
What does the UK GDPR say about ADM?

Latest updates - 31 March 2026

31 March 2026 - We have updated this draft guidance to reflect changes to the UK GDPR following the Data (Use and Access) Act 2025 (DUAA).

  • We’ve added content about how you can determine whether the processing you undertake falls within the scope of the UK GDPR’s article 22A provisions that relate to solely automated decisions with significant effects. We use the short-hand automated decision-making (ADM) across this guidance when we refer to this kind of processing.
  • We’ve also clarified when your ability to undertake ADM has certain restrictions and what conditions you must satisfy in these cases.
  • We’ve created a new section about the safeguards you must put in place, as well as the rights people have about the ADM that affects them.

 

In detail

When do the ADM provisions apply?

Many of your business practices may involve automated processing to help make or support decisions. But this doesn’t mean the ADM provisions apply to all of these practices or the decisions based on them. 

They only apply when three factors are present:

  • you are using a system that is making a decision (or decisions) about a person;
  • the decision is a significant decision (meaning the decision has legal or similarly significant effects); and
  • the decision is solely automated (meaning there is no meaningful human involvement). 

What is a decision?

The UK GDPR doesn’t define the term ‘decision’. In the context of ADM, we consider the term to have a broad meaning. It refers to a conclusion or outcome, reached after consideration or analysis, where that conclusion may: 

  • impact or influence actions taken; or
  • engage a person’s rights.

Not everything an automated system produces counts as a decision. Decisions need to involve some kind of evaluation or analysis of personal information, not just applying a rule that a human has already set. In some situations, a human can set a simple rule that is applied automatically, but the system is not actually making its own separate decision.

For example, a business may decide in advance which payment cards it accepts. The automated system then simply applies that rule by accepting or rejecting cards. In this case, the decision was made by a human, not the system. 

Example

A lettings platform uses an automated system to assess whether someone is eligible to let high-value properties. The system analyses the person’s previous letting history, ratings from previous landlords, payment behaviour, and behavioural signals. Based on this analysis, it automatically decides whether to allow or prevent the lease.

In this case, the outcome depends on an evaluation of personal information, and the system is making a judgement about the person (eg that they present a higher or lower risk). This is a decision.

What is a ‘significant decision’?

The UK GDPR says that:

“a decision is a significant decision, in relation to a data subject, if— 

(i) it produces a legal effect for the data subject, or

(ii) it has a similarly significant effect for the data subject.”

A decision that has a legal effect is one that affects a person’s legal status or their legal rights, for example:

  • approving or refusing access to a public service, benefit or licence (eg housing support, a visa, a permit);
  • determining tax liabilities due; and
  • enforcement actions, such as issuing a penalty, fine, or charge. 

A decision that has a similarly significant effect is one that has an equivalent impact on someone’s circumstances, behaviour, opportunities, or choices. 

In extreme cases, significant decisions might exclude or discriminate against people. Also, decisions that might have little impact generally could have a significant effect for people in situations where they are at risk, such as children. Context is key in understanding a decision’s significance.  

Example

A social security processing activity automatically evaluates whether someone is entitled to a benefit and how much to pay them based on profiling. This is a decision ‘based solely on automated processing’, without meaningful human involvement for the purposes of the ADM provisions. 

As well as having a legal effect, the amount of benefit they receive could affect a person’s livelihood or ability to buy or rent a home, so this decision also has a ‘similarly significant effect’. 

Other similarly significant effects include:

  • automatic refusal of an online credit application; or
  • e-recruiting practices without meaningful human involvement. 

By contrast, the following example is less likely to have a significant effect on someone:

Example

A video-on-demand service uses an automated system to recommend new content to a person based on their previous viewing habits. The choice of content it recommends is a decision based solely on automated processing because it has no meaningful human involvement. It relies entirely on profiling and algorithmic analysis.

While the decision may influence what the person chooses to watch next, this is typically not to the same level as something that impacts their legal rights or has a similarly significant effect on their behaviour, circumstances, opportunities or choices.

There can be contextual differences that determine whether a decision has a significant effect. When processing at scale, it is possible that similar decisions have a significant impact on some people and not on others. Unless you are confident that you can accurately separate out the people who will experience legal or similarly significant effects from those who will not, you should apply the safeguards to all the decisions you make.

Example

An automated decision results in a freeze on someone’s bank account based on potential fraudulent activity. 

This can be a significant decision because it impacts that person’s financial circumstances, and may have knock-on effects elsewhere. 

If you are unsure whether a decision has a similarly significant effect on someone, you should consider the extent to which it impacts their:

  • financial circumstances (including creditworthiness, bank account access, and evaluation, provision or denial of insurance or benefits);
  • employment opportunities and circumstances (eg recruitment, promotion);
  • health (eg access to or allocation of medical interventions);
  • access to education and relevant opportunities (eg awarding grades, personalised learning);
  • access to housing;
  • access to essential public and private services;
  • reputation (eg automated scoring systems that influence trust ratings or professional standing);
  • behaviour (eg nudging teenagers to adopt unhealthy eating habits via recommendations that are based on profiling that determines they are more susceptible); or
  • choices (eg dynamic pricing or discriminatory offers). 

