Assistant icon
Can I help you? What type of test are you looking for?

Luke SIGMUND Consultant

×
Assistant avatar
Can I help you? What type of test are you looking for?
HR and Psychometrics Blog
HUMAN RESOURCES BLOG & EXPERTISE

HR and Psychometrics Blog

Optimize your recruitment processes
Master psychometric tests
Modernize your skills assessments
Revolutionize annual appraisals
Leverage aptitude tests
Best HR & management practices

Psychometric Testing Legal Compliance: 2026 Guide for HR

Jun 6, 2026, 17:19 by Sam Martin

2. UK Compliance: GDPR, Equality Act 2010 & ICO Guidance

UK GDPR Post-Brexit

The UK GDPR, as retained and amended post-Brexit, governs how employers collect, store and process psychometric test data. Key obligations include:

Requirement | UK GDPR Obligation

Lawful basis for processing | Most employers rely on "legitimate interests" or "consent". The ICO advises that consent must be freely given — not coerced as a condition of employment.

Special category data | Psychological profiles may constitute data concerning "health" or "mental health" — requiring explicit consent or substantial public interest basis.

Data minimisation | Only collect test data necessary for the specific assessment purpose.

Retention limits | ICO guidance recommends retaining psychometric test data no longer than 6-12 months post-recruitment, unless required for ongoing employment.

Subject access requests (SARs) | Candidates can request access to their test results and algorithmic scoring logic.

Automated decision-making | Article 22 UK GDPR restricts solely automated decisions producing legal effects — including automated rejection based on test scores.

Equality Act 2010

The Equality Act 2010 prohibits discrimination based on nine protected characteristics. When using psychometric tests:

  • Reasonable adjustments: Employers must adjust testing for candidates with disabilities (e.g., extra time, screen-reader compatible formats, alternative test formats).
  • Indirect discrimination: An apparently neutral test requirement may indirectly disadvantage a protected group. Example: a verbal reasoning test that disadvantages non-native English speakers.
  • Job-relatedness: Tests must measure bona fide occupational requirements — personality traits relevant to the specific role, not general characteristics.

ICO Guidance on AI in Recruitment (2025 Update)

The Information Commissioner's Office published updated guidance in 2025 specifically addressing AI-driven psychometric assessments:

  • Fairness by design: Employers must audit training data for historical bias.
  • Transparency: Candidates must be told if AI is scoring their test and how.
  • Human oversight: Automated decisions must have meaningful human review.
  • Data Protection Impact Assessments (DPIAs): Required for any AI-scored testing tool.

3. US Compliance: EEOC Uniform Guidelines & Adverse Impact

Title VII of the Civil Rights Act

Title VII prohibits employment discrimination based on race, colour, religion, sex and national origin. Psychometric tests — as "selection procedures" — fall under its scope.

Uniform Guidelines on Employee Selection Procedures (1978)

The EEOC's Uniform Guidelines remain the foundational US framework for testing compliance. Despite being nearly 50 years old, they are actively enforced:

Three key principles:

  1. Adverse impact analysis: Employers must calculate whether a test disproportionately screens out a protected group.
  2. Validation: Any test with adverse impact must be validated for the specific job. Three accepted methods: criterion-related, content, and construct validity.
  3. Alternative procedures: If a validated test has adverse impact, employers must consider alternative, less-discriminatory testing methods.

The 4/5ths Rule Explained

The "four-fifths rule" (also called the 80% rule) is the EEOC's practical test for adverse impact:

A selection rate for any protected group that is less than 80% (4/5) of the rate for the group with the highest selection rate constitutes evidence of adverse impact.

Example: If 80% of white candidates pass a cognitive ability test, but only 55% of Black candidates pass, the ratio is 55/80 = 68.75% — below the 80% threshold, triggering an adverse impact finding.

