Guidance on AI and data protection

Guidance on AI and data protection is the Information Commissioner’s Office central framework on how UK GDPR and the Data Protection Act 2018 apply to AI systems that process personal data. It ‘covers what we think is best practice for data protection-compliant AI,’ and explains how the ICO interprets core principles, lawful bases, fairness, statistical accuracy, security, DPIAs and data subject rights in an AI lifecycle context (About this guidance, At a glance). The guidance combines conceptual chapters, an Annex on fairness in the AI lifecycle, an extensive glossary and a practical AI and data protection risk toolkit to support both ICO audits and organisations’ self-assessment. It is not a statutory code, but it signals how the ICO will assess AI systems and is now explicitly under review in light of the Data (Use and Access) Act 2025.