← Back to Regulatory Updates

Regulatory Update • May 2026

ICO Consults On Automated Decision-Making And Profiling Guidance

Published: May 2026 Topic: Automated Decision-Making / Profiling Source: ICO Consultation

The ICO is consulting on updated guidance about automated decision-making and profiling, including how organisations should assess when Article 22 UK GDPR may apply.

The consultation is relevant for organisations using AI tools, scoring systems, profiling, segmentation, automated approvals, recruitment screening or similar technologies that influence decisions about people.

Reading time 2 minutes

What changed

The ICO is consulting on draft guidance about automated decision-making and profiling. The consultation is open until 29 May 2026 and focuses on how organisations should understand and apply UK GDPR requirements when using systems that make or support decisions about people.

The draft guidance looks at when automated decision-making may fall within Article 22 UK GDPR, how profiling should be understood, and what organisations need to consider around transparency, fairness, safeguards, and meaningful human involvement.

What is automated decision-making?

Automated decision-making happens when a decision is made by technological means without meaningful human involvement. Profiling is related, but broader. It involves using personal data to evaluate or predict things about a person, such as behaviour, preferences, performance, reliability, location, interests or risk.

Why this matters

This matters because automated decision-making and profiling are becoming more common in ordinary business tools, not just specialist AI systems. Recruitment tools, customer scoring, fraud checks, CRM segmentation, marketing personalisation, lending decisions and automated approvals can all raise data protection questions.

Organisations need to understand whether their systems merely support human decision-making or whether they are producing decisions in a way that may trigger Article 22 UK GDPR protections. For wider updates across privacy, AI, marketing and data protection, see our Regulatory Updates page.

What organisations should do

Organisations using AI, scoring, profiling, segmentation or automated approval tools should treat this consultation as a prompt to review how decisions are made and explained.

  • Identify where automated tools, scoring models or profiling are used across the organisation.
  • Check whether decisions are made solely by automation or whether there is meaningful human involvement.
  • Review whether individuals are told clearly about profiling or automated decision-making in privacy information.
  • Assess whether appropriate safeguards, review routes and human intervention options are in place where needed.
  • Consider whether DPIAs, data mapping records and internal AI governance documents need updating.

Practical takeaway

Organisations should not wait for highly technical AI regulation before reviewing automated decision-making and profiling. If a system evaluates people, scores them, segments them or influences important outcomes, it should be mapped, explained and reviewed through a data protection lens.

Grounded in

ICO consultation on draft guidance about automated decision-making and profiling, open until 29 May 2026, including Article 22 UK GDPR, profiling, safeguards, transparency and human involvement considerations.

Sources