines & Adverse Impact
Title VII of the Civil Rights Act
Title VII prohibits employment discrimination based on race, colour, religion, sex and national origin. Psychometric tests — as "selection procedures" — fall under its scope.
Uniform Guidelines on Employee Selection Procedures (1978)
The EEOC's Uniform Guidelines remain the foundational US framework for testing compliance. Despite being nearly 50 years old, they are actively enforced:
Three key principles:
- Adverse impact analysis: Employers must calculate whether a test disproportionately screens out a protected group.
- Validation: Any test with adverse impact must be validated for the specific job. Three accepted methods: criterion-related, content, and construct validity.
- Alternative procedures: If a validated test has adverse impact, employers must consider alternative, less-discriminatory testing methods.
The 4/5ths Rule Explained
The "four-fifths rule" (also called the 80% rule) is the EEOC's practical test for adverse impact:
A selection rate for any protected group that is less than 80% (4/5) of the rate for the group with the highest selection rate constitutes evidence of adverse impact.
Example: If 80% of white candidates pass a cognitive ability test, but only 55% of Black candidates pass, the ratio is 55/80 = 68.75% — below the 80% threshold, triggering an adverse impact finding.
2025-2026 Policy Developments
Under the current administration, the EEOC has:
- Strengthened enforcement of disparate impact claims
- Published updated technical assistance on AI hiring tools (2025)
- Signaled increased focus on testing validation documentation
- Maintained the 4/5ths rule as the primary screening metric
State-Level Developments
State | Law | Impact on Testing
New York City | Local Law 144 (2023→2026) | Mandatory bias audits for AI-scored assessments; penalties up to $1,500/violation/day
California | CCPA + proposed AI hiring law | Testing data as personal information; proposed bill would require validation disclosure
Illinois | Artificial Intelligence Video Interview Act | Requires disclosure of AI analysis and consent for recorded interviews
Maryland | HB 1202 (2020) | Bans use of facial recognition in pre-employment assessment without consent
4. NYC Local Law 144: The Benchmark for AI Testing Regulation
New York City Local Law 144 — formally the "Automated Employment Decision Tools" (AEDT) law — has become the template for AI hiring regulation:
Who it applies to: Employers using AEDTs to hire employees based in NYC.
What it requires:
Requirement | Detail
Bias audit | Annual independent audit for race/ethnicity and gender impact
Public disclosure | Audit results must be published on the employer's website
Notice to candidates | Notice of AEDT use 10+ business days before assessment
Alternative process | Candidates can request reasonable accommodation or alternative assessment
Penalties | Up to $1,500 per violation per day
2026 enforcement reality: While the law passed in 2023, enforcement has expanded significantly in 2026. AWS, Indeed and HireVue have all been subject to compliance challenges. Any AI-scored psychometric test used for NYC-based candidates likely qualifies as an AEDT.
5. EU GDPR: Data Protection for Psychometric Testing
For employers hiring in the EU, the GDPR (Regulation (EU) 2016/679) imposes additional — and in some areas stricter — requirements than UK GDPR.
Key Differences from UK GDPR
Element | EU GDPR | UK GDPR
Data sovereignty | Data must stay in EEA or covered adequacy jurisdiction | Separate adequacy framework
Automated decisions | Article 22 - broader interpretation of "legal effects" | Similar but evolving case law
One-stop shop | Lead supervisory authority for cross-border processing | No equivalent mechanism
Fines | Up to €20M or 4% global turnover | Up to £17.5M or 4% global turnover
Psychological Data as Special Category
The EU's Article 29 Working Party (now EDPB) has explicitly stated that psychological test profiles can constitute data concerning health — requiring:
- Explicit consent or substantial public interest basis
- Data Protection Impact Assessment (DPIA)
- Documented necessity for the specific role
- Limited retention (typically maximum 6 months post-recruitment decision)
EU AI Act: The New Frontier
The EU AI Act (effective August 2024, with phased enforcement through 2027) classifies many psychometric assessment tools as high-risk AI systems:
Compliance Requirement | Deadline
Risk classification documentation | 2025 (complete)
Conformity assessment (CE marking) | Mid-2026
Human oversight and transparency | Ongoing
Training data governance | Ongoing
6. Cross-Border Compliance: Global Employers' Checklist
Side-by-Side Comparison
Requirement | UK | US (Federal) | EU
Primary law | UK GDPR + Equality Act 2010 | Title VII + EEOC Uniform Guidelines | GDPR + EU AI Act
Bias testing required? | Indirect discrimination analysis | 4/5ths adverse impact calculation | DPIA required
AI-specific regulation | ICO AI guidance (2025) | NYC LL144 + state laws | EU AI Act (high-risk)
