ICO consults on updated automated decision making and profiling guidance

The Information Commissioner’s Office (ICO) has launched a consultation on its draft updated guidance on automated decision making (ADM), including profiling. The draft guidance reflects changes made to the UK GDPR by the Data (Use and Access) Act 2025 (DUAA) and replaces the ICO’s existing approach to ADM under data protection law.

The updated guidance is intended to help organisations understand when automated decision making is permitted, the restrictions that apply, and the safeguards that must be in place where automated decisions have legal or similarly significant effects on individuals. Responses to the consultation, which closes on 29 May 2026, will inform the final guidance.

Automated decision making is increasingly used across sectors, including recruitment, credit scoring, fraud detection, eligibility assessments and public services. The changes introduced by the DUAA relax the absolute prohibition on some forms of solely automated decision making but replace it with a more nuanced framework focused on safeguards, transparency and individual rights.

The ICO’s updated guidance signals how it expects organisations to apply this new framework in practice and provides an early indication of regulatory enforcement priorities.

What’s new in the draft guidance?

The draft guidance introduces several important clarifications and additions, including:

  1. When automated decision making rules apply - how controllers should assess whether their processing falls within the scope of the UK GDPR provisions on solely automated decisions with legal or similarly significant effects. This is particularly relevant where automation is embedded into wider decision making processes.

  2. Clarification of restrictions and conditions - when automated decision making is permitted, the restrictions that apply, and the conditions that must be met in those cases. This includes greater clarity around situations where automation is allowed provided certain safeguards are in place and the duties on controllers to ensure compliance.

  3. Stronger focus on safeguards and data subject rights - a new section details:

    • The safeguards controllers must implement; and

    • The rights individuals have when they are subject to automated decision making.

This includes expectations around meaningful human intervention, transparency and the ability for individuals to challenge decisions.

Recruitment and employment in focus

Alongside the consultation, the ICO has published a separate report on the fair and responsible use of automation in recruitment, highlighting its expectations for employers using automated tools in hiring decisions.

Key issues include:

  • The need for enhanced transparency with candidates;

  • Consistency where human involvement is used to review automated outcomes; and

  • Active monitoring for bias and discrimination in automated recruitment tools.

Employment and recruitment use cases are likely to be a particular enforcement focus.

Practical impacts for organisations

Organisations that rely on automated systems should expect increased scrutiny of how those systems are designed, deployed and monitored. In practical terms, the draft guidance is likely to affect:

  • Procurement and implementation of AI and automation tools, particularly where vendors offer “black box” decision making solutions

  • Public authorities using automation for eligibility, prioritisation or enforcement decisions

  • Employers using automated CV screening, aptitude testing or candidate ranking tools

  • Financial and service providers relying on automated risk or eligibility assessments.

Key takeaways

  • Automated decision making is not prohibited outright, but it requires careful justification, transparency and safeguards

  • Organisations should understand precisely when decisions are “solely automated” and when human involvement is genuinely meaningful

  • Data subject rights are central – individuals must be able to understand, challenge and seek review of automated outcomes

  • Recruitment and employment use cases are a clear area of regulatory focus.

Practical steps

Practical steps to consider include:

  1. Mapping automated decisions - identify where automated decision making or profiling is used, particularly where decisions have legal or similarly significant effects.

  2. Reviewing human involvement - assess whether human review is meaningful in practice, or whether processes are effectively automated end to end.

  3. Updating transparency information - ensure privacy notices clearly explain the use of ADM, the logic involved (at an appropriate level), and the rights available to individuals.

  4. Strengthening safeguards - review procedures for human review, error correction, bias monitoring and challenge mechanisms.

  5. Engaging with the consultation - organisations with significant use of ADM may wish to respond to the ICO consultation before it closes on 29 May 2026, particularly where the draft guidance raises operational or commercial concerns.

Our views

The finalised guidance will play a key role in shaping how the ICO enforces automated decision making rules under the reformed UK data protection regime as updated by the DUAA. Organisations that act early to align governance, documentation and operational practices with the draft guidance will be better placed to manage regulatory risk and demonstrate compliance.

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
