ICO Artificial Intelligence Data Protection Rules & Enforcement

Updated: June 2026

The UK’s Information Commissioner’s Office (ICO) is the primary data protection regulator for AI in the UK. Its rules apply to any organisation that uses AI to process personal data, from building foundation models to deploying automated hiring tools or facial recognition systems.

Key Takeaways

The Data (Use and Access) Act 2025, which came into law on 19 June 2025, changes how UK GDPR applies to automated decision-making, creating a more permissive framework but with new individual rights safeguards.

The ICO is developing a statutory Code of Practice on AI and Automated Decision-Making, required under the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026. Final guidance is expected in Summer 2026.

The ICO is actively engaging with 11 major AI foundation model developers and has taken enforcement action against organisations using biometric technologies without adequate legal grounds, including Clearview AI and Serco Leisure.

What is the ICO’s role in regulating artificial intelligence?

The ICO is the UK’s independent supervisory authority for data protection, and its jurisdiction over AI comes directly from this remit. Any AI system that processes the personal data of UK residents falls under UK GDPR and the Data Protection Act 2018, both of which the ICO enforces.

The ICO does not regulate AI as a technology in general. Its authority is tied specifically to personal data. When an AI system trains on personal data, generates outputs containing personal data, or makes decisions about individuals, those activities must comply with data protection law. The ICO sets expectations, issues guidance, and can fine organisations that fall short.

The ICO’s current strategy, titled “Preventing harm, promoting trust,” covers its AI and biometrics work through 2026. Priority areas include generative AI, foundation models, automated decision-making, agentic AI, AI and children, AI and online safety, police use of biometric technologies, and recommender systems.

What does the Data (Use and Access) Act 2025 change for AI?

The Data (Use and Access) Act (DUAA) became law on 19 June 2025. It amends but does not replace the UK GDPR, the Data Protection Act 2018, and PECR.

For AI, the most significant change is to the automated decision-making regime. The DUAA creates a more permissive framework for organisations to make decisions based solely on automated processing that have legal or similarly significant effects on individuals. This relaxes some restrictions under Article 22 of the UK GDPR but introduces new safeguards, including clearer rights for individuals to obtain human review and to contest automated decisions.

The first DUAA provisions came into force on 20 August 2025. Key automated decision-making provisions in Part 2 of the Act came into force on 1 December 2025. The ICO’s AI and data protection guidance is currently under review to reflect these changes. Organisations should check the ICO’s website for updated guidance before finalising their AI compliance frameworks.

The DUAA also created the statutory basis for the ICO’s Code of Practice on AI and Automated Decision-Making, formally required by the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026.

What does the ICO’s AI and data protection guidance require?

The ICO’s detailed guidance on AI and data protection explains how UK GDPR’s core principles apply to AI systems throughout their lifecycle, from training data to deployment. This guidance covers lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and security as they apply in AI contexts.

What lawful basis do organisations need to process data in AI systems?

Every use of personal data in an AI system requires a lawful basis under UK GDPR. The appropriate basis can differ between the development phase (training a model) and the deployment phase (running the model on live data). Organisations must identify and document the correct basis for each processing activity.

Consent is generally unsuitable for AI training data at scale. Most organisations rely on legitimate interests, which requires a documented legitimate interests assessment (LIA) to demonstrate that the organisation’s interests do not override the rights of the individuals whose data is used.

Special category data, such as biometric data, health information, or data about ethnicity, requires both a lawful basis and a separate Article 9 condition. The ICO’s biometric recognition guidance covers these requirements in detail and is particularly relevant to organisations that use facial, voice, or fingerprint recognition systems.

What does the ICO say about generative AI and foundation models?

In 2024, the ICO ran a five-part consultation series on generative AI and data protection, covering lawful basis, purpose limitation, accuracy, individual rights, and how to engineer individual rights directly into generative AI models. The ICO published its response to the full consultation series, setting out how data protection law applies to generative AI development and use, and committed to updating guidance to reflect the findings.

