UK GDPR and AI: What Businesses Need to Know

How UK GDPR applies to AI systems that process personal data.

UK GDPR applies to any AI system that processes personal data — which includes most business AI tools used to draft communications, analyse customer data, or assist with HR decisions. Key obligations: Article 22 gives individuals rights regarding automated decision-making; Article 5 data minimisation applies to data fed into AI systems; the ICO's AI guidance requires documenting the lawful basis for AI processing. Most UK SME AI use (drafting emails, summarising documents) doesn't trigger Article 22 provisions, but sharing personal data with third-party AI services requires a lawful basis and appropriate safeguards.

When UK GDPR applies to AI

UK GDPR applies whenever an AI system processes personal data — information that identifies or could identify a living person. This includes:

  • Entering customer names or email addresses into ChatGPT
  • Using AI to analyse employee performance data
  • AI chatbots that collect user information
  • AI tools that access your email, calendar, or contacts via OAuth

Article 22: automated decision-making

Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect them. This means:

  • AI-assisted hiring (CV screening, interview scoring) must include meaningful human oversight
  • Automated credit decisions must offer a human review mechanism
  • AI-driven customer service decisions that affect access to services need a human escalation path

Most SME AI use (content drafting, data analysis, meeting notes) does not trigger Article 22 because it doesn't make decisions that significantly affect individuals.

Data minimisation for AI

Article 5(1)(c) requires that personal data is adequate, relevant, and limited to what is necessary. When using AI tools:

  • Don't paste entire customer records into AI — only the data needed for the task
  • Anonymise or pseudonymise personal data before AI processing where possible
  • Don't use personal data for AI training without explicit consent or a legitimate interest assessment

Lawful basis for AI processing

Every use of personal data with AI needs a lawful basis under Article 6. The most common for businesses:

  • Legitimate interests (Article 6(1)(f)): most common for internal business AI use — must be balanced against individual rights
  • Consent (Article 6(1)(a)): needed for AI processing that goes beyond reasonable expectations
  • Contract performance (Article 6(1)(b)): where AI processing is necessary to fulfil a contract

ICO guidance on AI

The ICO recommends:

  • Document your AI processing activities in your records of processing
  • Conduct data protection impact assessments (DPIAs) for AI systems that process personal data at scale or make automated decisions
  • Be transparent — tell individuals when AI is used in decisions that affect them
  • Ensure fairness — test AI outputs for bias, particularly in recruitment and service access

Practical steps for UK SMEs

  1. Audit which AI tools process personal data (Governably automates this)
  2. Document the lawful basis for each AI processing activity
  3. Add AI processing to your privacy notices
  4. Implement human oversight for any AI-assisted decisions affecting individuals
  5. Review data processing agreements with AI tool providers

Does UK GDPR apply to AI?

Yes, to any AI system that processes personal data.

What is Article 22?

The right not to be subject to solely automated decisions with significant effects.

Do I need a DPIA for AI?

Yes, when AI processing is likely to result in high risk to individuals.

Can employees use ChatGPT with customer data?

Only with a lawful basis, a data processing agreement (DPA) with the provider, and appropriate safeguards.

What does the ICO say?

Document AI processing, conduct DPIAs for high-risk uses, ensure transparency.