Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is Automated Decision-Making Under GDPR?
- Why Does Automated Decision-Making Matter for My Business?
- Are There Any Exceptions Where Automated Decision-Making Is Allowed?
- What Counts As “Meaningful Human Intervention”?
- Real-World Examples: Automated vs Human-Involved Decisions
- What Rights Do Individuals Have Over Automated Decisions?
- Automated Decision-Making and Small Business: Do I Really Need to Worry?
- Key Takeaways: Staying Compliant with Automated Decision-Making Under GDPR
- Need Help Making Sure Your Automated Systems Are GDPR Compliant?
Have you ever wondered how some businesses make split-second decisions about customers, loans, or even job applications, all with the click of a button? Automated decision-making systems are everywhere, powering everything from credit checks to personalised marketing. But while they offer efficiency and innovation, they also bring specific responsibilities under UK data protection law.
If your business is even thinking about using, or already relies on, automated tools to make decisions about people, there are some crucial rules you can’t afford to ignore. Breaching these rules under the UK GDPR can risk not just reputational damage but also hefty fines from the Information Commissioner’s Office (ICO).
Don’t stress: while the world of GDPR and automated decision-making might seem complicated at first, we’re here to break it down for you in everyday language. By the end of this guide, you’ll understand what counts as “automated decision-making”, what the law says you need to do, and most importantly, how to keep your business (and your customers’ trust) protected.
Let’s get started!
What Is Automated Decision-Making Under GDPR?
First things first: What do we actually mean by “automated decision-making”? According to the ICO, this is when a decision is made about an individual entirely by automated means, that is, by a computer or algorithm, without any active human input at the decision point itself.
- Totally automated: The decision is reached using software or a machine, based solely on the personal data provided. No human checks the outcome before it’s delivered.
- Input doesn’t matter: It doesn’t matter if a human enters the data or sets the parameters; the important thing is that once the system runs, the decision is made and implemented without anyone stepping in.
- Examples: An online loan application processed automatically, a recruitment platform that filters and rejects CVs based purely on keywords (without any human review), or an insurance claim automatically accepted or denied by a computer.
On the other hand, if a person reviews the system’s suggestion, considers the facts, and then approves or changes the outcome, this isn’t "automated decision-making" under the GDPR. Some would call this “semi-automated,” but for GDPR, only fully automated systems trigger the special requirements.
Why Does Automated Decision-Making Matter for My Business?
It’s easy to think of automated decisions as something only big banks or social networks need to worry about, but actually, they crop up in all kinds of places: marketing, e-commerce, HR platforms, even small business apps. If you use (or are considering using) systems that make decisions about people, even if it’s just recommending products, it’s vital you know when the GDPR’s stricter rules kick in.
- Protection of individuals: Automated systems can have a big impact on people’s lives (think job offers, lending, or access to services), so the law steps in to ensure basic fairness and oversight.
- Tough penalties: The ICO can issue serious fines for getting things wrong, and data subjects have the right to contest unfair or harmful automated decisions.
- Building customer trust: Being transparent about how decisions are made helps you maintain a positive relationship with your customers and avoid complaints.
What Does Article 22 of UK GDPR Say About Automated Decision-Making?
The centrepiece here is Article 22 of the UK GDPR. This rule says that people have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision has a legal effect (like approving or declining a loan, contract, or job) or a similarly significant effect on them.
What Counts as a “Legal or Similarly Significant Effect”?
The bar here is pretty high. It typically means decisions that affect your customer’s legal rights or have a major impact-such as:
- Refusing a loan or other form of credit
- Terminating an employment contract or declining a job application
- Approving or denying access to services or benefits
So, recommending a song or sending a marketing email probably wouldn’t count. But anything that has the potential to affect someone’s finances, livelihood, legal status, or ability to access services will almost always fall in scope.
Are There Any Exceptions Where Automated Decision-Making Is Allowed?
Yes. Article 22 lets you use fully automated decisions with legal or similarly significant effects in three situations:
- It’s necessary for a contract: For example, an instant mortgage approval system, if the customer specifically requests this evaluation.
- It’s authorised by law: If a statute or regulation allows, or even requires, certain decisions to be automated (not common for most SMEs).
- Explicit consent: The customer has given their clear, deliberate agreement for their data to be processed this way.
Even if you meet one of these exceptions, you must still implement certain safeguards (more on this below).
What Counts As “Meaningful Human Intervention”?
GDPR isn’t just about paperwork: If your process technically involves a person, but they are just rubber-stamping what the system says (without real thought or discretion), that’s not enough. For meaningful human intervention, the person reviewing the decision must:
- Have the authority to override or change the outcome
- Actively consider all available information (not just “tick a box”)
- Document their reasons for agreeing or disagreeing with the algorithm
If your process flows like this, you’re not caught by Article 22’s restrictions. But if the human’s only role is to press “approve” without considering context or extra facts, that’s still “automated” in the eyes of the law.