A decision that affects any of these may have a significant effect on someone. The ADM provisions apply where this is the case, and the decision is based solely on automated processing.

Example

An online game is targeted at children. To generate revenue, the game makes extensive use of strategies to extend user engagement. These include a system that profiles children while they play the game. The system intends to target them with personalised in-game advantages, incentivising them to stay engaged and continue to play. 

This use of children’s information is meant to automatically extend their playing time, rather than allow them to make an active choice about whether they want to spend their time this way. 

By exploiting behavioural patterns to encourage extended gameplay, the game’s systems significantly influence children’s behaviour, for example by creating a feeling of missing out or of being disadvantaged by playing less. 

This manipulation of choices and behaviour is likely to qualify as a significant effect.

What is a ‘solely’ automated decision? 

The UK GDPR says that:

“a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision”

So, ‘solely’ automated is about decision-making processes that are automated and don’t reflect real human control over the end result. 

Example

A factory worker’s pay is determined by an algorithmic system that makes predictions about their productivity. The system analyses data about the worker’s performance and automatically sets the rate of pay for each shift based on these evaluations. There is no meaningful human involvement in reviewing or adjusting the outcome.

This is an example of solely automated decision-making. Since this can also have significant effects on the worker, it is ADM. 

Many decisions that you commonly think of as automated actually involve humans at some point in the process. However, for human involvement to be “meaningful” in the context of the UK GDPR, you must ensure it is active and not just a token gesture.

For there to be meaningful human involvement, a human should:

  • assess and review the decision at an appropriate point to ensure actual impact on the outcome;
  • have the ability to influence the outcome;
  • have discretion and authority to alter the decision;
  • be suitably trained and qualified to understand the system’s logic, outputs, limitations, and risks; and
  • take into account the relevant data and factors on which the decision was based. 

The human involved in the decisions should apply these non-exhaustive criteria every time they make a decision about a person. Using ad hoc spot-checking isn’t sufficient because some automated decisions won’t receive a check and therefore don’t have meaningful human involvement.

You should keep a record of how the human was involved in the decision.

Example

An organisation issues a warning to an employee about late attendance at work. They do so based on their automated clocking-in system flagging that the employee has been late on a defined number of occasions. 

However, although the warning is issued on the basis of the data collected by the employer’s automated system, the decision to issue it is taken by the employer’s HR manager following a review of that data.

This is an example of a decision that has meaningful human involvement.

Another important factor in evaluating whether you’re carrying out ADM is the timing of the human involvement. You must ensure that the involvement comes before you apply the decision to a person and at a time you can still change any recommendation that would otherwise be based on solely automated processing, including profiling. This is so that a human can exercise real influence over the decision by using their discretion and authority to change it where appropriate. 

A human merely designing or building an automated system does not count as meaningful human involvement. This is because the design stage happens long before any real-world decisions are made about people, so it cannot directly influence or alter a specific outcome.

Where a human only inputs the data for the system to process and the system then carries out the decision-making, the processing is still in the scope of the ADM provisions if there is a significant effect. 

When assessing whether your decision-making includes meaningful human involvement, you must also consider how much it relies on profiling. This is because profiling is often complex, making it difficult for human reviewers to fully explain or challenge the outcome. It’s therefore important to critically assess any profiling you use, especially when it involves children’s personal information. 

Example

A retail bank uses customer profiling to deliver personalised credit card offers. The profiling system analyses spending habits and past repayment history.

Based on this profile, the system automatically decides whether to offer a customer a higher credit limit. The decision is made in real time using an algorithm that weighs risk and marketing potential. No human reviews the individual case unless the customer challenges the outcome.

Because the decision is based entirely on profiling and executed automatically, it lacks meaningful human involvement.

Can we carry out ADM?

Yes, subject to some restrictions. The UK GDPR contains two restrictions that prohibit you from carrying out ADM in certain circumstances. 

The first restriction is about ADM based entirely or partly on special category data.

You can only do this where one of the following conditions applies: 

  • You base the decision entirely on the person’s explicit consent.
  • The decision is necessary for a contract between the person and an organisation, and there is a substantial public interest (SPI) condition.
  • The decision is required or authorised by law, and there is an SPI condition.

(For more information, see ‘When can we use special category data in our automated decision-making?’.) 

The second restriction is about the recognised legitimate interest lawful basis. Recognised legitimate interest and legitimate interests are two separate lawful bases. A recognised legitimate interest is a pre-approved purpose for using personal information that is in the public interest. Unlike legitimate interests, you don't have to assess the impact on people's rights, interests and freedoms.

However, the UK GDPR says you can’t use this as your lawful basis if you want to carry out ADM. (See ‘How do we carry out ADM lawfully?’.)

Further reading – ICO guidance

What are the substantial public interest conditions?