Article 22 and Automated Decisions: What HR, Credit and Insurance Firms Need to Know
If your business uses AI to screen CVs, score credit applications, price insurance, or make any other significantly automated decision about a person, the Data (Use and Access) Act 2025 is the rulebook that already applies to you under UK law. This is the field guide to Article 22 automated decisions.
What changed in 2025
The Data (Use and Access) Act 2025 (DUAA) reformed Article 22 of UK GDPR, the rules on "solely-automated decisions with legal or similarly significant effects" on individuals. The reforms tightened how decisions can be made, broadened what counts as "significantly automated", and made meaningful human involvement, contestability and information rights more explicit.
These rules are in force now. They apply whether or not the EU AI Act applies to you. They're enforced by the Information Commissioner's Office, a UK regulator with the power to issue fines, enforcement notices and reputational findings.
When does Article 22 apply?
Three conditions need to be met:
- A decision is being made about a person. Not a generic output, but a decision that affects someone specifically.
- The decision is solely or significantly automated. If there's a human in the loop but they always rubber-stamp the algorithm's output, that's still treated as automated for these purposes.
- The decision has a legal or "similarly significant" effect. Being denied credit, passed over for a job interview, charged a higher insurance premium, refused a service, or denied a benefit: all qualify.
If all three are true, you're squarely inside Article 22 territory and you owe the person specific safeguards.
"If your ATS auto-ranks CVs or your recruiters use generative AI to shortlist, you're inside Article 22 and the Equality Act. The EU AI Act stacks on top if you hire across borders."
The four highest-risk use cases we see
1. AI-assisted CV screening and candidate ranking. Applicant tracking systems that auto-score, auto-rank or auto-reject candidates are textbook Article 22. So is using a generative AI tool to summarise CVs into a yes/no shortlist. The Equality Act also bites here: if your model disadvantages a protected characteristic, the unintended-bias defence is weaker than people imagine.
2. Automated credit decisions. Consumer credit, BNPL, business lending, mortgage pre-qualification. These have always been Article 22 country; the DUAA reforms tightened the safeguards and made information rights more explicit. The FCA also has views (see SS1/23). If you operate cross-border, the EU AI Act explicitly classifies credit scoring as high-risk.
3. Insurance underwriting and pricing. Solely-automated risk assessment, automated quote generation, dynamic premium adjustment: all in scope. Add the Equality Act for any factor that proxies for a protected characteristic, plus your PRA expectations on model risk.
4. Dynamic and personalised pricing. If you're an online retailer adjusting prices based on profile signals, you're probably inside Article 22 (the "similarly significant effect" threshold is lower than people think) and you have CMA scrutiny on top.
What you owe the person
If Article 22 applies, you need to be able to demonstrate, on demand and to the ICO:
- A lawful basis for the automated decision-making (usually contract necessity, explicit consent, or specific legal authorisation).
- Meaningful information provided to the data subject about the logic involved, the significance, and the envisaged consequences.
- Safeguards: at minimum, the right to obtain human intervention, the right to express a point of view, and the right to contest the decision.
- A DPIA documenting the risk assessment and your safeguards, mandatory for any high-risk processing.
- Equality Act due diligence: evidence that you've tested the model for disparate impact across protected characteristics.
What "meaningful human involvement" actually means
The single most common compliance failure we see is the "rubber stamp" pattern: an algorithm produces a recommendation, a human ticks a box, and the firm claims the decision wasn't solely automated. The ICO and the courts have been clear: that doesn't count. Human involvement is only meaningful if the reviewer (a) has the information they need to overrule the algorithm, (b) has the authority to do so, and (c) actually does sometimes override the output in practice. If your reviewers approve the model's recommendation 99.8% of the time, you're effectively running an automated process.
"The 'rubber stamp' defence (a human ticks a box on the algorithm's recommendation) doesn't work. Meaningful human involvement means the reviewer has the information, the authority, and the practice of overriding the model when it's wrong."
The Equality Act overlay
Article 22 protects individuals' procedural rights. The Equality Act protects them from discrimination. Both apply, simultaneously, to AI-driven decisions about people. A model can be procedurally compliant under Article 22 and still produce unlawfully discriminatory outcomes under the Equality Act. In fact, that's the more common failure pattern.
If your model uses any feature that correlates with a protected characteristic (postcode for race, employment-gap features for sex via maternity, voice patterns for disability), you need evidence that you've tested for disparate impact and either eliminated it or have an objective justification. "We didn't know it was biased" is not a defence.
The EU AI Act overlay (for the firms it applies to)
If you screen EU candidates, lend to EU consumers, insure EU policyholders, or operate AI procured from EU vendors, the EU AI Act stacks on top. It explicitly classifies recruitment, credit scoring and employment-decision AI as high-risk, with its own documentation, oversight and registration obligations. Our EU AI Act Rapid Audit covers this for cross-border firms.
What our Article 22 Audit covers
Our Automated Decision-Making Audit is a focused, 2–3 week engagement designed for HR, credit, insurance and pricing teams. We inventory every solely or significantly automated decision your AI makes about a person, assess your safeguards against ICO expectations, stress-test for Equality Act exposure across protected characteristics, and deliver DPIA-aligned documentation plus a contestability process you can actually operate.
If you'd rather start lighter, take the free Scorecard. The questions on automated decisions will surface whether you have Article 22 exposure within minutes.