Real-World Examples: Automated vs Human-Involved Decisions
- Example 1: Automated Bank Loan Decision. A customer applies for a loan online. The software cross-checks their details with credit records, runs affordability checks, and gives a yes/no answer in moments, with no human stepping in. This is a fully automated decision.
- Example 2: Recruitment Platform. CVs are filtered by software, but then a manager reads the shortlist and decides who to interview. This is not fully automated (the human’s judgement counts).
- Example 3: Insurance Claim. A claim is submitted and the system either pays out or rejects it instantly, with no further review. This is automated decision-making under GDPR.
- Example 4: Retail Website Recommendations. A customer is shown recommended products based on their purchase history. Generally, this won’t have a legal or significant effect (the rules probably won’t apply).
For more on typical scenarios and compliance tips in the digital business space, see our guide Online Business: Legal Requirements.
What Rights Do Individuals Have Over Automated Decisions?
Whenever a significant automated decision is made, the individual affected has these key rights:
- To be informed: You must tell people clearly and specifically when their personal data is being used for automated decisions.
- To request human intervention: Individuals can request that a human reviews the automated decision.
- To challenge the decision: They have the right to contest the decision and put forward their point of view.
These aren’t just box-ticking exercises. You’ll need to have processes in place to deal with these situations, respond promptly, and keep records in case the ICO investigates.
What Practical Steps Can My Business Take to Stay GDPR Compliant?
Whether you’re already using automated tools or just thinking about adopting them, the following steps are vital:
1. Map and Review Your Processes
- Audit what personal data you’re collecting and how it’s being used.
- Identify which decisions (if any) are made fully by machines, and whether they could have a significant impact on people’s rights or finances.
2. Conduct a Data Protection Impact Assessment (DPIA)
- For high-risk processing (which includes most significant automated decisions), a DPIA is mandatory.
- This helps you spot and mitigate risks, and is something the ICO will expect to see if they ever investigate.
3. Ensure Transparency and Individual Rights
- Be upfront in your Privacy Policy about how you use automated decisions; don’t bury it in legalese.
- Make it easy for people to find out what’s happening and how it might affect them.
- Provide clear contact details and information about how to request human intervention or challenge outcomes.
4. Build Human Review Processes
- Ensure that individuals can actually request a human to review their case, and have a real shot at changing the outcome if appropriate.
- Train your staff so that reviews are genuine, not just a “rubber stamp”.
- Document these procedures and be ready to demonstrate them.
5. Get Explicit Consent Where Required
- If you’re relying on “explicit consent” to make fully automated decisions, make sure you collect this consent in a clear, specific, and informed way, with no pre-ticked boxes or vague terms.
For practical tips on making your site or app privacy-compliant, check out our Quick GDPR Compliance Tips and our in-depth guide to data privacy consent forms.
Automated Decision-Making and Small Business: Do I Really Need to Worry?
You might be thinking, “This all sounds complicated; should I just stay away from automated tools altogether?” Not necessarily! Used properly, automation can make your life much easier and help you serve your customers better. The key is to set up the right legal foundations and put safeguards in place.
If you’re:
- Using AI or algorithms to make important decisions about customers or staff
- Offering services with instant automated approval/rejection
- Planning to roll out a new tool or platform involving automatic assessments
…you’ll want to address the GDPR requirements from day one.
And remember, non-compliance can mean complaints, ICO investigations, and even fines. But with the right approach, you’ll not only protect your business, you’ll also win customer trust and future-proof your processes as technology evolves.
Key Takeaways: Staying Compliant with Automated Decision-Making Under GDPR
- Understand what counts: Only fully automated decisions with legal or similarly significant effects are subject to Article 22 GDPR, so make sure you know which of your systems qualify.
- Offer transparency: Clearly inform individuals when you use automated decision-making, and explain their rights in simple language.
- Provide human review and contestation rights: People must be able to request a real human review and challenge decisions that affect them.
- Conduct DPIAs for high-risk processing: Assess (and reduce) privacy risks before rolling out significant automated systems.
- Be ready to demonstrate compliance: Keep robust documentation in case of ICO queries or complaints, showing you’ve considered, communicated, and protected individual rights.
- Get expert support where needed: GDPR compliance is not “one size fits all”, so getting a lawyer to review your setup can help you avoid costly pitfalls.
Need Help Making Sure Your Automated Systems Are GDPR Compliant?
When it comes to automation, a proactive legal health check can save you future headaches. If you’re unsure about your risk, need to update your policies, or want compliance support for your new tool, Sprintlaw UK is here to help.
Reach out to us on 08081347754 or email team@sprintlaw.co.uk for a free, no-obligation chat about protecting your business and keeping your automation hassle-free and legal.
Want to read more? Check out our guides to GDPR essentials, customer data protection, or find out how to move your business online, legally.