Data retention limit | 6-12 months recommended | No federal limit (state varies) | 6 months maximum
Candidate consent | Implied or explicit | Not always required (advised) | Explicit for special category
Fines | Up to £17.5M or 4% turnover | EEOC remedies (back pay, damages, injunctions) | Up to €20M or 4% turnover
Validation requirement | Job-relatedness + reasonable adjustments | Job-relatedness + business necessity | Necessity + proportionality
Multi-Jurisdiction Data Transfer
For employers running psychometric tests across borders:
- UK→EU transfers: UK adequacy decision remains in place (renewed 2025)
- UK→US transfers: UK International Data Transfer Agreement (IDTA) + Transfer Risk Assessments
- EU→US transfers: Data Privacy Framework (DPF) certification required
- All jurisdictions: EU Standard Contractual Clauses (SCCs) as fallback
Choosing a Compliant Platform
When selecting a psychometric testing platform for cross-border use, verify:
- ISO 27001 certification (information security)
- GDPR-by-design architecture (data sovereignty options)
- Built-in adverse impact reporting (4/5ths rule calculator)
- Bias audit readiness (NYC LL144 support)
- SOC 2 Type II certification (US data security standard)
7. Key Legal Risks & How to Mitigate Them
Risk | Jurisdiction | Mitigation
Adverse impact class action | US | Run regular 4/5ths rule analysis; validate tests per role; document alternative procedure searches
GDPR data breach or SAR | UK/EU | Implement data retention policies; encrypt test data; prepare template SAR responses
Disability discrimination | UK/EU/US | Offer reasonable adjustments proactively; use accessible test formats; document accommodation requests
AI bias allegation | US (NYC), EU | Conduct bias audits; publish results; maintain human review trail
Cross-border data transfer violation | UK→US, EU→US | Sign SCCs/IDTA; complete transfer risk assessments; use data-sovereign platform
Automated decision challenge | UK/EU (Article 22) | Maintain human-in-the-loop review; document override process; provide candidate appeal mechanism
8. Compliance Checklist: 10 Steps Before Deploying Psychometric Tests
- Conduct a job analysis: Identify the specific competencies and traits required for the role.
- Validate your test: Ensure the test measures what it claims to measure for the specific job (criterion-related or content validity).
- Document adverse impact: Run the 4/5ths rule calculation on your test results by race/ethnicity and gender.
- Complete a DPIA: Required for UK GDPR and EU GDPR when processing psychological data or using AI scoring.
- Establish data retention policy: Delete test data 6-12 months post-recruitment decision. Document in your privacy notice.
- Prepare reasonable adjustments: Offer alternative formats, extra time, and alternative assessments for candidates with disabilities.
- Provide transparency: Tell candidates what tests they will take, how results are scored, and whether AI is involved.
- Set human oversight: Ensure no fully automated rejection based on test scores alone.
- Publish bias audit (if NYC): For NYC-based hiring, annual bias audit and public disclosure are legally required.
- Review annually: Regulations change — review your compliance posture at least once per year.
9. Frequently Asked Questions
Is psychometric testing legal in the UK?
Yes, psychometric testing is legal in the UK when conducted in compliance with the UK GDPR, Equality Act 2010, and ICO guidance. Key requirements include: using validated tests, providing reasonable adjustments for disabled candidates, not making solely automated decisions, and retaining test data only as long as necessary.
What is the 4/5ths rule for adverse impact?
The 4/5ths (80%) rule is the EEOC's practical test for adverse impact in the US. If a protected group's selection rate is less than 80% of the group with the highest selection rate, it indicates potential adverse impact — triggering the need for job-validation evidence.
Can candidates refuse a psychometric test?
In the UK and EU, candidates can generally refuse, but employers are not obligated to proceed with the application. However, the GDPR requires that consent be freely given — a "refuse = no job" framing may invalidate consent. In the US, refusal is typically considered at-will for private employers.
How long can employers keep psychometric test results?
Best practice: UK—6 months for unsuccessful candidates, duration of employment for hired candidates (with documented necessity). EU—maximum 6 months. US—no federal limit, but state laws vary; 12 months recommended for adverse impact record-keeping. NYC LL144 requires retaining bias audit data for 3 years.
Do AI-scored psychometric tests need bias audits?
In New York City (Local Law 144), yes — an annual independent bias audit is legally required. Under the EU AI Act, high-risk AI systems (including most AI-scored psychometric tools) require conformity assessment and ongoing monitoring. The UK ICO recommends but does not yet mandate bias audits, though this is expected to change.
