Insights and Analysis

AI and Automated Decision-Making in the UK (Part I): The new rules and regulatory guidance


On 5 February 2026, section 80 of the Data (Use and Access) Act 2025 ("DUAA") came into force, replacing Article 22 of the UK GDPR and fundamentally reshaping the UK's approach to automated decision-making ("ADM"). At the same time, reforms to purpose limitation under Article 5(1)(b) are giving UK-based organisations significantly more latitude to repurpose personal data for AI training and development. These changes represent the most material divergence from the EU GDPR since Brexit, and they raise practical questions for organisations operating across European jurisdictions about how to structure their compliance programmes and DPIAs.

The UK's new ADM framework

The previous Article 22 of the UK GDPR operated as a near-prohibition on solely automated decision-making that produced legal or similarly significant effects on individuals, permitting it only under narrow exceptions: explicit consent, contractual necessity, or where authorised by law.

The DUAA replaces this with a fundamentally different model. Organisations can now carry out ADM using any lawful basis, including legitimate interests, provided mandatory safeguards are in place. Those safeguards, set out in the new Article 22C of DUAA, require controllers to:

  • provide the data subject with information about the decision;
  • enable the data subject to make representations;
  • enable the data subject to obtain genuine human intervention; and
  • enable the data subject to contest the decision.

The stricter regime is preserved only where special category data is involved. ADM based on such data remains prohibited unless the individual has given explicit consent, or the processing is necessary for contractual or legal reasons alongside substantial public interest grounds.

This is not a relaxation across the board but rather a structural shift from a prohibition-with-exceptions model to a permission-with-safeguards model. The practical consequence is that the threshold question changes - rather than asking "do we have a basis to justify ADM at all?", UK organisations may now ask "are our safeguards robust enough?"

The ICO's draft ADM guidance

The ICO launched a public consultation on draft updated ADM guidance on 31 March 2026, which remains open until 29 May 2026 with the final guidance expected in summer 2026. The draft guidance emphasises that the law's approach is to enable the use of ADM and AI, provided organisations can demonstrate compliance, rather than treating ADM as something exceptional or inherently problematic.

However, it is also clear from the guidance that there is an expectation of compliance. In particular, the ICO draws attention to the following:

  • Organisations will still need to carefully determine whether they are actually carrying out the type of ADM that is specifically regulated: a decision based solely on automated processing with no meaningful human involvement that produces a legal or similarly significant effect.
  • The Article 22C safeguards are central and must be visibly implemented in practice. In particular, individuals must be provided with decision-specific information explaining how and why the outcome was reached, be able to make representations, obtain genuine human intervention on a case-by-case basis from a reviewer with the authority, competence and discretion to change the outcome, and contest the decision through an accessible process.
  • The distinction between the concept of ‘human intervention’ and ‘human involvement’ is critical. Human intervention refers to the safeguard that applies after a solely automated significant decision about a person is made. Human involvement refers to the role humans have during the decision-making process. It is one of the key factors in deciding whether the ADM provisions apply in the first place. If a decision includes meaningful human involvement, it is not solely automated. This is the case even if the decision has significant effects on someone.

In addition to its guidance, the ICO is in the process of developing a statutory code of practice on AI and ADM as part of its broader AI and biometrics strategy, which aims to ensure organisations can deploy these technologies with confidence while safeguarding individuals from harm (see the ICO’s plan of action). The code is expected to provide more detailed, operational guidance on issues such as transparency and explainability, rights and redress, and is likely to play a central role in shaping how the DUAA’s permission-with-safeguards model is applied in practice.

The AI-friendly reform of purpose limitation

The DUAA also reforms purpose limitation under Article 5(1)(b) of the UK GDPR. It introduces statutory compatibility conditions and a new provision (Article 8A) governing further processing, creating what is effectively a two-tier model.

Certain categories of further processing, particularly for scientific research, archiving, or statistical purposes, are now deemed automatically compatible with the original collection purpose. Critically, the definition of scientific research has been broadened to include commercially funded, private-sector research. This gives UK-based organisations considerably more latitude to repurpose personal data for AI training and development than is available under the EU GDPR, where the EDPB and CJEU continue to take a narrower, more contextual approach to compatibility.

