
Does the GDPR Allow My Business to Use Automated Decision Making in the UK?

The introduction of the General Data Protection Regulation caused businesses in the UK to rethink how they handled personal information. However, due to media attention mainly focusing on the ability of the Information Commissioner’s Office (ICO) to fine organisations up to £17.5m, some businesses remain unaware of the more technical parts of the UK GDPR. One such example includes the restrictions on solely automated decision-making by companies in the UK. This article will explore what constitutes automated decision-making and the restrictions placed upon doing so by the GDPR to ensure your business does not risk a hefty financial penalty from the ICO.

What is Automated Decision-Making?

The ICO defines this as a decision-making process that is ‘totally automated’ and has no ‘human influence on the outcome’. This relates to processes that involve handling an individual’s personal data.

However, there is more to unpack in these two phrases, so let us explore both in more detail.

‘Totally automated’ means a process within which the information is processed by a system or piece of electronic software. Therefore, it does not matter whether the information is entered into the system by a human (typing the data into the system) or through software (via a website form). Instead, what matters is whether a human or an automated system considers the information to produce an outcome.

Similarly, the ‘human influence on the outcome’ wording demonstrates that the definition relies on whether a human is involved in the end decision.

Example

So, let us consider the two different systems below. The first system will meet the definition of automated decision-making, whilst the second will not.

System 1

Your company’s website invites individuals to fill out an online application form for a vacancy. You have set the form to automatically filter out individuals who have placed a high figure in the ‘preferred salary’ section. Those individuals have their applications deleted before sight by HR (and HR never learns of any deleted applicants).

System 2

Your organisation’s website has the same online application form for a job vacancy. However, the system does not delete an application if some answers are not preferable. Instead, it marks the application in red when it reaches HR. The red marking shows that some answers were not ideal, but HR has the final decision on whether to invite the applicant to interview.

In the first scenario, the electronic system automatically dictates the outcome without any oversight or double-checking by HR. However, in the second example, there is a human influence on the outcome because an individual in HR can overrule the system (for example, by concluding that the increased salary expectations are sensible given the high experience of the job candidate).


Does the GDPR Cover All Automated Decisions?

No, the GDPR acknowledges that minor decisions do not require its protection. Instead, it only covers automated decision-making that ‘produces legal effects’ concerning individuals or ‘similarly affects’ individuals.

What does it mean for a decision to ‘produce legal effects’ or ‘similarly affect’ a data subject? Let us explore these in more detail below.

The GDPR classes a decision as producing ‘legal effects’ if it affects an individual’s legal status or legal rights.

So, for example, an individual has the legal right to apply for a job without discriminatory decision-making. This means that any job application process involving an automatic decision absent any human input will have a ‘legal effect’ and must comply with GDPR rules.

The ICO states that a decision ‘similarly affects’ an individual if it has an impact equivalent to one that affects the individual’s legal status. So, for example, any automatic system that impacts the well-being of children (say, a social media website that learns a child’s viewing habits and suggests further content) will have a ‘similar’ effect.

Other examples include decisions made by automated means that can impact an individual concerning any of the following:

  • their health;
  • their financial position; 
  • their employment status; or
  • their ability to access an essential service.

How Does the GDPR Restrict Automated Decision-Making?

The GDPR bans businesses in England from automating decision-making when:

  • there is no human involvement or oversight regarding the outcome of the decision-making process; and
  • the decision has a legal effect (or similarly significant effect) on the individual.

If both conditions apply, you must not use automated decision-making. If they do not, you can.

Overall, you can put a largely automated system in place as long as a human makes the final decision. If you are unsure whether the two critical conditions above are met, you should consider obtaining legal advice. Any failure to do so may result in a fine from the ICO of up to £17.5m, so it pays to be sure.

Key Takeaways

The GDPR aims to protect individuals against unfair decisions made without human intervention. However, it only seeks to protect individuals from solely automated decisions that significantly impact them. Many business owners will run any automated decision-making process through an expert lawyer before implementing it. This is a sensible step to lower the risk of a hefty future fine for a breach of data protection law from the ICO.

If you need help safely introducing an automated decision process, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why does the GDPR restrict artificial intelligence in this way?

Because there is a belief that human oversight is necessary when decisions seriously impact an individual’s life.

Would an automatic system with a human review at the end meet GDPR rules?

Yes, as long as the human review was genuine and that person had the ability and power to overturn the system rather than simply carrying out the automatic decision.

Thomas Sutherland