Author Bio
This guide was prepared by the SIGMUND content team, drawing on publicly available regulatory guidance from the EEOC, ICO, EDPB, and NYC Department of Consumer and Worker Protection. For jurisdiction-specific compliance requirements, consult a qualified employment attorney.
Last updated: May 27, 2026
10.
Further Reading
- GDPR-Compliant Psychometric Testing Guide — UK and EU data protection requirements for HR assessments
- EU AI Act Compliance for Psychometric Testing — navigate the 2026 regulatory framework
- Big Five vs MBTI for Hiring — evidence-based personality test comparison
Conclusion: Future-Proof Your Hiring Compliance
The compliance landscape for psychometric testing is converging toward three universal requirements: transparency, validation, and human oversight. Whether you hire in London, New York, or Berlin, the trend is clear — regulators expect employers to understand and document how their assessment tools work, impact different groups, and protect candidate data.
Key takeaways for 2026 and beyond:
- If you hire in multiple jurisdictions, adopt the strictest standard (currently NYC LL144 for AI bias, EU GDPR for data protection).
- Validation is no longer optional — regulators increasingly expect criterion-related validity evidence for every test-job pairing.
- Documentation is your defence — DPIAs, bias audits, and data retention policies are your strongest protection against regulatory action.
- Choose a platform that embeds compliance — SIGMUND's platform is designed with data sovereignty, ISO 27001, and built-in adverse impact reporting to help employers navigate these complex requirements.
Related Reading
⬜ - SIGMUND's Psychometric Testing and GDPR Guide
⬜ - Top Psychometric Testing Platforms in 2026
⬜ - Complete Guide to Psychometric Testing for Recruitment
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Employers should consult qualified legal counsel for jurisdiction-specific compliance guidance.
JSON-LD Structured Data
Article Schema
"@context": "https://schema.org",
"@type": "Article",
"headline": "Psychometric Testing Legal Compliance: UK, US & EU Employer's Guide (2026)",
"description": "Complete guide to psychometric testing compliance across the UK, US and EU. Covers GDPR, EEOC Uniform Guidelines, adverse impact rules, AI hiring laws, and cross-border risk management for HR teams.",
"datePublished": "2026-05-27",
"dateModified": "2026-05-27",
"author": {
"@type": "Organization",
"name": "SIGMUND",
"url": "https://sigmundtest.com/en"
"publisher": {
"@type": "Organization",
"name": "SIGMUND"
"about": {
"@type": "Thing",
"name": "Psychometric testing legal compliance",
"sameAs": "https://en.wikipedia.org/wiki/Psychometrics"
FAQPage Schema
"@context": "https://schema.org",
"@type": "FAQPage",
"mainEntity": [
"@type": "Question",
"name": "Is psychometric testing legal in the UK?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Yes, psychometric testing is legal in the UK when conducted in compliance with the UK GDPR, Equality Act 2010, and ICO guidance. Key requirements include using validated tests, providing reasonable adjustments, not making solely automated decisions, and retaining test data only as long as necessary."
"@type": "Question",
"name": "What is the 4/5ths rule for adverse impact?",
"acceptedAnswer": {
"@type": "Answer",
"text": "The 4/5ths (80%) rule is the EEOC's practical test for adverse impact in the US. If a protected group's selection rate is less than 80% of the group with the highest selection rate, it indicates potential adverse impact, triggering the need for job-validation evidence."
"@type": "Question",
"name": "Can candidates refuse a psychometric test?",
"acceptedAnswer": {
"@type": "Answer",
"text": "In the UK and EU, candidates can generally refuse, but employers are not obligated to proceed with the application. However, the GDPR requires that consent be freely given. In the US, refusal is typically considered at-will for private employers."
"@type": "Question",
"name": "How long can employers keep psychometric test results?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Best practice varies by jurisdiction: UK — 6 months for unsuccessful candidates; EU — maximum 6 months; US — no federal limit, 12 months recommended. NYC Local Law 144 requires retaining bias audit data for 3 years."
"@type": "Question",
"name": "Do AI-scored psychometric tests need bias audits?",
"acceptedAnswer": {
"@type": "Answer",
"text": "In New York City (Local Law 144), yes — annual independent bias audit is required. Under the EU AI Act, high-risk AI systems require conformity assessment. The UK ICO recommends but does not yet mandate bias audits."
Production Notes
H2 sections: 10
FAQ: 5 Q&As with JSON-LD
Internal links to add: SIGMUND GDPR article + platforms comparison + AI testing article
Gate target: ≥85/100 CORE-EEAT


Leave a commentOrder by
Newest on top Oldest on top