Automated decision-making, where a system reaches an outcome about a person with no human weighing in, used to sit on the wrong side of the default rule. The Data (Use and Access) Act 2025 has turned that default around. Since 5 February 2026 the reformed regime treats a solely automated decision as permitted, subject to safeguards, rather than prohibited save for narrow exceptions. For a firm putting AI into client intake, screening or pricing, that is a real change in what the law lets you build.

The rule as it stood

Under the old Article 22 of the UK GDPR, a person held the right not to be subject to a decision based solely on automated processing that produced legal effects or something similarly significant. In practice that read as a general ban. A firm relying on software to decide, with no person of judgment in the loop, needed to fit one of three narrow gates. The decision had to be necessary for a contract, or the person had to give explicit consent, or a specific law had to allow it. For most client work none of those sat comfortably, so firms kept a fee earner in the decision and treated full automation as off limits.

What the reform did

The Act rebuilt that structure. For ordinary personal data, a solely automated decision with legal or similarly significant effect is now allowed on any lawful basis under Article 6, including the firm's legitimate interests, provided the required safeguards sit around it. The starting point moved from prohibition to permission. One limit holds firm. Where the decision runs on special category data, the sensitive information that fills so many legal files, health, criminal matters, beliefs and the like, the tighter conditions stay in force and full automation is confined to a much narrower set of grounds.

Where your firm meets this

The change applies wherever a tool decides rather than assists. Intake systems that accept or turn away an enquiry on a score. Conflict and eligibility screens that pass or fail a prospective client with no person reading the result. Pricing engines that set a quote and send it. Merits or claims tools that grade a case and route it one way or another. If a fee earner reads the output and makes the call, the decision is not solely automated and the old worry does not arise. If the tool decides and staff pass it on unchecked, you are in scope, and the reform now offers a lawful route that did not exist before, on condition you meet what comes with it.

The safeguards that come with it

Permission comes tied to duties owed to the person affected. You have to tell them a solely automated decision has been made. You have to let them make representations, ask for a human to look again, and contest the outcome. A human review that only signs off what the machine produced will not answer this. The person doing it needs the authority and the competence to change the decision, not a screen to click past. Build those routes before the tool goes live, not after a client complains that a computer decided their matter and no one would explain it.

Start by finding where in your firm a system already settles something about a client with no real human judgment between the data and the outcome. Decide whether you want that, and if you do, put the safeguards around it and record the lawful basis you rely on. Keep special category data out of full automation unless you have taken advice on the narrow conditions that still bind it. The ICO consulted on updated guidance that closed at the end of May, and a statutory code of practice on AI and automated decision-making is expected later this year, so the detail will settle further as the year runs on.

The regulator's draft position is set out in its consultation on automated decision-making and profiling.

If you cannot say for certain whether any tool in your firm has crossed from assisting into deciding, that line is one of the first things our compliance check looks for: see how it works.