Separately, the ICO is engaging directly with 11 major AI foundation model developers. It is building evidence around their approaches to data protection compliance and seeking assurances that personal data used in model training is properly safeguarded, including controls to prevent the reproduction of sensitive information. The ICO has commissioned research into data protection harms across the foundation model lifecycle. Updated guidance on generative AI is expected following the DUAA 2025 changes.

What is the ICO’s Code of Practice on AI and Automated Decision-Making?

The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 formally require the ICO to produce a statutory Code of Practice on AI and ADM. Once finalised, this code will provide authoritative guidance on what good practice looks like for organisations developing or deploying AI that affects individuals.

The code will cover transparency and explainability, bias and discrimination, and rights and redress.

What does the draft ADM guidance cover?

In March 2026, the ICO launched a public consultation on its draft guidance on automated decision-making, including profiling. The consultation closed in May 2026, and the final guidance is expected in Summer 2026.

The draft guidance reflects the DUAA 2025 changes to the UK GDPR ADM regime. It addresses when automated decisions are permissible, what information individuals must receive, how organisations should handle objections and requests for human review, and what safeguards apply when special category data is involved.

What are the rules for automated decisions in recruitment?

The ICO’s “Recruitment Rewired” project examined how employers use automated decision-making in hiring. Between March 2025 and January 2026, the ICO engaged with over 30 employers and identified recurring problems: insufficient transparency with candidates, inconsistent human oversight, and poor monitoring for bias.

The ICO’s position is that automated decisions in recruitment must be fair, transparent, and contestable. Candidates must be told that automated processing is taking place and what it involves. Any significant decision, such as shortlisting or rejection, must be reviewable by a human on request.

What is agentic AI and how does the ICO regulate it?

Agentic AI refers to AI systems that can act autonomously, pursue goals across multiple steps, and make decisions without ongoing human instruction. In January 2026, the ICO published a “tech futures” report on agentic AI, identifying a range of data protection risks organisations must address.

Key concerns include:

• Difficulties determining who holds data controller and processor responsibilities across the agentic AI supply chain

• A significant increase in automated decision-making as agents carry out complex, multi-step tasks

• Processing purposes set too broadly, making purpose limitation difficult to enforce

• Systems processing more personal data than is necessary for the task

• The potential for unintended processing of special category data

• Reduced transparency, making it harder for individuals to exercise their data rights

• New cybersecurity vulnerabilities arising from the autonomous nature of agentic systems

Dedicated ICO guidance on agentic AI is planned as part of its 2026/27 work programme.

How does the ICO regulate biometric technologies and facial recognition?

Biometric recognition is a high-priority area for the ICO. Its biometric data guidance covers what biometric data is, when it qualifies as special category data requiring heightened protection, and how to demonstrate lawful processing under UK GDPR.

The ICO has been conducting audits of police use of live facial recognition technology, examining whether forces meet their data protection obligations. A public outcomes report from these audits is planned for later in 2026. In March 2026, the ICO published a blog reaffirming that data protection lies at the heart of responsible police use of facial recognition, regardless of any future legislative changes.

The ICO also responded to the Home Office consultation on a new legal framework for law enforcement use of biometric technologies, setting out its expectations for any future legislation in this area.

What enforcement action has the ICO taken on AI?

The ICO has taken enforcement action in several AI and biometrics cases:

Clearview AI – the ICO fined Clearview AI for scraping facial images from the internet to build a facial recognition database, finding that the company had no lawful basis for processing UK residents’ biometric data.

Serco Leisure – the ICO ordered Serco Leisure to stop using facial recognition and fingerprint scanning to monitor employee attendance. The ICO found that Serco had not met the conditions for processing biometric data and had not properly considered less intrusive alternatives.

Snap – the ICO intervened over data protection concerns related to Snap’s AI chatbot, examining how the feature processed users’ personal data, including that of children.

