Brief № 043 · Regulation

The UK automated-decision file SMEs now need

The UK Data Use and Access Act is now in force. SMEs using AI decisions need a small evidence file before they need a governance programme.

By Daniel Brennan 4 min read Last verified

A desk holds stamped documents and office paperwork arranged for review.
Photo: desk with documents and stamps - Ylanite Koppens, Pexels
On this page
  1. The line is meaningful involvement
  2. The file is smaller than the policy
  3. Complaints make it visible
  4. The UK-EU split is now procedural
  5. What to do before winter guidance

The UK’s AI rulebook still looks lighter than the EU’s, but the easy version of that sentence is now misleading.

The Data Use and Access Act reached a live milestone on 19 June 2026, when the ICO marked the 12-month commencement point. For SMEs using automated scoring, triage, pricing, recruitment filters or AI-assisted case routing, the practical question is no longer whether Britain has copied the AI Act. It has not. The practical question is whether the firm can show where an automated decision stops and a human decision begins.

The line is meaningful involvement

Section 80 of the Data (Use and Access) Act 2025 gives the short test. A decision is solely automated if there is no meaningful human involvement in taking it. That sounds simple until it meets an SME workflow.

A customer-support classifier that only sorts tickets is not the same as a system that closes a complaint. A credit-risk score that informs a manager is not the same as one that blocks an application. A hiring tool that ranks CVs is not the same as one that decides who receives an interview. The difference is not the label “AI”. It is who can change the outcome, when, and on what evidence.

The ICO’s draft automated decision-making consultation closed on 29 May 2026. Its technology guidance tracker lists the update as still in drafting, with final guidance due in winter 2026. That leaves a useful gap for SMEs: build the evidence file now, before the final words arrive.

The file is smaller than the policy

The first artefact does not need to be a governance programme. It needs to be a decision file for each workflow where software has practical power over a person.

File itemMinimum question
DecisionWhat outcome can the system change for a person?
DataWhich inputs are used, and which source is authoritative?
AutomationIs the system recommending, ranking, blocking or finalising?
Human roleWho can intervene before the outcome is applied?
Challenge routeHow can the person ask for review or contest the result?
LogsWhat record proves the recommendation, review and final action?

Source: Data (Use and Access) Act 2025, section 80, ICO DUAA pages and ICO automated decision-making consultation. Last verified 2026-07-05.

This is deliberately plain. If a smaller firm cannot answer these six lines, a longer policy will not rescue it. The missing item is usually operational: the review happens in a shared inbox, the override is verbal, the CRM only stores the final status, or nobody has written down which manager is allowed to disagree with the model.

Complaints make it visible

The DUAA also matters because it pushes ordinary data-protection handling closer to the product workflow. The ICO’s organisational guidance points firms to changes around complaints, transparency, research, children and cookies. For automated decisions, the visible pressure point is the complaint or challenge.

If a customer, applicant or employee asks why a decision was made, the company needs more than a model name. It needs the decision path. What data entered the system? What did the automation produce? Did a human see it? Did that person have enough information and authority to change the result? Was the final outcome logged separately from the recommendation?

That evidence is not only for regulators. It is also for the person in the business who has to reopen the case six weeks later. Many SMEs discover too late that the automated part is documented, but the human review is not.

The UK-EU split is now procedural

For cross-Channel firms, the UK remains less prescriptive than the EU AI Act. There is no UK conformity assessment regime for AI systems as a category. There is no CE-style technical file. Enforcement still runs through existing regulators and legal duties.

But that does not make the British side empty. The UK file is procedural: data-protection basis, transparency, meaningful human involvement, contestability and logs. The EU file is broader and more formal for systems caught by the AI Act. A small firm selling or operating in both markets should not treat these as rivals. It should keep one workflow map and attach the UK and EU evidence to the same process.

The lazy failure mode is to write “human in the loop” in a policy and leave the actual loop undefined. The better version names the human, the moment, the authority and the record. That is the difference between a slogan and meaningful involvement.

What to do before winter guidance

The final ICO guidance may change wording, examples and emphasis. It is unlikely to make undocumented decision paths look good.

Start with the three workflows where software has the highest practical effect: hiring, credit or payment, customer access, fraud flags, insurance, complaints, support priority, or staff monitoring. For each one, write the six-line decision file. Then test one real case from input to outcome.

If the review cannot be reconstructed, do not buy a platform first. Fix the workflow. The useful question for an SME is not whether the model is impressive. It is whether a person can still understand, challenge and change the decision when it matters.

Frequently asked questions

Does the UK now have an AI Act?

No. The DUAA changes data-protection rules, including automated decision-making, but it is not a horizontal AI statute.

What should an SME document first?

The decision being made, the data used, who can intervene, how a person can challenge the result, and what logs prove the process.

Is final ICO guidance already published?

No. The ICO lists the automated decision-making guidance update as drafting, after a closed consultation, with final publication due in winter 2026.

Sources

  1. Primary Data (Use and Access) Act 2025, section 80 legislation.gov.uk accessed
  2. Official One year on: marking the 12-month commencement of the Data (Use and Access) Act Information Commissioner's Office accessed
  3. Official ICO consultation on the draft guidance about automated decision-making, including profiling Information Commissioner's Office accessed
  4. Official The Data Use and Access Act 2025: what does it mean for organisations? Information Commissioner's Office accessed
  5. Official Data Use and Access Act 2025: data protection and privacy changes GOV.UK accessed

Image credit: Photo: desk with documents and stamps - Ylanite Koppens, Pexels

Daniel Brennan covers the UK and Ireland tech business beat for Flint Brief.

Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).

Stay in the loop

Now and then, a concrete take on internal tools and practical AI for SMEs. No spam.