UK Data Protection Act 2018 — Automated Decision-Making — Obligations, Requirements & Enforcement - EveryAILaw.com

UK Data Protection Act 2018 — Automated Decision-Making

Jurisdiction:

United Kingdom

enforcing

Effective:

May 25, 2018

Authority:

Information Commissioner's Office

Official text Verified May 15, 2026

Obligations Covered

Human Oversight Transparency & Disclosure

Provisions (2)

Automated Decision-Making Rights (Articles 22A-22D UK GDPR) #

Obligation:

Human Oversight

enforcing

Effective:

Feb 5, 2026

Risk tier:

all

Scope:

deployers

Requirements

Requirement	Details
ADM definition	Decisions based solely on automated processing (including profiling) with legal or similarly significant effects
Permitted bases	ADM allowed on any Article 6 basis except Recognised Legitimate Interests; stricter rules for special category data
Right to information	Individuals must be clearly informed when ADM is used and the logic/criteria in meaningful terms
Right to human intervention	Right to obtain genuine human review of automated decisions
Right to contest	Right to make representations and challenge automated decisions
Suitable safeguards	Controllers must implement safeguards including transparency, practical exercise of rights, and DPIA for high-risk ADM
Special category restriction	ADM using special category data (health, biometrics, etc.) remains prohibited except under narrow conditions

Penalties

Violation	Fine
Non-compliance	Up to GBP 17.5M or 4% global turnover

Transparency in Automated Processing #

Obligation:

enforcing

Effective:

May 25, 2018

Risk tier:

all

Scope:

deployers

Requirements

Requirement	Details
Logic disclosure	Must provide meaningful information about the logic of automated decision-making
Significance and consequences	Must explain the significance and envisaged consequences of processing
Privacy notice	Must include ADM information in privacy notices

Penalties

Violation	Fine
Non-compliance	Up to GBP 17.5M or 4% global turnover