2025-2026 Policy Developments

Under the current administration, the EEOC has:

  • Strengthened enforcement of disparate impact claims
  • Published updated technical assistance on AI hiring tools (2025)
  • Signaled increased focus on testing validation documentation
  • Maintained the 4/5ths rule as the primary screening metric

State-Level Developments

State | Law | Impact on Testing

New York City | Local Law 144 (2023→2026) | Mandatory bias audits for AI-scored assessments; penalties up to $1,500/violation/day

California | CCPA + proposed AI hiring law | Testing data as personal information; proposed bill would require validation disclosure

Illinois | Artificial Intelligence Video Interview Act | Requires disclosure of AI analysis and consent for recorded interviews

Maryland | HB 1202 (2020) | Bans use of facial recognition in pre-employment assessment without consent

4. NYC Local Law 144: The Benchmark for AI Testing Regulation

New York City Local Law 144 — formally the "Automated Employment Decision Tools" (AEDT) law — has become the template for AI hiring regulation:

Who it applies to: Employers using AEDTs to hire employees based in NYC.

What it requires:

Requirement | Detail

Bias audit | Annual independent audit for race/ethnicity and gender impact

Public disclosure | Audit results must be published on the employer's website

Notice to candidates | Notice of AEDT use 10+ business days before assessment

Alternative process | Candidates can request reasonable accommodation or alternative assessment

Penalties | Up to $1,500 per violation per day

2026 enforcement reality: While the law passed in 2023, enforcement has expanded significantly in 2026. AWS, Indeed and HireVue have all been subject to compliance challenges. Any AI-scored psychometric test used for NYC-based candidates likely qualifies as an AEDT.

5. EU GDPR: Data Protection for Psychometric Testing

For employers hiring in the EU, the GDPR (Regulation (EU) 2016/679) imposes additional — and in some areas stricter — requirements than UK GDPR.

Key Differences from UK GDPR

Element | EU GDPR | UK GDPR

Data sovereignty | Data must stay in EEA or covered adequacy jurisdiction | Separate adequacy framework

Automated decisions | Article 22 - broader interpretation of "legal effects" | Similar but evolving case law

One-stop shop | Lead supervisory authority for cross-border processing | No equivalent mechanism

Fines | Up to €20M or 4% global turnover | Up to £17.5M or 4% global turnover

Psychological Data as Special Category

The EU's Article 29 Working Party (now EDPB) has explicitly stated that psychological test profiles can constitute data concerning health — requiring:

  • Explicit consent or substantial public interest basis
  • Data Protection Impact Assessment (DPIA)
  • Documented necessity for the specific role
  • Limited retention (typically maximum 6 months post-recruitment decision)

EU AI Act: The New Frontier

The EU AI Act (effective August 2024, with phased enforcement through 2027) classifies many psychometric assessment tools as high-risk AI systems:

Compliance Requirement | Deadline

Risk classification documentation | 2025 (complete)

Conformity assessment (CE marking) | Mid-2026

Human oversight and transparency | Ongoing

Training data governance | Ongoing

6. Cross-Border Compliance: Global Employers' Checklist

Side-by-Side Comparison

Requirement | UK | US (Federal) | EU

Primary law | UK GDPR + Equality Act 2010 | Title VII + EEOC Uniform Guidelines | GDPR + EU AI Act

Bias testing required? | Indirect discrimination analysis | 4/5ths adverse impact calculation | DPIA required

AI-specific regulation | ICO AI guidance (2025) | NYC LL144 + state laws | EU AI Act (high-risk)

Data retention limit | 6-12 months recommended | No federal limit (state varies) | 6 months maximum

Candidate consent | Implied or explicit | Not always required (advised) | Explicit for special category

Fines | Up to £17.5M or 4% turnover | EEOC remedies (back pay, damages, injunctions) | Up to €20M or 4% turnover

Validation requirement | Job-relatedness + reasonable adjustments | Job-relatedness + business necessity | Necessity + proportionality

Multi-Jurisdiction Data Transfer

For employers running psychometric tests across borders:

  1. UK→EU transfers: UK adequacy decision remains in place (renewed 2025)
  2. UK→US transfers: UK International Data Transfer Agreement (IDTA) + Transfer Risk Assessments
  3. EU→US transfers: Data Privacy Framework (DPF) certification required
  4. All jurisdictions: EU Standard Contractual Clauses (SCCs) as fallback

Choosing a Compliant Platform

When selecting a psychometric testing platform for cross-border use, verify:

