Automated decision-making is where AI and UK data-protection law collide most sharply — and the rules changed under the DUAA. Here’s what applies in 2026, cited to official sources. (dgm implements osFoundry as an independent partner. General information, not legal advice.)
The rules changed in 2026
The Data (Use and Access) Act 2025 replaced Article 22 UK GDPR with new Articles 22A–22D (via Section 80). The provisions came into effect on 5 February 2026.
The shift in plain terms:
- More permissive for ordinary data — solely-automated decisions with legal or similarly significant effects are now allowed in wider circumstances for non-special-category data, if safeguards are met.
- Automated decision-making (ADM) using special-category data stays restricted (subject to limited conditions).
What counts as “solely automated” and “significant”
Article 22A defines a “solely automated” decision as one with no meaningful human involvement that produces a legal or similarly significant effect. Examples: automated hiring rejections, credit decisions, eligibility determinations. If a human meaningfully reviews and can change the outcome, it isn’t “solely automated” — which is exactly the design lever you have.
The mandatory safeguards
Where the ADM regime applies, you must:
- inform individuals about the significant automated decision;
- let them make representations;
- let them contest the decision; and
- provide human intervention.
The ICO is consulting on updated ADM guidance (final expected ~Summer 2026), including a worked hiring example — automated decisions can streamline hiring with the right safeguards.
The practical design choice
The cleanest way to manage ADM risk is often to keep meaningful human involvement in significant decisions, so the decision isn’t “solely automated” at all, and the strict regime is avoided while you still get AI’s speed. Where you do run solely-automated significant decisions, build in the four safeguards and test for bias.
Where osFoundry and dgm fit
dgm designs AI so significant decisions keep a human in the loop — a reviewer who sees the AI’s recommendation and can change it, plus clear routes for individuals to be informed, make representations and contest. We implement on osFoundry, which supports human-review steps in workflows and full audit logging, with data control via self-hosting or an EU region (it publishes US/EU/JP regions, not a UK one). See our human-in-the-loop guide for the design pattern.
dgm is an independent integration partner with zero integrations so far, and not a law firm. Confirm with your DPO and the ICO’s ADM guidance. To scope an ADM-safe AI project, book a consultation with dgm.