Automated decision-making, including profiling
We are consulting on the Data (Use and Access) Act updates to this guidance.
The previous version of this ADM guidance is available as a PDF. We will withdraw this when we’ve finalised the updated guidance after the consultation.
Latest updates - 31 March 2026
31 March 2026 - We have updated this draft guidance to reflect changes to the UK GDPR following the Data (Use and Access) Act 2025 (DUAA).
- We’ve added content about how you can determine whether the processing you undertake falls within the scope of the UK GDPR’s article 22A provisions that relate to solely automated decisions with significant effects. We use the short-hand automated decision-making (ADM) across this guidance when we refer to this kind of processing.
- We’ve also clarified when your ability to undertake ADM has certain restrictions and what conditions you must satisfy in these cases.
- We’ve created a new section about the safeguards you must put in place, as well as the rights people have about the ADM that affects them.
About this guidance
These chapters sit alongside our brief guidance and provide more detailed guidance for organisations on ADM, including profiling.
If you haven’t yet read the brief guidance, read that first. It introduces this topic and sets out the key points you need to know.
When we use the term ‘ADM’ in this guidance, we specifically refer to automated decision-making as defined in article 22A of the UK GDPR. This is where a decision:
- is “based solely on automated processing”, including profiling (ie there is no meaningful human involvement in the decision); and
- has a “legal or similarly significant effect” on a person (which the UK GDPR refers to as a 'significant decision').
We also use the term ‘the ADM provisions’ to describe articles 22A-22D of the UK GDPR.
Read this detailed guidance if you have questions not answered in the brief guidance, or if you need more information to help you apply the rules relating to ADM in practice.
This guidance will inform the statutory code of practice on artificial intelligence (AI) and ADM that we will develop.
Why have you produced this guidance?
The purpose of this guidance is to help organisations understand and meet your obligations when you carry out ADM. It explains the relevant provisions of the UK GDPR and provides advice on good practice. Read it to understand the law, our interpretation, and recommendations for compliance.
This guidance is not an exhaustive manual. It focuses on the ADM provisions. While it addresses the key considerations, you remain responsible for ensuring you comply with any other provisions that apply to your processing, as well as any other applicable laws and regulations.
Who is this guidance for?
This guidance is aimed at you if you are planning to carry out ADM. This includes deploying in-house-developed ADM tools or solutions offered by external vendors.
This guidance is aimed at data protection officers, compliance professionals, and technical leads with oversight of your organisation’s use or procurement of ADM systems.
The DPA 2018 contains similar provisions in part 3 (law enforcement processing) and part 4 (intelligence services processing). This guidance is specifically about the ADM provisions in the UK GDPR. If part 3 or part 4 apply to your processing, read our guide to law enforcement processing or our guide to intelligence services processing.
Contents
What is ADM?
- What is automated decision-making about people?
- What is profiling?
- What is AI and how does it relate to ADM and profiling?
- What are the benefits of ADM?
- What are the risks?
What does the UK GDPR say about ADM?
- When do the ADM provisions apply?
- What is a decision?
- What is a ‘significant decision’?
- What is a ‘solely’ automated decision?
- Can we carry out ADM?
How do we carry out ADM lawfully?
- What does it mean for our ADM to be lawful?
- When can we rely on consent?
- When can we rely on contract?
- When can we rely on public task?
- When can we rely on legitimate interests?
- What about the other lawful bases?
When can we use special category data in our ADM?
- What is special category data?
- What are the special category data conditions for ADM?
- When can we rely on the ‘explicit consent’ condition for ADM?
- When can we rely on the ‘contract’ condition for ADM?
- When can we rely on the ‘required or authorised by law’ condition for ADM?
What are the ADM safeguards?
- What are the safeguards in the ADM provisions?
- What ‘information about decisions’ do we have to provide?
- How do we enable people to make representations?
- What is ‘human intervention’?
- How do we enable people to contest decisions?
- What do we do if someone exercises their rights under the ADM provisions?
What rights do people have?
- What do we need to tell people and when?
- What do we need to tell people under the right to be informed?
- What do we need to tell people under the right of access?
- What do we need to tell people under the ADM safeguards?
- How should the information be delivered?
What else do we need to consider?
- Do we have to do a data protection impact assessment (DPIA)?
- Do we need to make any other changes to our systems?