On 31 March 2026 the Information Commissioner's Office published a consultation package on solely automated decision-making, with a focus on recruitment use cases. An updated draft of the guidance was issued for consultation on 8 April 2026. The instrument is in draft form. The consultation closes on 29 May 2026.
The Draft Guidance interprets the changes that the Data (Use and Access) Act 2025 introduced to Article 22 UK GDPR. The DUAA replaces the general prohibition on solely automated decisions with a permissive, safeguard-led approach. Controllers may rely on any Article 6 lawful basis when carrying out solely automated decisions. The Draft Guidance identifies three points where information must be provided: at first collection of personal data, on a data subject access request, and at the point of an automated decision. Safeguards include transparency, risk assessments, record-keeping, and rights to human review and challenge.
Recruitment platforms running CV screening or video assessment must document lawful basis, conduct data protection impact assessments and offer meaningful human review. Insurers, lenders and AI deployers using profiling at the point of contract formation fall directly within scope. AI vendors selling decision support to UK controllers should expect contractual flow-down of the new safeguards. HR functions running internal performance scoring tools must update privacy notices and meet the three information triggers identified in the guidance.
The Draft Guidance is non-binding and may evolve before the statutory code of practice on AI and ADM, which the ICO expects to publish later in 2026. The guidance keeps the existing high threshold for what qualifies as a solely automated decision producing legal effects on the data subject or other materially equivalent effects. Children's data and special category data continue to attract heightened protections. The interaction with the Equality Act 2010 in recruitment use cases remains an active area of ICO supervisory focus.
We advise on UK GDPR compliance, ADM governance and recruitment AI deployment, and we maintain a partner network in the UK and EU for cross-jurisdictional reviews. Contact us to scope an ADM readiness review or to draft a consultation response. Work we undertake includes data protection impact assessments, ADM governance policies, recruitment AI audits, controller-processor agreements, and consultation submissions to the ICO.
Source: Information Commissioner's Office, ICO consultation on the draft guidance about automated decision-making, including profiling, opened 31 March 2026, closing 29 May 2026, https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2026/03/ico-consultation-on-the-draft-guidance-about-automated-decision-making-including-profiling/. Date confirmed: 8 May 2026.
The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.