Big data and algorithmic decision-making created a category of responsibility that did not exist a generation ago. We have watched it emerge over three decades, from a time when the binding constraint was how little data and compute we had, to a present in which institutions hold more information about individuals than those individuals hold about themselves, and act on it automatically at a scale no human process could match. The question worth discussing, and the one we raise with students from A-level upward, is no longer whether we can mine and decide at this scale. We plainly can. The question is what we owe the people whose lives sit inside the data, and whether our habits of foresight have kept pace with our capacity to act.

The frameworks we built, and their limits

Regulation has matured, and the maturation is real. Privacy law extended to the new scale, most visibly through the General Data Protection Regulation in 2018, which gave individuals rights over their data and placed limits on decisions made about them by machines alone. The European Union’s Artificial Intelligence Act, in force since 2024 and phasing in over the following years, went further: the first comprehensive law of its kind, it sorts systems by the risk they pose and attaches obligations of transparency, human oversight, and explainability where the stakes are highest. A generation ago none of this existed. Overall, the frameworks have grown more sophisticated and more aware of algorithmic harm than anything available when these methods were new.

These frameworks have limits worth being honest about. Law lags the technology it governs, and it does not move in one direction. The United Kingdom’s Data (Use and Access) Act 2025 recalibrated the national rules, easing the general restriction on solely automated decisions while keeping safeguards such as human intervention and the right to contest, and the result is that the UK and the EU now diverge on how far a machine may decide a person’s case unaided. A framework that shifts, and that differs across borders, is a floor that moves. Treating it as the whole of one’s duty is a mistake.

Compliance is a floor, not a ceiling

What follows is the argument we most want to make. Compliance is a floor, not a ceiling. The responsibility carried by the people who build these systems (the developers, the data-mining firms, the customer-facing companies that hold the records) extends beyond the letter of whatever law currently applies, to the foreseeable effect of what they build and mine on the people represented in the data. Most of those people never agreed to be modelled. They did not choose to become a row in a training set, a score in a risk model, or a segment in a retention strategy. That they can be is a fact of the infrastructure. Whether they should be, and on what terms, is a judgement the law only partly settles and that the practitioner cannot fully delegate to it.

The lesson of the past

What we draw from the past is a lesson about the order in which problems were addressed. For most of the period we have watched, harms were dealt with after they surfaced. A misuse of data came to light, public concern followed, and regulation arrived to close the gap the misuse had revealed. That pattern was reactive, and each cycle left real damage behind before the correction came. A mature stance, and the one the field is slowly learning, is foresight: asking what a system could do to the people it touches before it is deployed, building in the ability to explain and to contest a decision from the start, and treating the privacy and fairness of individuals as design constraints rather than as liabilities to be managed once they become visible. Anticipation is harder than reaction. It is also the only approach that prevents the harm rather than apologising for it.

What we have learned, and where to go

We have become stronger on this, and the progress deserves honest acknowledgement. These protections, the rights to explanation and contestation, the requirements of transparency and oversight, did not exist when the methods were young, and their arrival has improved the position of the individual against the institution. Deeper progress, where it has happened, has been cultural rather than legal: a growing recognition among the people who build these systems that the impact of their work on the people in the data is part of their professional responsibility, not a compliance department’s problem. That recognition is uneven, and it is the thing most worth strengthening.

This is the discussion we have with students from A-level upward, and we have it early on purpose. The next generation of developers and analysts will hold more data, and more power to act on it, than any before them. If they learn from the start that foresight is part of the craft, that the question is not only whether something can be done but what it does to the people it touches, they will build differently from the generations that learned those lessons in hindsight. Our capacity to mine and decide at scale is settled. What comes with it, the responsibility, is the part still being learned, and the part worth teaching first.