AI Regulatory Intelligence — by YRproject

factual analysis · traceable to primary sources

Explainer

Making HR AI compliant: a six-phase roadmap

Adopted 2026-06-22 · ≈ 3 min read · Dirk Baaijen

A practical roadmap to make HR AI compliant: inventory every system, classify by risk, run a DPIA and FRIA, inform workers and involve the works council, set up human oversight, logging and bias monitoring, and lock down supplier arrangements.

Short answer: Making HR AI compliant is not a one-off legal check but a six-phase journey. You first inventory all HR AI systems, classify them by risk, run a DPIA and — for high-risk — a FRIA, inform workers and involve the works council, set up human oversight, logging and bias monitoring, and finally lock down your supplier arrangements. Start with the inventory: without an overview you can demonstrate nothing.

Phase 1 — Inventory all HR AI systems

First, draw up a complete list of every system that uses AI around staff: CV screening, recruitment chatbots, assessments, scheduling and rostering tools, performance monitoring, talent marketplaces. Don't forget the "hidden" AI — features your supplier quietly added, or generic tools HR uses informally. Record for each system: purpose, supplier, which personal data, and who operates it. This inventory is the foundation for everything that follows and your key piece of evidence towards the regulator and the works council. See also AI in the workplace for the overview of what falls on the employer.

Phase 2 — Classify by risk

Determine the regime per system. AI used in recruitment, selection, evaluation, promotion, dismissal or task allocation falls under Annex III and is high-risk. Monitoring that feeds into decisions can be too; emotion recognition in the workplace has been banned since 2 February 2025. A simple chatbot with no selecting function is usually not high-risk, but it does carry a transparency duty. The high-risk obligations overview lists exactly what a high-risk classification brings with it.

Phase 3 — DPIA and FRIA

For high-risk HR AI processing personal data, a data protection impact assessment (DPIA, Art. 35 GDPR) is almost always required. On top of that, the AI Act requires employers that are public bodies — and in many cases private employers too — to carry out a fundamental rights assessment. The FRIA fundamental rights assessment (Art. 27) describes who must do it and what it should contain: the groups affected, the risks of discrimination and the mitigating measures. Do both before deployment, not afterwards.

Phase 4 — Inform workers and involve the works council

Article 26(7) of the AI Act requires you to inform workers and their representatives before a high-risk AI system is put into use. Separately, deploying staff-monitoring systems may fall under the works council's right of consent. Run these two tracks in parallel: informing is an AI Act duty, consent is a co-determination right. Early involvement avoids delay and builds support.

Phase 5 — Human oversight, logging and bias monitoring

High-risk systems must be subject to meaningful human oversight: a person who can review, override or reverse the outcome — not a rubber stamp. Retain the automatically generated logs so you can reconstruct afterwards what the system did. Monitor structurally for bias: measure outcomes per relevant group and adjust where differences cannot be justified. Record the overseer's tasks and powers in writing.
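A minimal illustration of this phase, added here and not taken from the article or any vendor tool: it runs over a constructed decision log, lists decisions with no named human reviewer, measures the positive-outcome rate per group and flags groups whose rate falls below an assumed review trigger of 0.8 times the best group's rate. The log fields and the 0.8 trigger are assumptions for the example, not values from the article.

```python
# Added example, not part of the original article. Field names and the
# 0.8 review trigger are assumptions chosen for illustration.
from collections import defaultdict

# Constructed sample log: one entry per screened candidate, as an HR AI
# system might record it. "reviewer" is the human who signed off.
SAMPLE_LOG = [
    {"id": "c1", "group": "A", "ai_outcome": "advance", "reviewer": "hr-01"},
    {"id": "c2", "group": "A", "ai_outcome": "advance", "reviewer": "hr-01"},
    {"id": "c3", "group": "A", "ai_outcome": "advance", "reviewer": "hr-02"},
    {"id": "c4", "group": "A", "ai_outcome": "advance", "reviewer": "hr-02"},
    {"id": "c5", "group": "A", "ai_outcome": "reject", "reviewer": "hr-01"},
    {"id": "c6", "group": "B", "ai_outcome": "advance", "reviewer": "hr-02"},
    {"id": "c7", "group": "B", "ai_outcome": "reject", "reviewer": ""},
    {"id": "c8", "group": "B", "ai_outcome": "reject", "reviewer": "hr-01"},
    {"id": "c9", "group": "B", "ai_outcome": "advance", "reviewer": "hr-02"},
    {"id": "c10", "group": "B", "ai_outcome": "reject", "reviewer": "hr-01"},
    {"id": "c11", "group": "C", "ai_outcome": "advance", "reviewer": "hr-01"},
    {"id": "c12", "group": "C", "ai_outcome": "advance", "reviewer": "hr-02"},
    {"id": "c13", "group": "C", "ai_outcome": "reject", "reviewer": "hr-01"},
    {"id": "c14", "group": "C", "ai_outcome": "advance", "reviewer": "hr-02"},
]


def check_oversight(log):
    """Return ids of decisions that carry no named human reviewer."""
    return [e["id"] for e in log if not e.get("reviewer")]


def outcome_rates(log, positive="advance"):
    """Share of candidates per group that received the positive outcome."""
    totals, positives = defaultdict(int), defaultdict(int)
    for e in log:
        totals[e["group"]] += 1
        if e["ai_outcome"] == positive:
            positives[e["group"]] += 1
    return {g: positives[g] / totals[g] for g in totals}


def flag_disparities(rates, threshold=0.8):
    """Groups whose rate, relative to the best group, is below threshold."""
    best = max(rates.values())
    return {g: round(r / best, 2) for g, r in rates.items() if r / best < threshold}


if __name__ == "__main__":
    print("missing reviewer:", check_oversight(SAMPLE_LOG))
    rates = outcome_rates(SAMPLE_LOG)
    print("rates:", rates)
    print("flagged:", flag_disparities(rates))
```

A flagged group is a trigger for the justification review the text calls for, not a finding of discrimination on its own.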

Phase 6 — Supplier arrangements

Most employers do not build HR AI themselves but buy it in. As deployer you remain liable for correct use, so contractually enforcing that the provider meets its duties is essential. Ask for the declaration of conformity, the instructions for use, and access to logging and updates. Agree who does what in the event of incidents and changes — because a substantial modification can turn you into a provider.

Compliance is not a project with an end date but a cycle: inventory, assess, adjust and repeat — every time a system changes or a new one is added.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Annex III designates employment and workforce management as high-risk; Art. 26 and 27 on the deployer.
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    General Data Protection Regulation (GDPR), Art. 35 (DPIA) and Art. 22 (automated decisions about individuals).
