The introduction of the General Data Protection Regulation caused businesses in the UK to rethink how they handled personal information. However, due to media attention mainly focusing on the ability of the Information Commissioner’s Office (ICO) to fine organisations up to £17.5m, some businesses remain unaware of the more technical parts of the UK GDPR. One such example is the restrictions on solely automated decision-making by companies in the UK. This article will explore what constitutes automated decision-making and the restrictions placed upon doing so by the GDPR to ensure your business does not risk a hefty financial penalty from the ICO.
What is Automated Decision-Making?
The ICO defines this as constituting a decision-making process that is ‘totally automated’ and absent ‘human influence on the outcome’. This relates to processes involving handling an individual’s personal data.
However, there are more straightforward definitions to unwrap, so let us explore both phrases in more detail.
‘Totally automated’ means a process within which the information is processed by a system or piece of electronic software. Therefore, it does not matter whether the information is input into the system by a human (typing the data into the system) or through software (via a website form). Instead, it matters whether a human or automated system considers the information to create an outcome.
Example
So, let us consider the two different systems below. The first system will meet the definition of automated decision-making, whilst the second will not.
System 1
Your company’s website invites individuals to fill out an online application form for a vacancy. You have set the form to automatically filter out individuals who have placed a high figure in the ‘preferred salary’ section. Those individuals have their applications deleted before sight by HR (and HR never learns of any deleted applicants).
System 2
Your organisation’s website has the same online application form for a job vacancy. However, the form does not delete itself if some answers are not preferable. Instead, it marks the application in red when it reaches HR. The red marking shows that some answers were not ideal, but HR has the final decision on whether to invite the applicant to interview.
In the first scenario, the electronic system automatically dictates the outcome without any oversight or double-checking by HR. However, in the second example, there is a human influence on the outcome because an individual in HR can overrule the system (for example, by concluding that the increased salary expectations are sensible given the high experience of the job candidate).
Does the GDPR Cover All Automated Decisions?
No, the GDPR acknowledges that minor decisions do not require its protection. Instead, it only covers automated decision-making that ‘produces legal effects’ concerning individuals or ‘similarly affects’ individuals.
What does it mean for a decision to ‘produce legal effects’ or ‘similarly affect’ a data subject? Let us explore these in more detail below.
Decisions Producing Legal Effects
The GDPR classes a decision as producing ‘legal effects’ if it affects an individual’s legal status or legal rights.
So, for example, an individual has the legal right to apply for a job without discriminatory decision-making. This means that any job application process involving an automatic decision absent any human input will have a ‘legal effect’ and must comply with GDPR rules.
Decisions With Similar Effects to Those Affecting Legal Status
The ICO states that this is a decision that has an impact equivalent to one that affects an individual’s legal status. So, for example, any automatic system that impacts the well-being of children (say, a social media website that learns a child’s viewing habits and suggests further content) will have a ‘similar’ effect.
Other examples include decisions made by automated means that can impact an individual concerning any of the following:
- their health;
- their financial position;
- their employment status; or
- their ability to access an essential service.
How Does the GDPR Restrict Automated Decision-Making?
The GDPR bans businesses in England from automating decision-making when:
- there is no human involvement or oversight regarding the outcome of the decision-making process; and
- the decision has a legal effect (or similarly significant effect) on the individual.
If these conditions do not apply, you can use automated decision-making. However, if these conditions apply, you must not do so.
Overall, you can put a largely automated system in place as long as a human makes the final decision. If you are unsure whether the two conditions listed above are met, you should consider obtaining legal advice. Any failure to do so may result in a fine from the ICO of up to £17.5m, so it pays to be sure.
Key Takeaways
The GDPR aims to protect individuals against unfair decisions made without human intervention. However, it only seeks to protect individuals from solely automated decisions that significantly impact them. Many business owners will run any automated decision-making process through an expert lawyer before implementing it. This is a sensible step to lower the risk of a hefty future fine for a breach of data protection law from the ICO.
If you need help safely introducing an automated decision process, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Because there is a belief that human oversight is necessary when decisions seriously impact an individual’s life.
Yes, as long as the human review was genuine and that person had the ability and power to overturn the system rather than simply carrying out the automatic decision.