  • ISO 27001 certification (information security)
  • GDPR-by-design architecture (data sovereignty options)
  • Built-in adverse impact reporting (4/5ths rule calculator)
  • Bias audit readiness (NYC LL144 support)
  • SOC 2 Type II certification (US data security standard)

7. Key Legal Risks & How to Mitigate Them

Risk | Jurisdiction | Mitigation

Adverse impact class action | US | Run regular 4/5ths rule analysis; validate tests per role; document alternative procedure searches

GDPR data breach or SAR | UK/EU | Implement data retention policies; encrypt test data; prepare template SAR responses

Disability discrimination | UK/EU/US | Offer reasonable adjustments proactively; use accessible test formats; document accommodation requests

AI bias allegation | US (NYC), EU | Conduct bias audits; publish results; maintain human review trail

Cross-border data transfer violation | UK→US, EU→US | Sign SCCs/IDTA; complete transfer risk assessments; use data-sovereign platform

Automated decision challenge | UK/EU (Article 22) | Maintain human-in-the-loop review; document override process; provide candidate appeal mechanism

8. Compliance Checklist: 10 Steps Before Deploying Psychometric Tests

  1. Conduct a job analysis: Identify the specific competencies and traits required for the role.
  2. Validate your test: Ensure the test measures what it claims to measure for the specific job (criterion-related or content validity).
  3. Document adverse impact: Run the 4/5ths rule calculation on your test results by race/ethnicity and gender.
  4. Complete a DPIA: Required for UK GDPR and EU GDPR when processing psychological data or using AI scoring.
  5. Establish data retention policy: Delete test data 6-12 months post-recruitment decision. Document in your privacy notice.
  6. Prepare reasonable adjustments: Offer alternative formats, extra time, and alternative assessments for candidates with disabilities.
  7. Provide transparency: Tell candidates what tests they will take, how results are scored, and whether AI is involved.
  8. Set human oversight: Ensure no fully automated rejection based on test scores alone.
  9. Publish bias audit (if NYC): For NYC-based hiring, annual bias audit and public disclosure are legally required.
  10. Review annually: Regulations change — review your compliance posture at least once per year.

9. Frequently Asked Questions

Is psychometric testing legal in the UK?

Yes, psychometric testing is legal in the UK when conducted in compliance with the UK GDPR, Equality Act 2010, and ICO guidance. Key requirements include: using validated tests, providing reasonable adjustments for disabled candidates, not making solely automated decisions, and retaining test data only as long as necessary.

What is the 4/5ths rule for adverse impact?

The 4/5ths (80%) rule is the EEOC's practical test for adverse impact in the US. If a protected group's selection rate is less than 80% of the group with the highest selection rate, it indicates potential adverse impact — triggering the need for job-validation evidence.

Can candidates refuse a psychometric test?

In the UK and EU, candidates can generally refuse, but employers are not obligated to proceed with the application. However, the GDPR requires that consent be freely given — a "refuse = no job" framing may invalidate consent. In the US, refusal is typically considered at-will for private employers.

How long can employers keep psychometric test results?

Best practice: UK—6 months for unsuccessful candidates, duration of employment for hired candidates (with documented necessity). EU—maximum 6 months. US—no federal limit, but state laws vary; 12 months recommended for adverse impact record-keeping. NYC LL144 requires retaining bias audit data for 3 years.

Do AI-scored psychometric tests need bias audits?

In New York City (Local Law 144), yes — an annual independent bias audit is legally required. Under the EU AI Act, high-risk AI systems (including most AI-scored psychometric tools) require conformity assessment and ongoing monitoring. The UK ICO recommends but does not yet mandate bias audits, though this is expected to change.

Author Bio

This guide was prepared by the SIGMUND content team, drawing on publicly available regulatory guidance from the EEOC, ICO, EDPB, and NYC Department of Consumer and Worker Protection. For jurisdiction-specific compliance requirements, consult a qualified employment attorney.

Last updated: May 27, 2026

10.