That said, the ICO is not abandoning purpose limitation entirely. Its recent tech futures paper on agentic AI continues to stress the importance of this principle. According to the ICO, organisations must be clear and transparent about why they are collecting personal data and ensure that their intended use aligns with people's reasonable expectations. It cautions against the risk of defining purposes too broadly to capture all potential operations of an agentic system.

The EU’s different trajectory

The EU retains Article 22 of the EU GDPR as a default prohibition on solely automated decision-making. The CJEU's ruling in Dun & Bradstreet Austria (C-203/22, 27 February 2025) reinforces individuals' right to a genuine explanation of the logic and results of automated decisions and makes clear that providing a complex algorithmic description alone does not constitute a concise and comprehensible explanation.

Although the EU's Digital Omnibus may eventually introduce some clarifications to the ADM rules, it is not expected to converge with the UK's more permissive approach. Indeed, regulators in the EU are moving towards more granular expectations around explanations and transparency. The Dutch DPA, for example, published draft guidance on the right to explanation in ADM on 21 April 2026 (open for consultation until 26 May 2026), which distinguishes between general and decision-specific explanations and requires explainability-by-design from the outset.

The importance of DPIAs and possible approaches

An overarching message emerging from the legislative changes in the UK and the ICO’s guidance is that, in relation to AI and ADM, accountability practices are key. Therefore, the processing of personal data in this context should always be preceded by a DPIA, as this is a common expectation of all European regulators.

For organisations with operations or data subjects in both the UK and the EU, there is a choice between two approaches when completing DPIAs:

Harmonised approach: Default to the higher EU standard across both jurisdictions. This provides simplicity and reduces operational complexity, but limits the organisation's ability to take advantage of the UK reforms.

Jurisdiction-specific approach: Maintain distinct UK and EU compliance frameworks, accepting the operational complexity in exchange for greater flexibility in the UK, particularly around the use of ADM for non-special category data and the broader research exemptions for purpose limitation.

Irrespective of the approach followed, and to maintain as much consistency as possible even under the jurisdiction-specific approach, DPIAs should document:

  • the lawful basis relied upon in each jurisdiction;
  • whether the processing involves special category data;
  • the safeguards in place (noting the different requirements in the UK and EU);
  • a distinct risk assessment reflecting the different thresholds; and
  • how purpose limitation and compatibility have been assessed for any secondary processing, including AI training.

What organisations should do now

Although the ICO's final ADM guidance is still pending, the new statutory framework is already in force. Organisations should consider the following steps:

  • Audit ADM use cases. Identify all current and pipeline uses of solely automated decision-making, recording the data types involved, lawful bases, decision logic, and safeguards for each jurisdiction.
  • Assess safeguards. Ensure the Article 22C safeguards are genuinely operational as part of a thorough DPIA, with particular attention to whether human intervention is meaningful and whether contestation processes are accessible.
  • Review purpose limitation. Where personal data is being repurposed for AI development, assess whether the new UK compatibility framework applies and document the basis for further processing.
  • Update privacy notices. Ensure ADM is described in clear, specific terms and that individuals are informed of their rights to make representations, obtain human intervention, and contest decisions.
  • Engage with the ICO consultation. The consultation on draft ADM guidance closes on 29 May 2026 and offers a strategic opportunity to seek clarification on feasibility and operational issues.
  • Monitor the EU landscape. Track the Digital Omnibus proposals, the Dutch DPA's forthcoming final guidance on explanation, and the EU AI Act's transparency obligations applying from 2 August 2026 to ensure your compliance framework remains current across both jurisdictions.

For more on the ICO's approach, see the draft guidance on automated decision-making. For EU developments, see our recent article on Dutch DPA draft guidelines on the right to explanation in ADM.

 

Authored by Eduardo Ustaran, Katie McMullan, and Alina Podolyak.
