Agentic AI data protection: where the ICO’s draft Article 22 guidance leaves UK data controllers

In short: Agentic AI data protection in the UK is governed by UK GDPR Articles 22A to 22D, which permit solely automated significant decisions subject to the Article 22C safeguards. The safeguards apply at every sub-agent step. The data controller must control which sub-agents the orchestrator calls, hold a controller-to-processor contract under Article 28 for each, and run a DPIA that covers the orchestration. The ICO consultation closes on 29 May 2026.

By Rob Bratby, Managing Partner, Bratby Law. Lexology Global Elite Thought Leader for Data Protection. Chambers UK Band 2 (Telecommunications). Legal 500 Leading UK Telecoms Partner. 30+ years in telecoms and data protection regulation, including Oftel and senior operator roles.

Building an agentic AI pipeline today exposes a UK data controller to direct enforcement and claim risk under UK GDPR Articles 22A to 22D, substituted by Data (Use and Access) Act 2025 section 80 and in force from 5 February 2026. The UK rules permit solely automated significant decisions subject to safeguards; the EU rules prohibit them subject to three narrow conditions. The UK safeguards apply at every step in the pipeline that takes a solely automated significant decision, not just at the orchestrator output. To comply, the data controller must run a DPIA and put in place the controller-to-processor contracts that Article 28 UK GDPR requires at each agent step. Agentic systems run on autonomous orchestration: the orchestrator chooses which sub-agents to call at runtime, based on the input. If the data controller cannot show that the compliance package covers the runtime chain, the agentic AI data protection deployment may be unlawful processing. The ICO consultation on the draft Article 22 guidance closes on 29 May 2026; the final guidance follows in summer 2026.

The UK permits automated decisions subject to safeguards; the EU does not

DUAA 2025 section 80 substituted UK GDPR Article 22 with new Articles 22A to 22D, in force from 5 February 2026 by SI 2026/82. Article 22A redefines the thresholds: a decision is solely automated where there is no meaningful human involvement, and significant where it produces a legal or similarly significant effect for the data subject. Article 22B restricts solely automated decisions involving Article 9 special category data or the new Article 6(1)(ea) recognised legitimate interests ground. Article 22C lists the safeguards the data controller must put in place: information about the decision, the ability to make representations, human intervention and the right to contest. Article 22D empowers the Secretary of State to specify by regulation what counts as meaningful human involvement.

The unchanged EU GDPR Article 22 prohibits such decisions subject to three narrow conditions: contract, authorisation by EU or Member State law, or explicit consent. The UK has departed from that position. Articles 22A to 22D permit such decisions where the data controller applies the Article 22C safeguards. The UK has liberalised at the lawful-basis level; the EU has not.

Over the EU GDPR sits the EU AI Act, Regulation (EU) 2024/1689. The Act phases in from 2 February 2025 (Article 5 prohibitions) through 2 August 2025 (general-purpose AI obligations) and 2 August 2026 (most high-risk obligations). The Annex III high-risk list (employment, credit scoring, law enforcement, biometric identification, education, essential public and private services) overlaps the use cases that trigger Article 22 analysis. AI Act Article 14 (human oversight), Article 26 (deployer obligations) and Article 50 (transparency) apply in addition to Article 22, not as a substitute. EU agentic deployments engage both regimes; UK agentic deployments engage only Articles 22A to 22D plus any sector regulator overlay, including the ICO biometrics Code of Practice under SI 2026/425 from 12 May 2026.

Agentic AI data protection safeguards apply at each agent step

An agentic AI system is not a single model. An orchestrator calls sub-agents in sequence: retrieval tools, code executors, third-party APIs and further large language models. Each step processes personal data; the Article 22A test applies independently at each step that meets the threshold.

Take three examples. A consumer credit orchestrator that calls a fraud-scoring sub-agent before refusing the application: the sub-agent score is the load-bearing factor and Article 22A bites at the sub-agent step, not at the orchestrator. A recruitment orchestrator that calls a CV-ranking sub-agent to build the shortlist: Article 22A bites at the ranking step. An insurance underwriting orchestrator that calls several risk-scoring sub-agents in parallel: each may meet the Article 22A threshold on its own contribution.

Data minimisation under Article 5(1)(c) also runs per agent. An agentic pipeline that passes the full user context to every sub-agent breaches the principle even where each step is lawful. The orchestrator must decide what each sub-agent needs; each contract must enforce what each sub-agent may keep.

Data controller and processor allocation under Article 4 and Article 28 also runs per vendor. Where different third parties operate the orchestrator and the sub-agents, each provider determines how it processes data for the steps it carries out. The single-vendor allocation analysis the ICO ran in its Meta smart glasses enquiry does not transfer to a four-vendor agentic chain. The ICO Tech Futures: Agentic AI report of 8 January 2026 names these risks. The EDPS reached similar conclusions in its TechSonar 2025-2026 chapter on agentic AI of 24 November 2025. The draft Article 22 guidance does not address them.

Risk flagged in the ICO Tech Futures report (8 January 2026), and what the draft Article 22 guidance does on each point:

Risk: Data controller and processor responsibilities through the agentic supply chain.
Draft guidance: Treats the data controller and processor allocation as a single relationship between one data controller and one processor; does not address the multi-vendor agentic chain.

Risk: Larger volume of automated decision-making from rapid task automation.
Draft guidance: Sets the Article 22A trigger at the decision and does not address the per-step trigger in an agentic pipeline.

Risk: Purposes for agentic processing set too broadly to support general-purpose agents.
Draft guidance: Repeats the purpose-limitation requirement under Article 5(1)(b) without per-agent specification.

Risk: Processing of personal data beyond what is necessary for the task.
Draft guidance: Restates Article 5(1)(c) data minimisation; does not address per-agent scoping.

Risk: Unintended use or inference of special category data.
Draft guidance: Restates the Article 22B restriction where the processing involves Article 9 data; does not address inferred categories produced inside the pipeline.

Compliance requires per-agent DPIA and controller-to-processor contracts

To meet the Article 22C safeguards across an agentic pipeline, the data controller must run a DPIA under Article 35 UK GDPR and put in place compliant controller-to-processor contracts under Article 28 at each agent step. The DPIA must identify each agent step that processes personal data, each potential Article 22A trigger inside the pipeline, the data minimisation discipline at each handover, and the residual risk of inferred special category data. The Article 28 contract for each sub-agent provider must specify the categories of personal data the sub-agent receives, the purposes for which it may process and retain that data, the technical and organisational measures it applies, the sub-processor terms, and the return or deletion of data at the end of the interaction.

The Article 22C safeguards must attach to each significant decision the pipeline produces. The data controller must give information that covers each agent step the orchestrator relied on, not just the orchestrator output. The route to human intervention must reach the agent step that took the significant decision. The right to contest must apply to the agentic output, with a record of which agent step produced which contribution. The draft Article 22 guidance treats these obligations as belonging to the orchestrator alone. The agentic deployment requires them at each agent step.

The orchestration problem in agentic AI data protection

Agentic systems run on autonomous orchestration. The orchestrator chooses which sub-agents to call at runtime, not in advance. The same instruction may produce a different sub-agent chain on different runs, depending on the orchestrator’s reasoning, the tools available, and the intermediate outputs. The data controller cannot fully enumerate in advance which sub-agents will process which personal data on which decision.

A DPIA written before the system goes live captures the system as designed, but not the chain that actually ran when a particular significant decision was taken. An Article 28 contract package that binds the sub-agents in one expected chain may not bind a sub-agent the orchestrator calls only when the input takes a different path. The information the data controller gives the data subject under Article 22C, the route to human intervention and the contest path all attach to the step that actually drove the outcome; the data controller may not know which step that was without a runtime record.

If the data controller cannot show that the DPIA, the Article 28 contracts and the Article 22C safeguards cover the runtime chain that took the significant decision, the deployment may be unlawful processing under Articles 6 and 22 UK GDPR. The ICO can serve an information notice under section 142 DPA 2018 and a penalty notice under section 155 up to £17.5 million or 4% of worldwide turnover. From 19 June 2026, section 164A DPA 2018 (inserted by DUAA 2025 section 103) requires the data controller to acknowledge a data protection complaint within 30 days and respond without undue delay; the data subject can complain to the ICO under section 165 and seek compensation under UK GDPR Article 82.

The compliance package therefore has to be designed for the orchestration model, not just the use case. The DPIA must cover the orchestrator’s decision-making logic and the full set of sub-agents it can call. The Article 28 contract package must bind every sub-agent provider the orchestrator is permitted to call. The Article 22C safeguards must attach to the orchestrator’s reasoning trace, so the information, human intervention and contest route can be reconstructed for any specific significant decision after the event. AI and data governance advice on an agentic AI deployment covers these design steps. The same compliance challenge arises in payments under PSRs 2017 regulation 67, where AI agent consent is the open question.

Viewpoint

To deploy agentic AI lawfully under UK GDPR Articles 22A to 22D, the data controller has to do three things. First, control which sub-agents the orchestrator is permitted to call. If the set is unbounded, the compliance package cannot be either. Second, put a controller-to-processor contract under Article 28 in place with every one of those sub-agent providers before they are called. Third, run a DPIA that covers the orchestration itself: the orchestrator’s decision-making logic and the full set of sub-agents the orchestrator may call, not only the use case the system is built for. The UK regime gives the data controller more permission than its EU counterpart but no AI Act overlay to set the operational answers. Closing the gap is the data controller’s job. The ICO consultation closes on 29 May 2026 and the final guidance follows in summer 2026, but the agentic systems are deploying now.
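The three steps above, together with the per-agent data minimisation and the per-step runtime record the earlier sections call for, translate into concrete controls in the orchestrator itself. The following Python harness is an added illustration written for this page; it is not code from the article, from the ICO or from any vendor. It shows an orchestrator that (1) refuses to call any sub-agent outside a bounded registry, (2) requires an Article 28 contract reference for every registered sub-agent, (3) projects the applicant context down to the fields each sub-agent's contract covers before the call, and (4) writes a trace entry per step so the decision-capable step that drove an outcome can be reconstructed afterwards. The sub-agent names, contract references, scoring rules and applicant records are constructed placeholders.

```python
"""Orchestrator harness enforcing a sub-agent allowlist, per-agent data
minimisation and a per-step runtime trace. Constructed example: every agent
name, contract reference and scoring rule below is hypothetical."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class SubAgent:
    name: str
    contract_ref: str          # Article 28 contract on file (placeholder reference)
    allowed_fields: frozenset  # the only personal-data fields this agent may receive
    decision_capable: bool     # can this step's output alone decide the outcome?
    run: Callable[[dict], dict]


class UnregisteredSubAgent(Exception):
    """Raised when the orchestrator tries to call an agent outside the allowlist."""


def minimise(context: dict, allowed: frozenset) -> dict:
    """Article 5(1)(c) at the handover: keep only the fields the contract covers."""
    return {k: v for k, v in context.items() if k in allowed}


# --- hypothetical sub-agents (constructed scoring rules) --------------------
def fraud_score(data: dict) -> dict:
    score = min(1.0, data["recent_applications"] / 5)
    return {"fraud_score": score, "refuse": score >= 0.8}


def affordability(data: dict) -> dict:
    ratio = data["monthly_debt"] / max(data["monthly_income"], 1)
    return {"debt_ratio": ratio, "refuse": ratio > 0.5}


def address_lookup(data: dict) -> dict:
    return {"address_verified": data["postcode"].startswith("SW")}


# Bounded registry: the full set of sub-agents the orchestrator may ever call.
REGISTRY = {
    "fraud-scorer": SubAgent("fraud-scorer", "A28-PLACEHOLDER-1",
                             frozenset({"recent_applications"}), True, fraud_score),
    "affordability": SubAgent("affordability", "A28-PLACEHOLDER-2",
                              frozenset({"monthly_income", "monthly_debt"}), True, affordability),
    "address-check": SubAgent("address-check", "A28-PLACEHOLDER-3",
                              frozenset({"postcode"}), False, address_lookup),
}


def call_agent(name: str, context: dict, trace: list) -> dict:
    """Guarded call: allowlist check, contract check, minimisation, trace entry."""
    agent = REGISTRY.get(name)
    if agent is None:
        raise UnregisteredSubAgent(f"{name!r} is not in the allowlist")
    if not agent.contract_ref:
        raise UnregisteredSubAgent(f"{name!r} has no Article 28 contract on file")
    scoped = minimise(context, agent.allowed_fields)
    out = agent.run(scoped)
    trace.append({
        "step": len(trace) + 1,
        "agent": agent.name,
        "contract": agent.contract_ref,
        "fields_sent": sorted(scoped),   # the record of what each vendor received
        "output": out,
        "decision_capable": agent.decision_capable,
    })
    return out


def run_pipeline(applicant: dict) -> tuple:
    """Runtime chain: which sub-agents are called depends on intermediate outputs,
    so the trace, not the design document, is the record of the chain that ran."""
    trace: list = []
    if call_agent("fraud-scorer", applicant, trace)["refuse"]:
        return "refuse", trace
    if call_agent("affordability", applicant, trace)["refuse"]:
        return "refuse", trace
    call_agent("address-check", applicant, trace)
    return "approve", trace


def load_bearing_step(trace: list):
    """Article 22C reconstruction: the decision-capable step whose output drove
    the refusal, i.e. where information, human intervention and contest attach."""
    for entry in trace:
        if entry["decision_capable"] and entry["output"].get("refuse"):
            return entry
    return None


if __name__ == "__main__":
    # Constructed applicant record; 'name' is never passed to any sub-agent.
    applicant = {"name": "A. Example", "recent_applications": 5,
                 "monthly_income": 3000, "monthly_debt": 900, "postcode": "SW1A 1AA"}
    decision, trace = run_pipeline(applicant)
    print(decision, load_bearing_step(trace)["agent"])
```

The trace entries are what a data controller would retain per significant decision: they show which registered vendor received which fields under which contract and which step's output was load-bearing, which is the evidence needed to serve the Article 22C information, route human intervention to the right step and handle a contest after the event.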

Frequently asked questions about agentic AI data protection

What does the ICO Tech Futures report say about agentic AI?

The ICO published Tech Futures: Agentic AI on 8 January 2026. The report describes agentic AI as the combination of generative AI with tools and new ways of interacting with the world, and names the data protection risks: data controller and processor allocation through the supply chain, larger volumes of automated decision-making, purposes set too broadly, processing beyond what is necessary, inference of special category data, transparency and security in complex chains, and concentration of personal data in personal-assistant agents.

Does the new Article 22 framework under DUAA 2025 apply to agentic AI?

Yes. UK GDPR Articles 22A to 22D, substituted by DUAA 2025 section 80 and in force from 5 February 2026, apply to any decision based solely on automated processing that produces a legal or similarly significant effect for the data subject. The framework applies whether a single model or a multi-agent pipeline produces the decision. Article 22A bites independently at each agent step in the pipeline that meets the threshold.

Can a UK data controller deploy agentic AI lawfully when the orchestrator picks sub-agents at runtime?

Yes, but the compliance package has to be designed for the orchestration model. The DPIA must cover the full set of sub-agents the orchestrator can call, not only the common chain. The controller-to-processor contracts under Article 28 must bind every sub-agent provider the orchestrator is permitted to call. The Article 22C safeguards must attach to the orchestrator’s reasoning trace so the information, human intervention and contest route can be reconstructed for any specific significant decision. If the package does not cover the runtime chain, the deployment may be unlawful processing under Articles 6 and 22 UK GDPR.

When does the ICO ADM consultation close?

The ICO opened the consultation on the draft automated decision-making and profiling guidance on 31 March 2026. It closes on 29 May 2026. The ICO expects to publish final guidance in summer 2026. The draft guidance updates the position to reflect the DUAA 2025 changes and is the ICO’s first substantive interpretation of the new Article 22 framework.

What must a DPIA cover for an agentic AI deployment?

The DPIA under Article 35 UK GDPR must map each agent step that processes personal data, identify each potential Article 22A trigger inside the pipeline, set out the data minimisation discipline at each handover, address the inferred-special-category-data risk the ICO flagged in Tech Futures, describe the Article 22C safeguards, and cover the orchestrator’s decision-making logic and the full set of sub-agents the orchestrator can call.

For advice on agentic AI deployments, the DPIA package for a multi-vendor agentic build, or the controller-to-processor contract layer for sub-agent providers, contact Rob Bratby at Bratby Law.
