Assess your AI compliance obligations

If your business uses artificial intelligence — whether a chatbot handling customer enquiries, an algorithm screening job applicants, or a machine learning model assessing credit risk — you already have compliance obligations. There is no single AI Act in the UK. Instead, existing regulators apply their own rules to AI within their domains.

This means the obligations that apply to you depend on what your AI does, who it affects, and what data it processes. A recruitment AI triggers employment and equality law. A customer-facing AI processing personal data triggers data protection law. An AI controlling safety-critical equipment triggers health and safety law.

This guide walks you through a structured assessment so you can identify which obligations apply, which regulators oversee your use of AI, and what steps you need to take to comply.

The UK's approach to AI regulation

The UK government has adopted a pro-innovation, sector-specific approach to AI regulation. Rather than creating a single AI regulator or a comprehensive AI Act, the government has asked existing regulators to apply five cross-cutting principles to AI within their remits.

This means the ICO regulates AI that processes personal data, the Equality and Human Rights Commission (EHRC) oversees AI that affects equality, and the Health and Safety Executive (HSE) covers AI in safety-critical environments. Understanding which regulators have jurisdiction over your AI systems is the first step in assessing your obligations.

UK AI five principles

The UK government's five cross-cutting principles for AI regulation.

The UK's pro-innovation approach to AI regulation is guided by five cross-cutting principles that existing regulators must apply in their domains:

Principle 1: Safety, security, robustness: AI should function securely and as intended throughout its lifecycle
Principle 2: Transparency and explainability: AI decisions should be understandable and explainable to affected parties
Principle 3: Fairness: AI should not discriminate unfairly or produce biased outcomes
Principle 4: Accountability and governance: Clear ownership of AI outcomes with effective oversight
Principle 5: Contestability and redress: Ability to challenge AI decisions and seek remedies

How it works: Unlike the EU AI Act, the UK has no horizontal AI-specific legislation. Instead:

Existing regulators (FCA, ICO, MHRA, CMA, Ofcom) apply these principles in their sectors
The AI Safety Institute provides guidance on frontier AI models
Sector-specific rules apply (e.g., FCA on algorithmic trading, ICO on automated decisions)

AI Safety Institute

How to assess your AI compliance obligations

Work through these six steps to build a clear picture of what your business must do. Each step builds on the previous one, so complete them in order.

ICO data protection requirements for AI

If your AI processes personal data, the ICO expects you to meet specific requirements beyond standard UK GDPR compliance. These address the particular risks that AI poses to individuals' rights and freedoms.

ICO AI and data protection requirements

Data protection obligations when processing personal data using AI systems, including DPIA requirements and the ICO's developing statutory AI code of practice.

Any AI system that processes personal data must comply with UK GDPR and DPA 2018. The ICO is the primary regulator for AI data protection compliance and is developing a statutory AI code of practice.

Lawful basis required: All AI processing of personal data requires a lawful basis under UK GDPR Article 6 (and Article 9 for special category data)
DPIA mandatory when: AI processing likely to result in high risk to individuals' rights and freedoms (UK GDPR Article 35) — includes profiling, large-scale processing, automated decision-making
Transparency: Privacy notices must describe AI use, including logic involved in automated decisions and their significance (UK GDPR Articles 13-14)
Automated decision-making: DUAA 2025 reforms (from 5 February 2026): significant automated decisions permitted on any lawful basis with safeguards — right to human intervention, right to express views, right to contest
ICO AI code of practice: Government committed during DUAA passage to ask ICO to produce statutory code of practice on AI (consultation expected, no date confirmed)
ICO AI risk toolkit: AI and data protection risk toolkit available for organisations conducting AI-specific DPIAs
Maximum penalty: Up to 17.5 million GBP or 4% of annual worldwide turnover (whichever higher)

DPIA requirements for AI systems

A Data Protection Impact Assessment is mandatory for most AI systems that process personal data. The assessment must be conducted before the processing begins and reviewed whenever the processing changes significantly.

AI-specific DPIA considerations

When and how to conduct a Data Protection Impact Assessment for AI systems processing personal data, including AI-specific considerations.

A Data Protection Impact Assessment (DPIA) is mandatory for AI systems that process personal data in ways likely to result in high risk to individuals' rights and freedoms. The ICO provides AI-specific DPIA guidance.

When mandatory: AI processing involving profiling, large-scale processing of special category data, systematic monitoring of public areas, or automated decision-making with legal/significant effects
AI-specific considerations: Algorithmic fairness, training data quality and representativeness, model accuracy and error rates, explainability, automated decision safeguards, data minimisation in training
ICO risk toolkit: AI and data protection risk toolkit provides structured assessment framework for AI-specific DPIAs
Timing: Must be conducted before AI processing begins — not retrospectively
Consultation: Must consult the ICO if DPIA indicates high risk that cannot be mitigated
Review: DPIAs must be kept under review — reassess when AI system changes significantly (new training data, model updates, expanded use)

Equality and discrimination obligations

The Equality Act 2010 applies to AI in the same way it applies to human decision-making. If your AI produces outcomes that disproportionately disadvantage people with protected characteristics, you may be liable for indirect discrimination even if the algorithm was not designed to discriminate.

ℹ️ Enforcement risk from multiple regulators

Official guidance and legislation

ICO: Guidance on AI and data protection
ICO guidance on using AI whilst complying with data protection law.
ico.org.uk
EHRC: Equality and Human Rights Commission
EHRC homepage with links to AI and equality guidance.
gov.uk
DSIT: AI Regulation White Paper
The UK government's framework for AI regulation.
gov.uk
UK General Data Protection Regulation (legislation.gov.uk)
Full text of UK GDPR.
legislation
Equality Act 2010 (legislation.gov.uk)
Full text of the Equality Act 2010.
legislation

Business Context Testing

Content Graph

Guvnor

Assess your AI compliance obligations

The UK's approach to AI regulation

How to assess your AI compliance obligations

ICO data protection requirements for AI

DPIA requirements for AI systems

Equality and discrimination obligations

ℹ️ Enforcement risk from multiple regulators

Compliance Assistant

🧪 Business Context Testing

◉ Content Graph

The UK's approach to AI regulation

How to assess your AI compliance obligations

ICO data protection requirements for AI

DPIA requirements for AI systems

Equality and discrimination obligations

ℹ️ Enforcement risk from multiple regulators

Related guides in Compliance & Legal

Business Context Testing

Content Graph