AI regulation

AI compliance checklist

Quick verification checklist covering all major AI compliance obligations. Use this checklist to confirm your business meets its data protection, equality, transparency, oversight, and record-keeping obligations when using AI systems.

UK-wide
Guide summary

Check your business follows the rules when using AI systems. You must protect data, treat people fairly, explain how your AI works, and keep records. If you break the rules, regulators can fine you.

  • Check your AI follows data protection laws
  • Ensure your AI decisions are fair and not biased
  • Explain how your AI makes decisions when asked
  • Assess and reduce risks from using AI
  • Keep records of how you use AI
  • Follow the UK's 5 AI principles for safety and fairness
  • Fines can be up to £17.5 million for data breaches
  • Other regulators can impose unlimited fines
  • Use the linked guides for more detailed help
  • Rules may become law by 2026

Use this checklist to verify that your business meets its AI compliance obligations. It covers the key requirements from data protection law, equality law, health and safety law, and the UK's AI regulatory principles.

Work through each section and resolve any gaps before moving on. If you identify areas where you are not compliant, refer to the detailed guidance linked at the end of this checklist.

Data protection

  1. Data Protection Impact Assessment completed for each AI system that processes personal data

     A DPIA is mandatory for AI systems involving automated decision-making, profiling, large-scale processing of special category data, or systematic monitoring. Complete the DPIA before the processing begins.

  2. Lawful basis identified and documented for AI processing of personal data

     Record the lawful basis (consent, legitimate interest, contract, legal obligation, vital interests, or public task) for each AI system that processes personal data. If relying on legitimate interests, complete a legitimate interests assessment.

  3. Privacy notices updated to disclose AI and automated decision-making

     Your privacy notices must tell individuals about the existence of automated decision-making, give meaningful information about the logic involved, and describe the significance and envisaged consequences for them.

  4. Data minimisation applied to AI training and input data

     Only use personal data that is necessary for the AI system's purpose. Review whether the AI can achieve the same results with less data, anonymised data, or synthetic data.

  5. Data retention periods defined for AI-related personal data

     Set and document retention periods for training data, input data, output data, and model parameters. Delete personal data when it is no longer needed for the stated purpose.

Equality and fairness

  1. Equality impact assessment completed for AI decisions affecting people

     Assess whether your AI system could directly or indirectly discriminate on any of the nine protected characteristics under the Equality Act 2010. Document your assessment and any mitigating measures.

  2. Bias testing conducted across protected characteristics before deployment

     Test your AI outputs for disparate impact across age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation.

  3. Ongoing bias monitoring in place for live AI systems

     Monitor AI decisions in production for emerging bias patterns. Set thresholds that trigger investigation and remediation. Document monitoring results.

Transparency and explainability

  1. Individuals informed when they are interacting with or subject to AI decisions

     Tell people when they are dealing with an AI system and when AI is used to make or support decisions about them. This applies to customer-facing chatbots, automated recruitment screening, credit decisions, and any other AI that affects individuals.

  2. Meaningful explanations available for AI decisions that affect individuals

     You must be able to explain how a specific AI decision was reached in terms the affected person can understand. Design explainability into your AI systems from the start. Counterfactual and feature-importance explanations are both acceptable approaches.

  3. Process for human review and contestation of AI decisions in place

     Individuals have the right to obtain human intervention, express their point of view, and contest automated decisions that produce legal or similarly significant effects. Ensure you have a clear, accessible process for this.

Risk and safety

  1. Risk assessment includes AI-specific risks for safety-critical applications

     If your AI controls or influences safety-critical processes (machinery, vehicles, medical devices, building systems), your risk assessment under the Health and Safety at Work etc. Act 1974 must specifically address AI failure modes, including unexpected outputs, data quality issues, and adversarial attacks.

  2. Human oversight proportionate to the risk level of each AI system

     Higher-risk AI decisions require more human oversight. Fully automated decisions with significant consequences should have a human-in-the-loop who can intervene. Lower-risk decisions may use human-on-the-loop monitoring with escalation triggers.

  3. Incident response plan covers AI failures and harmful outputs

     Your incident response plan should include procedures for AI systems producing harmful, biased, or incorrect outputs. Define who is responsible, how affected individuals are notified, and how the AI system is corrected or suspended.

Governance and record-keeping

  1. Named person accountable for each AI system

     Assign a named individual with authority and responsibility for each AI system. This person must be able to explain what the AI does, what risks it poses, and what safeguards are in place.

  2. AI system inventory maintained and kept current

     Maintain a register of all AI systems in use, including third-party AI services. For each system, record its purpose, data inputs, decision outputs, affected individuals, relevant regulators, and governance arrangements.

  3. Records of AI decisions, testing, and governance maintained

     Keep records of AI decisions and the rationale behind them, bias testing results, DPIAs, complaints and outcomes, and governance meeting minutes. Retain records for at least the life of the AI system plus any relevant limitation period.

  4. Regular review of AI systems and governance framework scheduled

     Review each AI system and your overall governance framework at least annually, or when you deploy a new AI system, significantly change an existing one, or become aware of new regulatory guidance.

The UK's five AI regulatory principles

Your compliance arrangements should align with the five principles that guide all UK regulators in their approach to AI.

Enforcement and penalties

Multiple regulators can take enforcement action if your AI systems breach their requirements. The penalties vary by regulator and the severity of the breach.

Act on compliance gaps immediately

If you identified gaps in any section, address them as a priority. AI compliance failures can trigger enforcement action from multiple regulators simultaneously. The ICO, EHRC, FCA, HSE, and CMA all have powers to investigate and sanction businesses that fail to manage AI responsibly. Do not wait for a complaint or investigation to act — regulators expect proactive compliance.

Related guidance

Official guidance and legislation