Further Reading

Conclusion: Future-Proof Your Hiring Compliance

The compliance landscape for psychometric testing is converging toward three universal requirements: transparency, validation, and human oversight. Whether you hire in London, New York, or Berlin, the trend is clear — regulators expect employers to understand and document how their assessment tools work, impact different groups, and protect candidate data.

Key takeaways for 2026 and beyond:

  • If you hire in multiple jurisdictions, adopt the strictest standard (currently NYC LL144 for AI bias, EU GDPR for data protection).
  • Validation is no longer optional — regulators increasingly expect criterion-related validity evidence for every test-job pairing.
  • Documentation is your defence — DPIAs, bias audits, and data retention policies are your strongest protection against regulatory action.
  • Choose a platform that embeds complianceSIGMUND's platform is designed with data sovereignty, ISO 27001, and built-in adverse impact reporting to help employers navigate these complex requirements.

Related Reading

⬜ - SIGMUND's Psychometric Testing and GDPR Guide

⬜ - Top Psychometric Testing Platforms in 2026

⬜ - Complete Guide to Psychometric Testing for Recruitment

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Employers should consult qualified legal counsel for jurisdiction-specific compliance guidance.

JSON-LD Structured Data

Article Schema

"@context": "https://schema.org",

"@type": "Article",

"headline": "Psychometric Testing Legal Compliance: UK, US & EU Employer's Guide (2026)",

"description": "Complete guide to psychometric testing compliance across the UK, US and EU. Covers GDPR, EEOC Uniform Guidelines, adverse impact rules, AI hiring laws, and cross-border risk management for HR teams.",

"datePublished": "2026-05-27",

"dateModified": "2026-05-27",

"author": {

"@type": "Organization",

"name": "SIGMUND",

"url": "https://sigmundtest.com/en"

"publisher": {

"@type": "Organization",

"name": "SIGMUND"

"about": {

"@type": "Thing",

"name": "Psychometric testing legal compliance",

"sameAs": "https://en.wikipedia.org/wiki/Psychometrics"

FAQPage Schema

"@context": "https://schema.org",

"@type": "FAQPage",

"mainEntity": [

"@type": "Question",

"name": "Is psychometric testing legal in the UK?",

"acceptedAnswer": {

"@type": "Answer",

"text": "Yes, psychometric testing is legal in the UK when conducted in compliance with the UK GDPR, Equality Act 2010, and ICO guidance. Key requirements include using validated tests, providing reasonable adjustments, not making solely automated decisions, and retaining test data only as long as necessary."

"@type": "Question",

"name": "What is the 4/5ths rule for adverse impact?",

"acceptedAnswer": {

"@type": "Answer",

"text": "The 4/5ths (80%) rule is the EEOC's practical test for adverse impact in the US. If a protected group's selection rate is less than 80% of the group with the highest selection rate, it indicates potential adverse impact, triggering the need for job-validation evidence."

"@type": "Question",

"name": "Can candidates refuse a psychometric test?",

"acceptedAnswer": {

"@type": "Answer",

"text": "In the UK and EU, candidates can generally refuse, but employers are not obligated to proceed with the application. However, the GDPR requires that consent be freely given. In the US, refusal is typically considered at-will for private employers."

"@type": "Question",

"name": "How long can employers keep psychometric test results?",

"acceptedAnswer": {

"@type": "Answer",

"text": "Best practice varies by jurisdiction: UK — 6 months for unsuccessful candidates; EU — maximum 6 months; US — no federal limit, 12 months recommended. NYC Local Law 144 requires retaining bias audit data for 3 years."

"@type": "Question",

"name": "Do AI-scored psychometric tests need bias audits?",

"acceptedAnswer": {

"@type": "Answer",

"text": "In New York City (Local Law 144), yes — annual independent bias audit is required. Under the EU AI Act, high-risk AI systems require conformity assessment. The UK ICO recommends but does not yet mandate bias audits."

Production Notes

H2 sections: 10

FAQ: 5 Q&As with JSON-LD

Internal links to add: SIGMUND GDPR article + platforms comparison + AI testing article

Gate target: ≥85/100 CORE-EEAT

Load more comments
New code

Explore the SIGMUND Test Catalog

Discover our comprehensive range of scientifically validated psychometric tests