These cases show that the ICO will act where AI systems process biometric or sensitive data without adequate legal grounds or safeguards, regardless of the size of the organisation involved.

What tools does the ICO provide to help organisations comply?

The ICO provides two practical resources for assessing AI compliance risk:

AI and Data Protection Risk Toolkit – helps organisations identify risks to individual rights in AI and data analytics projects. It generates customised reports with practical recommendations. Consulting a Data Protection Officer when using this toolkit is recommended, particularly for higher-risk AI applications.

Data Analytics Toolkit – creates tailored advice for data analytics projects, covering the main data protection risks that arise when personal data is analysed at scale.

The ICO also publishes detailed guidance on Explaining Decisions Made with AI, which helps organisations communicate how their AI systems work to affected individuals in a way that meets UK GDPR transparency obligations.

What are the ICO’s AI priorities for 2026 and beyond?

The ICO’s March 2026 strategy update sets out its work programme for the year ahead:

• Finalise the AI and ADM Code of Practice following public consultation

• Publish dedicated guidance on agentic AI

• Continue engaging foundation model developers and publish findings

• Complete audits of police facial recognition use and publish outcomes

• Support consumers navigating AI-personalised services and recommender systems

• Respond to the government’s work on safe AI-powered innovation

In May 2026, the ICO submitted its response to the government’s consultation on safe AI-powered innovation, setting out why data protection and AI development are compatible and arguing that public trust depends on clear rules and consistent enforcement.

The DUAA 2025 guidance updates covering the new ADM regime, together with the AI Code of Practice, will be the dominant compliance developments for organisations using AI throughout 2026. Organisations that process personal data through AI systems should monitor updates to ICO guidance closely, as several key documents are expected before the end of the year.

Conclusion

The ICO’s approach to AI is grounded in data protection law. For any organisation that uses AI to process the personal data of UK residents, the UK GDPR and the Data Protection Act 2018 apply, and the ICO is actively developing and enforcing rules in this space.

The Data (Use and Access) Act 2025, the forthcoming Code of Practice on AI and ADM, and the ICO’s ongoing engagement with foundation model developers all point in the same direction: compliance expectations for AI are becoming more specific.

Frequently Asked Questions

What is the ICO’s role in AI regulation?

The ICO regulates AI through its data protection remit. Any AI system that processes the personal data of UK residents must comply with UK GDPR and the Data Protection Act 2018. The ICO sets guidance, conducts audits, and can issue fines for non-compliance.

Does the Data (Use and Access) Act 2025 affect AI compliance?

Yes. The DUAA 2025, which came into law on 19 June 2025, changes the UK GDPR framework for automated decision-making. It creates a more permissive regime for ADM but introduces new individual rights. The ICO is updating its AI guidance to reflect these changes, with final ADM guidance expected in Summer 2026.

What is the ICO Code of Practice on AI and ADM?

The Data Protection Act 2018 (Code of Practice on AI and ADM) Regulations 2026 require the ICO to produce a statutory Code of Practice on AI and Automated Decision-Making. A public consultation on draft guidance ran to May 2026, with the final version expected in Summer 2026. The code will cover transparency, bias mitigation, and individual rights.

How does the ICO address bias in AI systems?

The ICO’s draft ADM guidance and the forthcoming Code of Practice both address bias and discrimination as core requirements. Its “Recruitment Rewired” project, which engaged over 30 employers between March 2025 and January 2026, found widespread gaps in the monitoring of bias in automated hiring tools. Organisations must document how they identify and mitigate bias in AI systems.

What practical tools does the ICO provide for AI compliance?

The ICO provides the AI and Data Protection Risk Toolkit and the Data Analytics Toolkit, both of which are available on its website. It also publishes guidance on how to explain AI decisions to affected individuals. These help organisations assess compliance risks and meet their obligations under UK GDPR.

About the Author

Zlatko Delev

Country Manager & Head of Commercial — GDPRLocal

Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.