People analytics predicting attrition: why 'flight-risk' scores are legally shaky
AI that predicts which workers will leave (flight-risk) is legally highly problematic: purpose limitation, proportionality, GDPR Art. 22, and the risk of a self-fulfilling prediction and discrimination. Only at an aggregated level is it sometimes defensible.
Short answer: AI that calculates a per-employee likelihood of leaving ("flight-risk") is, like absence prediction, one of the most sensitive HR applications. At the individual level it collides with purpose limitation, proportionality and the GDPR's protection against profiling, and it carries the real danger of a self-fulfilling prediction and discrimination. Only at an aggregated level is it sometimes defensible.
What such a model actually does
An attrition model combines data such as appraisals, salary progression, leave, email behaviour, tenure and sometimes external signals into a score: how likely is this person to leave within X months? That is profiling within the meaning of the GDPR: the automated evaluation of personal aspects to predict behaviour. The strictest requirements apply at once.
Purpose limitation and proportionality
Data collected for payroll, appraisal or access control may not simply be reused to predict departure. That is a new, different purpose (Art. 5 GDPR). The employer must show the processing is necessary and proportionate, and that is exactly where it pinches: the aim (retaining staff) is legitimate, but the means (permanently screening everyone for loyalty) is almost never the least intrusive option. A good conversation often achieves more than a score.
Article 22 and the human measure
If consequences are attached to a high flight-risk (no promotion, no training, no renewal), this approaches an automated decision with significant effects (Art. 22 GDPR), in principle prohibited without a valid basis and safeguards. And once the score steers decisions about the individual worker, the system can become high-risk under the AI Act as an HR application, with the corresponding obligations.
The self-fulfilling prediction
The most subtle risk is behavioural. Anyone labelled a "flight risk" receives, consciously or not, less investment, less trust, fewer opportunities. That is precisely what pushes people out the door. The prediction makes itself come true and can no longer be falsified. Moreover, many predictive features (age, part-time status, caring duties, origin via language or network proxies) correlate with protected grounds, so discrimination creeps in without anyone intending it.
When (rarely) it is defensible
At an aggregated, non-traceable level, turnover analysis can be legitimate: which departments, job groups or pay structures show high attrition, and what organisational causes lie beneath? That targets the system, not the person, and can improve policy. The line is hard: as soon as the outcome is traceable to an individual or weighs in decisions about people, it becomes unlawful.
What to do
- Do not calculate individual departure scores: purpose limitation and proportionality are almost always missing.
- Attach no consequences to a predicted flight-risk in promotion, training or renewal.
- Work at an aggregated, non-traceable level, aimed at causes (workload, pay, leadership).
- Test for proxy discrimination and involve the works council before deployment.
Reducing turnover is a legitimate aim, but permanently screening every employee for loyalty undermines the very trust that makes people stay. The law and common sense point the same way here.
Sources
- https://eur-lex.europa.eu/eli/reg/2016/679/oj
  Regulation (EU) 2016/679 (GDPR): purpose limitation (Art. 5), profiling and Art. 22 on automated decision-making.
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
  Regulation (EU) 2024/1689 (AI Act): high-risk once the outcome steers decisions about individual workers.