The UK’s long-anticipated overhaul of its data protection landscape has culminated in the passing of the Data (Use and Access) Act 2025 (the DUAA).
The DUAA ushers in a significant change in approach to automated decision-making (ADM), opening new strategic opportunities for businesses to use ADM and AI in the UK.
This blog focuses on the DUAA’s implications for ADM. See our full blog series on the DUAA for further information on other aspects.
The starting point: the GDPR's initial restraint
Since May 2018, the use of ADM concerning individuals in the UK has been regulated under the UK GDPR or the (very similar) EU GDPR that preceded it. Article 22 of the UK GDPR currently imposes broad guardrails on the use of ADM, largely prohibiting decisions based solely (ie without meaningful human intervention) on automated processing when those decisions produce legal effects or similarly significant impacts on individuals.
This stance was rooted in safeguarding individuals from algorithmic outcomes that lack human oversight. Whether it was an online decision to award a loan or an aptitude test used for recruitment, the GDPR's design aimed to ensure human intervention. While narrow exceptions existed for decisions necessary for entering into or performing a contract, where authorised by law, or where based on the data subject’s explicit consent, the prevailing message encouraged a restrained deployment of impactful ADM systems. Where those exceptions applied and solely automated ADM was permitted, the UK GDPR contained rights to contest the decision and obtain human review.
The new ADM landscape: DUAA’s liberalisation with safeguards
The DUAA fundamentally reshapes the UK's ADM environment under provisions that will take effect at a date to be specified by the government. The key changes will be as follows:
- Relaxation of general prohibition: The previous broad prohibition on using personal data in ADM for ‘significant’ decision-making, without meaningful human involvement in the taking of the decision, will be largely removed. This rule will only remain for ‘significant’ decisions involving (even partly) special category personal data, which includes a limited defined set of sensitive data categories such as religious beliefs, political opinions, and health data. ‘Significant’ decisions are defined as decisions that produce a legal effect or similarly significant effect for the data subject.
- Expanded use of legitimate interests: As a direct consequence of the DUAA’s reforms once they take effect, UK businesses will have significantly greater scope to rely on 'legitimate interests' as their lawful basis for processing (non-special category) personal data for ADM. Relying on ‘legitimate interests’ is often more flexible and practical for businesses than alternative options such as obtaining explicit consent from individuals.
- Mandatory safeguards: The reformed ADM regime introduced by the DUAA will impose specific, mandatory safeguards on businesses for any significant decision made via ADM without meaningful human involvement, whatever personal data it is based on. These include requirements to inform impacted individuals that ADM is taking place and to provide them with rights to make representations, obtain human review, and contest significant decisions. Crucially, these rights allow individuals to challenge a decision after it has been made, a shift from the previous broad prohibition on using ADM to make that decision in the first place. Businesses will need to ensure they integrate the potential exercise of these rights into their ADM design and compliance processes, although, as the ICO has explained, the safeguards are similar to those under the current law.
The DUAA will therefore provide businesses in the UK with more regulatory freedom to adopt AI and other ADM methods. However, this freedom comes with a clear responsibility to observe the required safeguards and stay abreast of any future guidelines.
These reforms apply solely under UK law. Businesses operating across jurisdictions will need to continue to manage personal data in accordance with any applicable foreign laws, including the EU’s GDPR and AI Act.
Looking forward
The DUAA represents a pivotal moment in the UK's data protection journey, offering businesses greater scope for innovation through ADM. For businesses, the focus must now be on unlocking these opportunities once the reforms take legal effect (at a date to be confirmed by the government).
The passing of the DUAA necessitates a proactive review of businesses' ADM activities. Internal policies and procedures must be aligned with the DUAA's safeguards, ensuring clear processes for providing information, representations, human review, and contesting decisions are implemented appropriately.
The timeline for the reforms to take effect has not been confirmed by the government, but the ICO expects to publish updated guidance on ADM in Winter 2025/2026.
Businesses should consider where existing ADM systems and processes could leverage fresh opportunities under the DUAA’s more liberal ADM regime.