aigovernance.com

Global AI Regulation & Framework Directory

← Directory
GuidelineUK

UK ICO Guidance on Artificial Intelligence and Data Protection

UK ICO AI Guidance · Information Commissioner's Office (ICO)

The UK ICO's guidance on AI and data protection establishes how the UK GDPR and Data Protection Act 2018 apply to the design, development, and deployment of AI systems that process personal data.

Overview

The UK Information Commissioner's Office published its Guidance on Artificial Intelligence and Data Protection as a practical resource for organisations building or deploying AI systems that involve personal data. The guidance was developed following extensive consultation with industry, civil society, and academic stakeholders. It forms part of the ICO's broader AI and data protection audit framework and is intended to be read alongside the ICO's Explanatory AI (ExAI) guidance on explaining AI decisions. The guidance addresses the full AI lifecycle, from initial project scoping and data collection through to model training, deployment, and ongoing monitoring. It clarifies that existing UK GDPR obligations-including lawful basis, data minimisation, purpose limitation, accuracy, and accountability-apply fully to AI systems and cannot be treated as inapplicable simply because AI introduces probabilistic or opaque decision-making. The ICO emphasises that Data Protection Impact Assessments (DPIAs) are mandatory for high-risk AI processing, and that organisations must be able to demonstrate compliance through appropriate documentation, governance structures, and technical controls. The guidance also addresses specific risks associated with AI, including the potential for discriminatory outputs, security vulnerabilities in machine learning pipelines, and the challenges of meeting transparency and explainability obligations when using complex models such as deep neural networks. Updates have been issued periodically to reflect evolving technology and enforcement priorities, including dedicated sections on generative AI published in 2024.

Key Requirements

  • Identify and document a lawful basis under UK GDPR for all personal data processed in AI training, testing, and inference.
  • Conduct and document a Data Protection Impact Assessment (DPIA) before commencing high-risk AI processing activities.
  • Implement data minimisation and purpose limitation principles throughout the AI development lifecycle.
  • Ensure AI systems meet the UK GDPR accuracy principle; document how model accuracy is assessed and monitored.
  • Provide meaningful transparency to data subjects about automated processing, including in high-stakes automated decision-making contexts.
  • Comply with Article 22 UK GDPR restrictions on solely automated decision-making with significant effects, or establish a valid exemption.
  • Implement appropriate technical and organisational security measures for AI pipelines, including controls against adversarial attacks and data poisoning.
  • Maintain accountability documentation sufficient to demonstrate compliance to the ICO on request.
  • Assess and mitigate risks of discriminatory or biased outputs from AI systems.
  • Apply specific obligations when using generative AI, including assessment of training data sources and output risks.

Who It Affects

UK-established organisations developing or deploying AI systems that process personal data of UK residentsNon-UK organisations offering AI-driven products or services to UK data subjectsData processors providing AI services to UK data controllersTechnology vendors supplying AI components integrated into UK-facing servicesHR and people analytics teams using AI for workforce decisionsFinancial services, healthcare, and public sector organisations using AI for high-stakes decisions

Effective Date

2020-03-01

Official source →