In Short
- Article 22 of the UK GDPR restricts decisions based solely on automated processing, especially when they have significant effects on individuals.
- You must have meaningful human involvement if the decision significantly impacts a person’s legal or financial situation.
- Ensure compliance by providing individuals with transparency, the right to contest decisions, and safeguards when automated decision-making is used.
Tips for Businesses
If your business uses automated decision-making, assess whether it falls under Article 22 of the UK GDPR. If so, provide transparency to individuals, explaining how decisions are made and offering a right to request human intervention. Consider performing a Data Protection Impact Assessment to ensure compliance and fairness in your systems.
Automated decision-making is becoming more common as technologies advance rapidly. However, the UK GDPR regulates automated decision-making, and many businesses find this a challenging area of compliance to navigate. When you make decisions without human involvement that significantly affect someone’s rights, data protection law imposes strict rules that you must follow. Under Article 22 of the UK GDPR, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision has legal or similarly significant effects. If you use automated tools to make decisions about staff, customers, or users, you must understand your legal obligations and the protections individuals are entitled to. This article introduces what automated decision-making means and the key rights of individuals concerning Article 22 of the UK GDPR and the relevant ICO guidance.
What is the Purpose of Article 22?
Under Article 22 of the UK GDPR, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision has legal or similarly significant effects. If you use automated systems to make decisions about individuals, such as staff or customers, you must always consider how those decisions align with the fundamental principles of the UK GDPR – in particular, the principle of transparency.
Automated individual decision-making means making a decision without any meaningful human involvement. This includes making decisions using technology, algorithms, or machine learning tools without a person reviewing or changing the outcome.
Examples
Examples include:
- automatically refusing a credit application; and
- using online test scores to shortlist job applicants.
This does not include processes where someone meaningfully reviews the outcome and can change it.
Profiling is often used in these systems – this can involve analysing someone’s behaviour, preferences, or characteristics to predict how they may act. Profiling alone is not banned, but if it forms part of a solely automated decision with legal or similarly significant effects, the Article 22 rules apply. The purpose of Article 22 is to ensure fairness and accountability in how you use technology to make decisions about individuals. It protects people from significant decisions made entirely by machines unless you put suitable safeguards in place.
What Does Article 22 Require?
Article 22 restricts decisions made solely by automated means with legal or similarly significant effects on individuals. A decision is solely automated when a machine makes it without meaningful human involvement. If someone in your business reviews and can change the decision, then the rules on solely automated decisions do not apply. Token review is insufficient, though – the person must have real authority to intervene and adjust the outcome.
This definition can be complex to determine in practice, so you should take legal advice if you are unsure whether your business activities could fall within the scope of the Article 22 restriction.
What are the Rights of Individuals?
Under Article 22 of the UK GDPR, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision has legal or similarly significant effects. This right applies when you make decisions without any meaningful human involvement.
You can only make this type of decision if one of the following exceptions applies:
- the decision is necessary for entering into or performing a contract with the individual;
- UK law authorises or requires the decision and provides safeguards; and
- the individual has given their explicit consent.
If you rely on one of these exceptions, you must take specific steps to protect the individual’s rights.
Examples
These include:
- telling the individual that you use solely automated decision-making;
- explaining what data you use, how the decision is made, and what the likely consequences are; and
- giving the individual the right to request human intervention, express their views, and contest the decision.
Legal protections are in place to ensure that individuals remain informed and have a way to challenge or change automated decisions that could significantly impact them.
You must build these rights into your processes and ensure that you regularly review your systems for accuracy, bias, and fairness.
Which Other Data Protection Law Rules Apply?
Article 22 is a complex area with strict legal requirements. You should assess whether your decision-making systems fall within its scope. In addition to the rights of individuals, you must meet a range of other obligations when you carry out solely automated decision-making.
Even if your processing falls outside of Article 22, you still must follow broader data protection principles such as transparency, fairness, accuracy, and minimisation. Legal advice from a data protection lawyer can help you identify and comply with your obligations and ensure your activities align with the UK GDPR requirements.

Key Takeaways
If you use systems that make significant decisions about individuals without human involvement, your business should assess and comply with Article 22 of the UK GDPR where required. Article 22 of the UK GDPR sets out complex rules which can be challenging for a business to navigate, for example the rules around giving individuals the chance to object to automated decision-making in certain circumstances. If you are unsure about your obligations, you should take legal advice from a data protection solicitor to help avoid risk.
If you need help reviewing your UK GDPR compliance, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
It gives individuals the right not to be subject to a decision based solely on automated processing if the decision has legal or similarly significant effects. You can only carry out this kind of processing if certain exceptions apply and you put appropriate safeguards in place.
Automated decision-making is a legally complex area. You must assess whether Article 22 applies and ensure your systems comply with the strict legal requirements. Legal advice can help you meet your obligations, reduce risk, and build appropriate safeguards into your processes.