Practical AI and SaaS for Business

UK GDPR Automated Decision Human Review

If an AI tool makes a decision about a customer with legal or similarly significant effect, they have a right to ask for a real human to look at it again. This guide explains what UK GDPR actually requires when that request lands on your desk, and what counts as a genuine human review rather than a rubber stamp.

Last verified: 17 July 2026. References checked against current legislation.

Editorial Perspective

You manage customer operations at a 20-person insurance broker, and your AI tool auto-declines small claims that don't meet the criteria. The problem lands when a declined customer emails asking for a person to look at their case again, and you're not sure what you're actually obligated to do. This guide explains exactly what UK GDPR requires, and what a genuine human review looks like versus one that doesn't count. No legal background needed.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

If your AI tool makes a decision about someone with a legal or similarly significant effect, and no real person was meaningfully involved, that person has specific rights under UK GDPR, including the right to ask for a human to look at it again. These rights were substantially updated in early 2026, and the rules on what counts as a genuine human review are stricter than a lot of businesses assume.

In short: Where a decision with legal or similarly significant effect is made solely or predominantly by an automated system, UK GDPR requires you to tell the person, offer a genuine human review on request, accept their input, and let them contest the outcome. A human review only counts if it happens after the automated decision, actually reconsiders the outcome, and isn't just a quick rubber-stamp of what the AI already decided.

The plain-English answer

Using AI to auto-approve or auto-decline decisions is legal, plenty of UK businesses do this for routine, lower-stakes cases. What matters is what happens when the decision has a real effect on someone, financial, legal, or similarly significant, and they ask for a person to look at it. At that point, UK GDPR requires more than a quick second glance from the same system, it requires a genuine human review, someone who can actually change the outcome, not just confirm it.

Why this matters for your business

A 20-person insurance broker auto-declining small claims that don't meet clear criteria is a genuinely reasonable, common use of AI, most declined claims probably are correctly declined. The obligation isn't a judgment on the AI tool's accuracy, it's about giving the person on the other end of a wrong or disputed decision a real path to have it looked at properly, not just a form response confirming the computer's answer.

Getting this wrong has real consequences beyond regulatory risk. A customer whose declined claim was actually correct but who never got a genuine review is likely to escalate to a complaint or an ombudsman referral, both of which cost more time and reputational goodwill than a properly resourced human review process would have in the first place.

What UK GDPR actually requires

The relevant rules were significantly updated on 5 February 2026, when the previous Article 22 UK GDPR was replaced by new Articles 22A to 22D under the Data (Use and Access) Act 2025. Under the current framework, where a decision is made solely or predominantly by automated processing and has a legal or similarly significant effect on someone, your business must give them specified information about the decision, offer a genuine human review on request, accept representations from them, and allow them to contest the outcome. See the ICO's own guidance on automated decision-making rights for the full detail.

The ICO's guidance is specific about what makes a review genuinely "meaningful": human involvement has to come after the automated decision has already been made, it has to relate to the actual outcome for that specific person, and a human simply rubber-stamping the AI's answer without properly reconsidering it doesn't satisfy the requirement, the decision is still treated as solely automated in that case. The threshold for "legal or similarly significant effect" covers things like a declined insurance claim, a credit decision, a rejected job application, and similar outcomes that materially affect someone's circumstances.

What this looks like in practice

Picture the customer operations manager at the insurance broker, receiving an email from a customer whose small claim was auto-declined, asking for someone to look at it again. Before working through the requirement properly, the default instinct might be to re-run the claim through the same system and send back the same answer, technically a second look, but not a genuine human review under the rules.

The compliant version looks different: a real claims handler pulls up the customer's actual case, reviews the specific facts, and reaches an independent judgment, which might confirm the original decision or might overturn it. The manager also sets a clear internal timeframe for responding to these requests and a simple process for customers to ask for a review in the first place, rather than leaving it to be discovered only when someone happens to complain loudly enough.

What you can do about it

A practical setup for any AI tool making decisions with real effects on customers:

  • Identify which of your AI-driven decisions could have a legal or similarly significant effect, declined claims, credit or pricing decisions, and similar are the clearest examples.
  • Tell customers clearly, at the point of the decision, that they can request a human review, don't bury this in general terms and conditions.
  • Assign the review to someone who can genuinely reconsider the case and change the outcome, not just confirm the AI's answer.
  • Set a clear, reasonable timeframe for responding to review requests, and stick to it.
  • Keep a record of review requests and outcomes, this is useful evidence of a genuinely working process, not just a policy on paper.

If your AI decision tool is used in a regulated financial service specifically, additional FCA expectations also apply on top of this. See our guide on AI in UK financial services: what the FCA expects.

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Tool Selector to get a personalised AI tool recommendation for your business.

Try our free AI vs Human Cost Comparison to compare the cost of AI tools against equivalent human time.

Does this apply to every AI-assisted decision, or only ones with a real effect on someone?

Only decisions with a legal or similarly significant effect, a decision that doesn't materially affect someone's circumstances doesn't trigger the human review requirement in the same way. But the threshold is broader than businesses often assume, financial, legal, and access-to-service decisions generally qualify.

Can the same AI system perform the human review, just with a person clicking approve?

No, that doesn't count as meaningful human involvement under the ICO's guidance. The review needs a real person who can actually reconsider and potentially change the outcome, not a formality where a human confirms whatever the system already decided.

What changed with the Data (Use and Access) Act 2025?

It replaced the previous single Article 22 with new Articles 22A to 22D, effective 5 February 2026, restructuring and, in places, clarifying the specific obligations, including the information, human review, representation, and contest rights covered in this guide. If you're working from older guidance that only references "Article 22," check it against the current framework.

How quickly do we have to respond to a human review request?

UK GDPR expects requests to be handled within a reasonable timeframe, without a single fixed number specified for this particular right. Setting and publishing your own clear internal timeframe, and meeting it consistently, is the practical way to demonstrate a genuinely working process.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Using AI for a decision in a regulated financial service specifically?

Check FCA expectations