ComplianceMarch 20269 min read

All 8 UK Recruitment Compliance Frameworks, Automated

AWR, Conduct Regs, GDPR, HMRC, IR35, Modern Slavery, Right to Work, and Umbrella due diligence — all eight UK compliance frameworks built into the recruitment workflow. Here is what each one covers and how automation changes the risk profile.

UK recruitment compliance is not a single framework. It is eight overlapping regulatory obligations, each with different triggers, different documentation requirements, and different consequences for non-compliance. Most agencies track them on a combination of spreadsheets, calendar reminders, and good intentions.

That works until it does not. A qualifying period missed. A Right to Work check expired. IR35 documentation not completed before a contractor engagement. The compliance failures that result in regulatory action or legal claims are almost always process failures, not deliberate omissions. The right checks were known about — they just were not triggered at the right time.

This is the problem compliance automation solves. Not awareness of the obligations — most agency directors know what they need to do. But execution: making sure the right check happens at the right point in every workflow, every time, without relying on a human to remember.

The eight frameworks

1. Agency Workers Regulations 2010

AWR gives temporary workers the right to equal treatment on pay and working conditions after a 12-week qualifying period with the same hirer in the same role. It also creates day-one rights (access to collective facilities, information about permanent vacancies).

What goes wrong manually: The 12-week milestone is missed. Equal treatment is not triggered. A worker who is entitled to pay parity does not receive it. The claim comes later.

What automation does: The qualifying period is tracked from the first day of assignment. At week 12, the equal treatment review is triggered automatically. Day-one rights are confirmed at onboarding. The placement cannot progress past the relevant milestones without confirmation that the checks are complete.

2. Conduct Regulations 2003

The Conduct of Employment Agencies and Employment Businesses Regulations 2003 set out the obligations of agencies for both perm and temp placements: information requirements, terms of business, client and candidate rights.

What goes wrong manually: Terms of business are not sent before work commences. Required information about the assignment is not provided to the worker. Records of the terms agreed are not maintained.

What automation does: Terms of business compliance is checked before any placement progresses. Required information fields are enforced — a placement cannot be created without them. Records are maintained automatically for every assignment.

3. UK GDPR and Data Protection Act 2018

Recruitment agencies process significant amounts of personal data. Candidate consent, data retention, right to erasure, breach notification — all of these obligations apply to the candidate database that is the core asset of any agency.

What goes wrong manually: Consent is not recorded. Candidates whose data has been held for years past the retention period are never deleted. A right to erasure request takes weeks to process. A data breach is not logged.

What automation does: Consent is captured and recorded at first contact. Retention schedules are enforced — records are flagged for review or deletion at the relevant interval. Right to erasure requests generate a workflow that processes the request systematically. Breach logging is built in.

4. HMRC Intermediaries Reporting

Agencies using intermediaries (umbrella companies, personal service companies) for contractor placements have quarterly reporting obligations to HMRC under the intermediaries reporting regime.

What goes wrong manually: The quarterly deadline is missed. Worker classification data is not maintained in a format suitable for HMRC reporting. Records are scattered across the CRM and accounting system.

What automation does: Quarterly deadlines are tracked with automatic reminders. Worker classification is maintained against each contractor record. The reporting data is maintained in HMRC submission-ready format throughout the quarter.

5. IR35 Off-Payroll Working Rules

IR35 requires agencies and hirers to assess whether a contractor engaged through a personal service company would be an employee if engaged directly. If they would, the deemed employer (typically the hirer or the fee-payer in the chain) is responsible for deducting income tax and NICs.

What goes wrong manually: The Status Determination Statement is not completed before engagement begins. The fee-payer chain is not documented. SDS records are not stored in a retrievable format. A HMRC review finds documentation gaps.

What automation does: SDS creation is required before any contractor engagement can proceed. The fee-payer chain is documented and stored. SDS records are linked to contractor records and retained. No engagement progresses past the SDS milestone without completion.

6. Modern Slavery Act 2015

Agencies above the turnover threshold are required to publish an annual transparency statement. All agencies have an implicit due diligence obligation in their supply chains — including umbrella companies and labour supply chains.

What goes wrong manually: Supplier due diligence is not conducted systematically. Red flags in supply chains are not identified. The annual transparency statement is published late or without adequate content.

What automation does: Due diligence workflows are embedded in supplier onboarding. Red flags are identified and logged. The transparency statement management includes annual review scheduling. Audit trail for all due diligence activity is maintained.

7. Right to Work

Employers and employment businesses have an obligation to check that workers have the right to work in the UK before engagement. For time-limited rights (Biometric Residence Permits, visas), follow-up checks are required before expiry.

What goes wrong manually: The initial check is not completed before placement. For time-limited rights, the expiry date is missed. A worker continues to be placed past their visa expiry date.

What automation does: Document verification is required before any placement can be confirmed. Time-limited right to work statuses are tracked with expiry reminders sent in advance. Repeat check scheduling is automatic. A placement for a worker with an expiring right to work cannot proceed past the expiry date without a fresh check.

8. Umbrella Company Due Diligence

Following the off-payroll working rules changes and HMRC's ongoing scrutiny of umbrella companies, agencies face an obligation to conduct due diligence on the umbrella companies they use in their supply chains — and to ensure workers are not being engaged through non-compliant mini umbrella structures.

What goes wrong manually: Approved supplier lists are not maintained. Umbrella companies are used without formal due diligence. Worker deduction transparency is not verified. HMRC's definition of a mini umbrella structure is not applied systematically.

What automation does: Approved umbrella supplier lists are maintained in the platform. Each umbrella engagement triggers a due diligence check against the approved list and HMRC guidance. Worker deduction transparency is verified before engagement. Annual review scheduling is automatic.

The Event Grid: compliance built into the workflow

All eight frameworks are managed through Event Grid, the compliance engine that sits inside every workflow. Rather than a separate compliance module you run periodically, Event Grid monitors workflow events in real time and triggers the appropriate compliance checks at the right moment.

A candidate is added: GDPR consent is required. A contractor placement is created: IR35 SDS and Right to Work are required before it can proceed. An assignment passes 12 weeks: AWR equal treatment review is triggered. A right to work document approaches expiry: repeat check is scheduled.

The compliance happens because the workflow enforces it, not because someone remembered to check.

Audit readiness

Every compliance event is logged with a timestamp, the user who confirmed it, and the record it relates to. If HMRC, the ICO, or a legal team asks for documentation, it can be produced immediately. The audit trail is complete by construction — not something you need to prepare for an audit.

Compliance that runs itself and leaves a complete record is qualitatively different from compliance that depends on individual diligence. The risk profile is different. The liability exposure is different. The peace of mind is different.

For agencies carrying significant contractor volumes or operating in regulated sectors, the compliance module alone justifies the platform cost many times over. One IR35 misclassification or Right to Work failure is an expensive lesson. A compliance system that prevents them systematically is straightforwardly worth the investment.

Related pages
Compliance module detailThe full platform
Previous
Why AI-Native Is Different from AI-Enabled (And Why It Matters for Your Agency)
See it live

Every feature described on this blog is available in a 45-minute demo. We show it live — not slides.

Book a demo →All articles