You use psychometric tests in hiring. That is legal. The problem: most companies using them right now are not fully compliant — and they do not know it.

Psychometric Test Legal Compliance: Why HR Gets This Wrong
Here is the real situation. A hiring manager finds a psychometric test. It looks credible. It measures personality or cognitive ability. The test goes into the recruitment process. No one asks the legal question. The process runs for months — sometimes years — before anyone raises a compliance concern.
This is not negligence. It is a knowledge gap. Psychometric test legal requirements sit at the intersection of employment law, privacy regulation, and HR practice. Most HR professionals are trained in none of the three in depth.
The result: real legal exposure, for both the company and the individuals making hiring decisions.
Attention: UK GDPR and US privacy law both apply from the moment a candidate starts a psychometric test. Data protection obligations begin at first data collection — not at contract signature. Waiting until onboarding to think about compliance is already too late.
The Scale of the Problem
Psychometric assessments are widely used. According to the Society for Human Resource Management, more than 18% of US employers use personality tests as part of the hiring process, and that figure rises significantly for management-level roles. In the UK, the use of assessments in graduate and executive hiring is standard practice.
Yet the compliance infrastructure around these tools rarely matches their adoption rate. Most organisations collect candidate data through tests without a documented legal basis, a proper information notice, or a defined retention schedule.
"92% of HR leaders consider engagement and retention very important — but regulatory compliance remains the least prioritised area of HR operations." — Deel, HR Guide 2026
What "Non-Compliant" Actually Means in Practice
Non-compliance is not abstract. It takes concrete forms that HR teams encounter every week without recognising the risk:
- No legal basis documented for processing candidate personality data
- Consent obtained incorrectly — buried in general terms, not specific to the test
- Results retained indefinitely after the recruitment process closes
- No response process for candidate subject access requests
- Test data transferred to a third-party platform without a data processing agreement
- No adverse impact analysis conducted on test results — creating EEOC exposure in the US
Each of these gaps creates a different category of risk. Together, they create a compliance picture that few HR departments would want to defend in front of the ICO — or in an employment tribunal.
Why This Guide Exists
Most resources on this topic fall into one of two categories. Legal briefs written for lawyers. Or vendor pages that confirm a tool is "GDPR compliant" without explaining what that means for the HR professional using it.
This guide is neither. It is written for the HR manager who needs to understand psychometric test GDPR compliance well enough to make decisions, ask the right questions, and build a process that holds up to scrutiny.
By the end, you will know exactly:
- Which legal basis applies to your specific recruitment context
- What candidate information you must provide before the test starts
- How long you can legally retain psychometric results
- What candidate rights look like in practice — and how to respond to them
- What financial and legal sanctions are at stake if you get this wrong
What Psychometric Tests Actually Measure — and Why That Matters Legally
Not all test data carries the same legal weight. Understanding what a psychometric assessment measures determines which compliance rules apply — and how strictly.
Three Categories of Psychometric Data
A well-designed psychometric assessment typically measures one or more of the following:
- Cognitive ability — reasoning speed, numerical aptitude, verbal comprehension, abstract thinking
- Personality traits — Big Five dimensions, behavioural preferences, interpersonal style
- Work style preferences — decision-making patterns, communication tendencies, stress responses
Under UK GDPR and US privacy frameworks, all three categories constitute personal data the moment they can be linked to an identifiable individual. This triggers data protection obligations from the first response submitted.
Key point: Personality and emotional stability data may qualify as special category data under UK GDPR Article 9 if the results could reveal health-related information — including mental health indicators. This triggers a higher level of protection and a stricter legal basis requirement. The ICO has confirmed this in its employment practices guidance.
The ADA Risk Hidden in Cognitive Testing
In the United States, cognitive ability tests carry a specific legal risk that many HR teams underestimate. According to RKW Law Group, personality and cognitive tests can be considered disability-related inquiries under the Americans with Disabilities Act if they are designed or normed in a way that screens out individuals with protected conditions.
This does not mean cognitive tests are prohibited. It means they require careful selection and a documented rationale. A test that has not been validated for adverse impact across protected groups creates EEOC exposure — regardless of the employer's intent.
The practical question to ask about every test in your process: Has this assessment been validated for the role, and has an adverse impact analysis been conducted on the results?
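One way to make the second half of that question concrete, as an added example that is not SIGMUND's code or anything the article itself prescribes: compute the pass rate per candidate group and compare each group against the best-performing one. The threshold used below is the "four-fifths rule" from the EEOC Uniform Guidelines (29 CFR 1607.4(D)), under which a group whose selection rate is below 80% of the highest group's rate is generally treated as a signal of adverse impact. The outcome records and group labels are constructed placeholders; which statistic is appropriate for a given selection procedure, and how small samples are handled, is a question for employment counsel.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Four-fifths rule threshold from the EEOC Uniform Guidelines (29 CFR 1607.4(D)).
FOUR_FIFTHS = 0.8

# Constructed sample: (candidate_id, demographic_group, passed_cutoff).
# Group labels are illustrative placeholders, not real demographic categories.
SAMPLE_OUTCOMES: List[Tuple[str, str, bool]] = [
    ("c001", "group_a", True), ("c002", "group_a", True), ("c003", "group_a", True),
    ("c004", "group_a", True), ("c005", "group_a", False),
    ("c006", "group_b", True), ("c007", "group_b", False), ("c008", "group_b", False),
    ("c009", "group_b", False), ("c010", "group_b", True),
]


def selection_rates(outcomes: Iterable[Tuple[str, str, bool]]) -> Dict[str, float]:
    """Pass rate per group: candidates passing the cutoff / candidates tested."""
    tested: Dict[str, int] = defaultdict(int)
    passed: Dict[str, int] = defaultdict(int)
    for _cid, group, ok in outcomes:
        tested[group] += 1
        if ok:
            passed[group] += 1
    return {g: passed[g] / tested[g] for g in tested}


def impact_ratios(rates: Dict[str, float]) -> Dict[str, float]:
    """Each group's selection rate relative to the highest group's rate."""
    if not rates:
        return {}
    top = max(rates.values())
    if top == 0:
        # Nobody passed in any group: there is no differential to report.
        return {g: 1.0 for g in rates}
    return {g: r / top for g, r in rates.items()}


def flagged_groups(outcomes: Iterable[Tuple[str, str, bool]],
                   threshold: float = FOUR_FIFTHS) -> List[str]:
    """Groups whose impact ratio falls below the threshold and so need review."""
    ratios = impact_ratios(selection_rates(outcomes))
    return sorted(g for g, ratio in ratios.items() if ratio < threshold)


if __name__ == "__main__":
    rates = selection_rates(SAMPLE_OUTCOMES)
    for group, ratio in impact_ratios(rates).items():
        print(f"{group}: selection rate {rates[group]:.2f}, impact ratio {ratio:.2f}")
    print("flag for review:", flagged_groups(SAMPLE_OUTCOMES))
```

A flag is not a finding of discrimination; it is the trigger for the documented job-relatedness review the article describes. Run the check on each campaign's results and keep the output with the validation file for that test.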
What Structured Assessments Prevent
This is worth stating directly. Psychometric tests, when properly selected and legally administered, reduce bias in hiring decisions. An unstructured interview is subject to halo effects, affinity bias, and inconsistent questioning. A validated assessment applies the same measurement to every candidate.
The structured HR assessments used in modern recruitment platforms are designed precisely for this purpose: objective measurement, documented scoring, and results that can be reviewed, contested, and explained to a candidate on request.
That last point — the ability to explain results to a candidate — is not optional. It is a legal requirement under both UK GDPR and US employment law. More on this in Part 2.
The Compliance Gap: Where Most Employers Currently Stand
The gap between how psychometric tests are used and how they should be used is specific and measurable. These are not theoretical failures. They show up in ICO enforcement notices and EEOC litigation records.
What the Data Shows
Consider these figures:
- £17.5 million — maximum fine the ICO can issue under UK GDPR for serious data protection failures (or 4% of global annual turnover, whichever is higher)
- 30 days — the UK GDPR deadline for responding to a subject access request from a candidate
- 72 hours — the window to notify the ICO of a personal data breach
- $100,000+ — average cost of defending a single EEOC discrimination claim in the US, before settlement
- 2 years — recommended maximum retention period for candidate psychometric data under most EU and UK guidance
"Pre-hire personality tests are setting legal challenges for employers — particularly when tests have not been validated for job-relatedness or when adverse impact has not been assessed." — Bloomberg Law
The Question HR Teams Are Not Asking
How many HR professionals, before deploying a psychometric test, ask the vendor for their data processing agreement? How many check whether the test data is stored on EU servers — or transferred to the United States under a mechanism that meets UK GDPR adequacy standards?
These are not abstract questions. They are the questions a data protection officer asks after an incident. The goal of this guide is to make them part of the procurement conversation instead.
Attention: Using a psychometric test vendor based outside the UK or EU does not transfer your legal responsibility. As the data controller, your organisation remains accountable for how candidate data is processed — regardless of where the platform sits. Vendor compliance is necessary but not sufficient.
A Practical Starting Point
Before reading the remaining sections of this guide, run a quick audit of your current psychometric testing practice. Answer these four questions honestly:
- Do you have a documented legal basis for processing each category of psychometric data you collect?
- Does your candidate information notice mention the test specifically — its purpose, the data collected, and how results are used?
- Do you have a defined retention period for test results, and is it enforced automatically or manually?
- Has your test been validated for adverse impact across the candidate populations you assess?
If the answer to any of these is "no" or "I'm not sure," the following sections will give you the exact steps to fix it. Exploring a compliant test catalogue built with these requirements in mind is a practical place to start.
Key point: Compliance is not a one-time checkbox. It is a process. The organisations that manage it well are those that have embedded legal requirements into their standard HR workflow — not treated them as an afterthought. That is exactly what the next sections of this guide are designed to help you do.
Candidate Rights Under GDPR: What HR Must Have Ready Before the First Test
GDPR creates a two-sided relationship. For every right a candidate holds, your HR team needs a working procedure — not a good intention. Here are the five rights that apply directly to psychometric testing, and what each one demands from your organization.
Right of Access (Art. 15)
A candidate can request a complete copy of their data — including raw test scores — at any time. Your deadline: 30 days. The response must be written and free of charge. If your testing platform cannot export individual candidate data on demand, you have a structural compliance problem. Not a minor gap. A structural one.
According to the ICO's official guidance on subject access requests, organizations must provide data in a commonly used, machine-readable format when requested.
Right to Erasure (Art. 17)
Once the purpose of the test is fulfilled — the hiring decision is made — the candidate can request deletion of their data. You must comply, unless a legal retention obligation applies. Many employers confuse "we might hire them later" with a legal basis for keeping data. It is not. Retention must be justified. It must be documented. It must have an end date.
Right to Portability (Art. 20) and Rectification (Art. 16)
Portability applies only when your legal basis is explicit consent. The candidate can then request their data in a machine-readable format — JSON, CSV, or equivalent. If you are using legitimate interest as your legal basis, portability does not apply. Confusing the two creates procedural errors that are entirely avoidable.
Rectification is simpler: if a data entry error exists — wrong name, misattributed test result — you correct it. Immediately. No deliberation required.
Right to Object (Art. 21)
When your legal basis is legitimate interest, a candidate can object to the processing of their data. At that point, you must demonstrate a compelling overriding reason to continue. If you cannot, you stop. Note: if your legal basis is explicit consent, this right does not apply. The candidate simply withdraws consent — and processing stops immediately. Two different procedures. Two different legal bases. Do not mix them.
Attention: The ICO can audit your ability to respond to a subject access request within 30 days. This is not a paperwork question. It is a technical and organizational requirement. If your HR team cannot locate, compile, and send a candidate's complete data in time, your process is non-compliant — regardless of your intentions.
The Concrete Checklist: What to Put in Place Before Running Any Test
Rights on paper mean nothing without operational procedures behind them. Here is the minimum required to be compliant today:
- Designate a single contact point for all GDPR-related requests — your DPO or a trained HR manager
- Maintain a request log with timestamps for every incoming request and every response sent
- Prepare response templates for each right: access, erasure, portability, rectification, objection
- Train every recruiter to recognize a GDPR request — even when it arrives informally by email, with no legal language
- Verify your testing tool can export individual candidate data on demand, in a structured format
- Document your legal basis in writing before each testing campaign — not after a complaint arrives
Key point: A 2023 study by the IAPP found that 68% of organizations that received a regulatory inquiry were unable to demonstrate a documented response procedure for subject access requests. Having the right to say you are compliant is not the same as being able to prove it.
Transparency and Data Security: What Candidates Must Know Before They Click "Start"
Transparency is not a courtesy. Under UK GDPR Article 13, it is a legal obligation. Before any candidate begins a psychometric test, specific information must be communicated — clearly, in plain language, and in advance. Not buried in a 12-page privacy policy. Not sent after the test is completed.
What Must Be Communicated Before the Test
The ICO specifies that candidates must be informed of the following before data collection begins:
- The identity of the data controller — your organization, not the testing vendor
- The purpose of the test — what it measures and how results will be used in the hiring decision
- The legal basis for processing — explicit consent or legitimate interest, stated clearly
- The retention period — how long data is kept and under what conditions it is deleted
- Third-party access — whether results are shared with other systems, platforms, or decision-makers
- How to exercise their rights — a direct contact point, not a generic privacy email
"The requirement is not just to inform — it is to inform in a way that a reasonable candidate, with no legal background, can understand." — ICO, Guide to the UK GDPR, Article 13 Commentary
One practical way to demonstrate this process is to review how a compliant platform handles candidate communication end to end. SIGMUND's GDPR compliance page illustrates what a transparent pre-test information flow looks like in practice — before the first question is displayed.
Data Storage, Retention Periods, and International Transfers
Where is your candidate data stored? Who can access it? What happens to it after a hiring decision is made?
These are not IT questions. They are compliance questions — and the answers must be documented before you run a single test.
The ICO recommends a retention period proportional to the purpose. For recruitment, the general standard is 6 to 12 months after the end of the process, unless a specific legal obligation extends that period. Keeping data "just in case" is not a valid justification under UK GDPR.
- Storage location: If data is stored on servers outside the UK or EU, a transfer mechanism is required — Standard Contractual Clauses (SCCs) or an adequacy decision
- Anonymization vs. pseudonymization: Anonymized data is no longer subject to GDPR. Pseudonymized data still is — do not confuse them when planning your retention strategy
- Access controls: Only personnel directly involved in the hiring decision should be able to view test results. Broad internal access is a compliance risk
- Vendor agreements: Your testing platform is a data processor. You need a Data Processing Agreement (DPA) in place — in writing, before processing begins
Key point: Under UK GDPR, the data controller — your organization — remains responsible for how the data processor (your testing vendor) handles candidate data. A vendor's claim of compliance does not transfer liability away from you. You must verify it. You must document it.
Can You Require a Candidate to Take a Psychometric Test?
This question surfaces in almost every HR compliance discussion. The answer is nuanced — but it exists clearly in both US and UK frameworks.
In the UK: yes, you can make a psychometric test a condition of your recruitment process. Provided the test is job-relevant, the candidate is informed in advance, and the data is processed lawfully. The Lexology employment law review confirms this principle applies across most common law jurisdictions.
In the US: the legal picture adds a layer of complexity. Under the Americans with Disabilities Act (ADA), any pre-employment test that could reveal a disability — or that functions as a medical examination — is restricted before a conditional job offer. According to NOLO's employment law guidance, personality tests that do not screen for mental disorders generally fall outside ADA medical examination restrictions. But the line is not always obvious. If a test measures traits that could be interpreted as disability-related — anxiety, emotional regulation, impulse control — legal exposure increases.
EEOC guidelines add another requirement: any test used in hiring must not produce adverse impact on a protected class. If a test consistently results in lower pass rates for candidates of a particular race, gender, or national origin, the employer must demonstrate the test is job-related and consistent with business necessity. This is not optional. EEOC enforcement actions resulting from non-validated assessments have cost employers millions in settlements. Bloomberg Law documented several cases where pre-hire personality tests triggered both ADA and Title VII litigation simultaneously.
Attention: The RKW Law Group has explicitly flagged psychometric tests as a potential ADA risk when they probe areas related to mental health conditions. The safest approach: use assessments validated for specific job competencies, not broad personality profiling. And document the validation study behind every test you use.
For HR teams managing both UK and US hiring, structured HR assessments built for compliance provide the documented validity evidence that regulators on both sides of the Atlantic require — before a dispute arises, not after.
The bottom line: you can require the test. You cannot ignore the legal framework around it. The Employment Law Center's analysis of privacy law in the workplace makes this explicit — employer rights to test are real, but they come with procedural obligations that must be met before testing begins, not retrofitted after a complaint is filed.
Data Security: How Long Can You Keep Psychometric Test Results?

Here is a question most HR teams cannot answer confidently: how long do you keep a rejected candidate's psychometric results?
If you do not know the answer, you are exposed. Both under UK GDPR and US state privacy laws, retention without purpose is a violation. The rule is simple: keep data only as long as you have a documented reason to keep it.
Storage: Where the Data Lives Matters
Storing psychometric results on an unsecured shared drive is not a technical detail. It is a liability. Under UK GDPR Article 32, you must implement appropriate technical and organisational measures to protect personal data.
Concretely, that means:
- Encryption at rest and in transit — test results must not travel unprotected across systems
- Access controls — only the hiring manager and HR lead should see a candidate's results
- Audit logs — you must be able to show who accessed what, and when
- Breach response plan — you have 72 hours to notify the ICO after discovering a breach
Retention Periods: The Practical HR Answer
There is no single legal number. But there is a clear framework. The ICO recommends defining a retention schedule before you collect the data — not after.
For psychometric test results specifically:
- Unsuccessful candidates (UK/EU): 6 to 12 months is standard practice — long enough to defend a discrimination claim, short enough to remain proportionate
- Hired candidates: retain for the duration of employment plus a legally defensible period (typically 2 years post-departure)
- US context: EEOC regulations require retention of personnel records for at least 1 year from the date the record was made, or from the date of the employment action, whichever is later
Attention: Keeping data "just in case" is not a legal basis. If a candidate asks you why you still hold their results 3 years later, you need a documented answer. If you do not have one, delete the data.
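The retention rules above only protect you if something actually computes a deletion date for every record and acts on it. The following is an added example of such a schedule, not SIGMUND's code: it turns the three rules in the list (UK/EU unsuccessful candidates, hired candidates, and the US one-year minimum) into a deletion date per record and lists the records that are overdue. The sample records are constructed; the 12-month figure for unsuccessful UK/EU candidates is an assumption at the top of the 6 to 12 month range the article gives, and the `TestRecord` fields are invented for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

# Retention rules taken from the article; the exact figures are assumptions where noted.
UNSUCCESSFUL_RETENTION_MONTHS = 12    # assumption: top of the 6-12 month UK/EU range
POST_DEPARTURE_RETENTION_MONTHS = 24  # "typically 2 years post-departure" for hired candidates
US_MIN_RETENTION_MONTHS = 12          # EEOC: at least 1 year from record made or action, whichever later


def add_months(d: date, months: int) -> date:
    """Add calendar months, clipping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class TestRecord:
    candidate_id: str
    jurisdiction: str                       # "UK" or "US"
    outcome: str                            # "unsuccessful" or "hired"
    record_made: date                       # when the result was first stored
    decision_date: date                     # hiring decision / employment action
    employment_end: Optional[date] = None   # set when a hired candidate leaves


def deletion_due(rec: TestRecord) -> Optional[date]:
    """Date on which the record must be deleted, or None while retention is open-ended."""
    if rec.outcome == "hired":
        if rec.employment_end is None:
            return None  # retain for the duration of employment
        return add_months(rec.employment_end, POST_DEPARTURE_RETENTION_MONTHS)
    if rec.outcome == "unsuccessful":
        if rec.jurisdiction == "US":
            # One year from the record being made or the employment action, whichever is later.
            start = max(rec.record_made, rec.decision_date)
            return add_months(start, US_MIN_RETENTION_MONTHS)
        return add_months(rec.decision_date, UNSUCCESSFUL_RETENTION_MONTHS)
    raise ValueError(f"unknown outcome {rec.outcome!r}")


def records_due_for_deletion(records: Iterable[TestRecord], today: date) -> List[str]:
    """Candidate ids whose deletion date has arrived; feed this list to the deletion job."""
    due = []
    for rec in records:
        d = deletion_due(rec)
        if d is not None and d <= today:
            due.append(rec.candidate_id)
    return sorted(due)


# Constructed sample records.
SAMPLE_RECORDS = [
    TestRecord("cand-001", "UK", "unsuccessful", date(2024, 3, 10), date(2024, 3, 15)),
    TestRecord("cand-002", "US", "unsuccessful", date(2024, 5, 1), date(2024, 2, 10)),
    TestRecord("cand-003", "UK", "hired", date(2023, 1, 9), date(2023, 1, 20)),
    TestRecord("cand-004", "UK", "hired", date(2019, 4, 2), date(2019, 4, 12),
               employment_end=date(2022, 6, 30)),
]

if __name__ == "__main__":
    today = date(2025, 4, 1)
    for rec in SAMPLE_RECORDS:
        print(rec.candidate_id, "delete on", deletion_due(rec))
    print("due now:", records_due_for_deletion(SAMPLE_RECORDS, today))
```

Run on a schedule, the output of `records_due_for_deletion` is the documented answer to "why do you still hold my results": every record either has a future deletion date derived from a written rule, or it has been deleted.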
Anonymization vs. Pseudonymization: Know the Difference
These two terms are used interchangeably. They should not be. The legal consequences are different.
Anonymization means the individual can never be re-identified. Once data is truly anonymous, GDPR no longer applies to it. You can retain it indefinitely for benchmarking purposes.
Pseudonymization replaces identifying fields with a code. The original identity can still be recovered with the right key. GDPR still applies. The data is still personal data.
Most psychometric platforms offer pseudonymization, not anonymization. Know which one you are using before making retention decisions.
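The difference is easiest to see in code. The example below is added here and is not SIGMUND's implementation: it pseudonymizes a constructed result set by replacing the e-mail address with a keyed HMAC code and keeps the lookup table that reverses it, then produces a benchmark from the same data by aggregating scores per role with no identifier at all. The first output can be turned back into named people by anyone holding the table, so it is still personal data; the second cannot. The minimum group size is an added safeguard (an assumption, not something the article specifies) so that a one-person "average" does not quietly identify that person.

```python
import hashlib
import hmac
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Dict[str, object]

# Constructed sample results; the e-mail address is the identifying field.
SAMPLE_RESULTS: List[Record] = [
    {"email": "a.applicant@example.com", "role": "analyst", "score": 60},
    {"email": "b.applicant@example.com", "role": "analyst", "score": 70},
    {"email": "c.applicant@example.com", "role": "analyst", "score": 80},
    {"email": "d.applicant@example.com", "role": "analyst", "score": 90},
    {"email": "e.applicant@example.com", "role": "analyst", "score": 100},
    {"email": "f.applicant@example.com", "role": "engineer", "score": 75},
    {"email": "g.applicant@example.com", "role": "engineer", "score": 85},
]

# Assumption: aggregates over fewer candidates than this are suppressed.
MIN_GROUP_SIZE = 5


def pseudonymize(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, str]]:
    """Replace the e-mail with a keyed code. The returned lookup table (and the
    HMAC key) is what makes the data re-identifiable: store it separately and
    restrict access to it. The output is still personal data under GDPR."""
    lookup: Dict[str, str] = {}
    out: List[Record] = []
    for r in records:
        email = str(r["email"])
        code = hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[code] = email
        out.append({"pseudonym": code, "role": r["role"], "score": r["score"]})
    return out, lookup


def reidentify(pseudonymized: Record, lookup: Dict[str, str]) -> str:
    """With the lookup table, the original identity comes straight back."""
    return lookup[str(pseudonymized["pseudonym"])]


def anonymize_for_benchmark(records: List[Record],
                            min_group_size: int = MIN_GROUP_SIZE) -> Dict[str, Dict[str, float]]:
    """Aggregate scores per role and drop every identifier. No key exists that
    maps a row back to a person, which is what takes the output outside GDPR."""
    scores_by_role: Dict[str, List[float]] = defaultdict(list)
    for r in records:
        scores_by_role[str(r["role"])].append(float(r["score"]))
    return {
        role: {"n": len(scores), "mean": statistics.fmean(scores)}
        for role, scores in scores_by_role.items()
        if len(scores) >= min_group_size
    }


if __name__ == "__main__":
    pseudo, table = pseudonymize(SAMPLE_RESULTS, b"constructed-demo-key")
    print("pseudonymized row:", pseudo[0])
    print("re-identified with the table:", reidentify(pseudo[0], table))
    print("anonymized benchmark:", anonymize_for_benchmark(SAMPLE_RESULTS))
```

When a platform says results are "anonymized", ask which of these two operations it actually performs. If a table, key or per-candidate code survives anywhere, the retention schedule still applies to that data.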
Key point: Transfers outside the EU/UK require an additional legal mechanism — Standard Contractual Clauses (SCCs) or an adequacy decision. If your psychometric provider stores data on US servers, this question is not optional.
SIGMUND's GDPR-Compliant Process: What Good Practice Looks Like
It is easy to claim compliance. It is harder to demonstrate it. Here is what a genuinely compliant psychometric platform does — and what you should verify with any provider you use.
Privacy by Design, Not Privacy by Checkbox
GDPR Article 25 requires privacy by design. That means compliance is built into the product architecture — not added as a feature after the fact.
SIGMUND's platform is built around this principle. Candidate data is collected only for defined assessment purposes. The legal basis is documented before the test is sent. Consent — when applicable — is captured with a clear, unbundled opt-in. Nothing is pre-ticked.
You can review the full framework on SIGMUND's dedicated GDPR compliance page, which details the technical and organisational measures in place.
Technical and Organisational Measures That Matter
Across all assessments — whether a personality test or a cognitive ability assessment — SIGMUND applies the same data protection standard:
- Encrypted data storage — results are never stored in plain text
- Role-based access — only authorised HR users see candidate results
- Automated deletion workflows — retention periods are enforced by the system, not by manual reminders
- Subject access request support — HR teams can respond to candidate requests within the 30-day legal window
- Data processing agreement — available to all clients, as required under GDPR Article 28
What This Means for Your HR Team Practically
You do not need to build a compliance process from scratch. You need to choose a provider that has already built it. Then you document your own legal basis and inform candidates properly.
"A psychometric tool is only as compliant as the process around it. The platform handles the technical layer. HR is responsible for the legal layer." — WP29 guidance on automated processing in employment contexts
The WP29 — the predecessor to the European Data Protection Board — explicitly flagged psychometric profiling in employment as an area requiring heightened attention. Relying on a platform with documented compliance measures is not optional. It is your first line of defence.
Sanctions and Legal Risks: What Non-Compliance Actually Costs
This is the section where abstract compliance concerns become concrete numbers. What happens if your psychometric testing process does not meet legal requirements?
UK GDPR: ICO Enforcement Powers
The Information Commissioner's Office has four main enforcement tools:
- Reprimands — formal warnings that go on the public record
- Enforcement notices — legally binding orders to change practices within a set timeframe
- Penalty notices (Tier 1): up to £8.7 million or 2% of global annual turnover, whichever is higher
- Penalty notices (Tier 2): up to £17.5 million or 4% of global annual turnover, whichever is higher — for the most serious violations
Psychometric data mishandling — particularly if it involves special category data or systematic profiling without adequate safeguards — falls into the upper tier. The ICO has signalled that employment-related data processing is a regulatory priority for 2025 and 2026.
Attention: ICO fines are not the only exposure. A candidate whose data was mishandled can bring a civil claim for compensation under UK GDPR Article 82 — independently of any ICO action. Two exposure channels, one compliance failure.
US Risks: EEOC Litigation and ADA Exposure
The US framework is different but equally serious. There is no single federal data protection law equivalent to GDPR. But there are three distinct legal risks for employers using psychometric tests:
- EEOC adverse impact claims: If a psychometric test produces statistically different pass rates across protected groups — race, sex, national origin — the employer must demonstrate business necessity. EEOC litigation against employers over pre-employment testing has a documented history dating back to the 1970s. Average EEOC settlement costs exceed $40,000 per charge, with class actions reaching into the millions.
- ADA disability-related inquiry risk: As analysed by RKW Law Group, personality tests that probe mental health tendencies may constitute prohibited disability-related inquiries under the Americans with Disabilities Act. The line between personality assessment and medical inquiry is not always clear — and courts do not always rule in the employer's favour.
- State privacy law exposure: Illinois (BIPA), California (CCPA/CPRA), and New York are expanding employee data rights rapidly. By 2026, an employer ignoring state-level data protection requirements in these jurisdictions is taking a calculable legal risk.
"Pre-hire personality tests set legal challenges for employers — particularly around disparate impact and disability discrimination claims." — Bloomberg Law, Pre-Hire Personality Tests analysis
The Risk Nobody Talks About: Reputational Exposure
Regulatory fines are quantifiable. Reputational damage is not — but it is often more costly. A candidate who discovers their personality data was retained without justification, shared without consent, or used to make an automated rejection is a candidate who talks.
According to a 2023 Glassdoor survey, 86% of job seekers check employer reviews before applying. A single public complaint about data mishandling in a hiring process generates a candidate experience narrative that is very hard to reverse.
Compliance is not just about avoiding fines. It is about protecting your employer brand at every touchpoint of the hiring process.
Psychometric Tests and Legal Compliance: Your HR Action Checklist
You have read the theory. Now here is what you do on Monday morning.
This checklist covers both UK GDPR and US employment law requirements. Work through it before you send your next assessment.
Before You Send the Test
- ✓ Legal basis documented: Have you decided whether you are using legitimate interest or explicit consent — and written it down in your records of processing activities?
- ✓ Candidate information notice sent: Does the candidate know the purpose of the test, how long data is kept, who processes it, and what their rights are — before they start?
- ✓ Provider DPA signed: Do you have a Data Processing Agreement with your psychometric test provider? If not, you are missing a mandatory GDPR requirement.
- ✓ ADA review completed (US): Has a qualified employment counsel reviewed whether the test includes items that could constitute disability-related inquiries?
- ✓ Adverse impact analysis planned: Do you have a process to monitor whether the test produces statistically different outcomes across protected groups?
After the Hiring Decision
- ✓ Retention schedule applied: Are unsuccessful candidates' results scheduled for deletion at the pre-defined retention date?
- ✓ Subject access request process ready: If a candidate emails tomorrow asking for their data, can you respond fully within 30 days (UK) or 45 days (US/CCPA)?
- ✓ Automated decision-making flagged: If the test result is used to filter candidates automatically, have you implemented the safeguards required under GDPR Article 22?
- ✓ Breach notification plan in place: Does your team know what to do — and who to call — within 72 hours of discovering a data breach?
Key point: None of these steps require a legal degree. They require a documented process and a compliant platform. HR teams that use structured HR assessments with built-in compliance workflows spend less time on legal risk — and more time on hiring decisions that actually matter.
One Final Question Worth Asking
Can you demonstrate — right now — that every psychometric test in your current recruitment process meets the legal requirements outlined in this article?
If the answer is not an immediate yes, you know where to start.
Compliance is not a constraint on good hiring. It is the foundation of it. Tests that are scientifically valid, fairly administered, and legally sound produce better hiring decisions — and protect every person in the process, candidate and employer alike.
The goal was never to use data. The goal was always to hire well. Compliance just ensures you can keep doing it.
Explore the full SIGMUND test catalogue to see how each assessment is designed with both scientific rigour and legal compliance built in from the start.
Ready to assess with confidence?
Discover SIGMUND's evaluation tests — scientifically validated, legally compliant, and immediately actionable for your hiring process.
Frequently Asked Questions
Psychometric tests are legal under GDPR, but most companies using them are not fully compliant. Compliance requires a documented legal basis, transparent candidate disclosure, and a defined data retention policy. Using a test without these 3 elements in place exposes your organisation to ICO sanctions.
The most commonly used legal bases are legitimate interest and, in some cases, consent. However, consent is problematic in a hiring context because it is rarely freely given. Legitimate interest is generally preferred, but it must be documented through a formal Legitimate Interest Assessment before testing begins.
Under UK GDPR, psychometric results must be deleted once you no longer have a documented purpose for keeping them. For rejected candidates, most organisations retain data for 6 to 12 months to defend potential discrimination claims. Retaining data beyond that period without justification is a direct violation.
Candidates have 5 key rights: the right to be informed before testing, the right to access their results, the right to erasure, the right to object to automated decision-making, and the right to data portability. Failing to honour any of these rights is a reportable GDPR breach under Article 77.
UK GDPR applies a single national framework with ICO enforcement and fines up to £17.5 million. US privacy law is fragmented across states — California's CCPA, Illinois' BIPA, and others impose different obligations. Companies operating in both jurisdictions must comply with both frameworks simultaneously, which significantly increases compliance complexity.
GDPR requires consent to be freely given, specific, and unambiguous. In a hiring context, candidates cannot freely refuse a test without risking rejection. This power imbalance means consent is not considered valid under Article 7 GDPR. The ICO explicitly warns against using consent as a legal basis in employment scenarios.
The ICO can issue fines of up to £17.5 million or 4% of global annual turnover — whichever is higher — for serious UK GDPR violations. Psychometric data qualifies as personal data, and in some cases as special category data, making non-compliance a high-severity breach that regulators actively investigate.
A compliant process includes 6 elements: a documented legal basis, a privacy notice sent before testing, a Data Processing Agreement with your test provider, secure storage with restricted access, a defined retention and deletion schedule, and a clear procedure to respond to candidate data access requests within 30 days.
