Most UK compliance teams know about GDPR Article 22 — the original rule on automated decision-making. But as of 5 February 2026, that rule was replaced. The Data (Use and Access) Act 2025 introduced a new framework: Articles 22A through 22D. The obligations are different. The conditions are different. And most organisations have not assessed their position under the new rules. This article explains what changed and what you need to do about it.

What Was Article 22 and Why Was It Replaced?

Article 22 of the UK GDPR gave individuals the right not to be subject to solely automated decisions that significantly affected them. The Data (Use and Access) Act 2025 replaced this with a new conditions-based framework. Under Articles 22A through 22D, automated decisions are now permitted in specific circumstances — but with new transparency, notification, and human review obligations that most organisations have not yet implemented.

The New Framework: Articles 22A–22D Explained

Article 22A sets out when automated decisions are permitted — covering contractual necessity, legal authorisation, and explicit consent. Article 22B requires organisations to notify individuals when an automated decision has been made about them. Article 22C gives individuals the right to request human review of automated decisions. Article 22D sets specific rules for sensitive data categories. Together, these create a more structured regime than the old Article 22 — but one that requires deliberate implementation.

Which Organisations Are Affected?

Any UK organisation that uses automated systems to make decisions about individuals is potentially in scope. This includes employers using AI to screen job applicants, lenders using algorithms to assess creditworthiness, insurers using automated underwriting, retailers using AI-driven customer profiling, and any organisation using AI in fraud detection or risk scoring. If your system makes a decision that affects a person — and does so without meaningful human involvement — you need to assess your position under the new framework.

Your Immediate Compliance Checklist

1. Map every AI or algorithmic system your organisation uses to make decisions about individuals.
2. Assess whether each system makes solely automated decisions with legal or significant effects.
3. Check that you have a valid condition under Article 22A for each automated decision process.
4. Implement notification procedures — individuals must be informed when automated decisions are made about them.
5. Create a human review process for individuals who request it under Article 22C.
6. Review your privacy notices to ensure they reflect the new ADM framework.

How Wishory Can Help

Wishory’s UK ADM Compliance Review assesses your organisation’s automated decision-making processes against the new Articles 22A–22D framework. We identify your exposure, review your existing policies, and deliver a clear remediation plan. From £2,000. Book a free 30-minute discovery call at wishory.com/book to discuss your position.
