Use this checklist to verify that your business meets its AI compliance obligations. It covers the key requirements from data protection law, equality law, health and safety law, and the UK's AI regulatory principles.

Work through each section and resolve any gaps before moving on. If you identify areas where you are not compliant, refer to the detailed guidance linked at the end of this checklist.

Data protection

Equality and fairness

Transparency and explainability

Risk and safety

Governance and record-keeping

The UK's five AI regulatory principles

Your compliance arrangements should align with the five principles that guide all UK regulators in their approach to AI.

UK AI regulatory principles

The five cross-cutting principles that existing sector regulators are expected to apply to AI within their remits, as established in the March 2023 AI White Paper and confirmed in the February 2024 government consultation response.

The UK government's AI regulatory framework is based on five cross-cutting principles that existing sector regulators must apply within their remits. These principles were established in the March 2023 White Paper and confirmed in the February 2024 consultation response.

The principles are not currently on a statutory footing. Regulators are expected to apply them but are not legally required to do so. The government has announced that a comprehensive AI Bill (expected second half of 2026) may place these principles on a statutory basis.

Principle 1: Safety, security and robustness — AI systems should function in a robust, secure and safe way throughout their lifecycle
Principle 2: Appropriate transparency and explainability — people should be able to access information about AI systems that affect them
Principle 3: Fairness — AI systems should not undermine legal rights, discriminate unfairly, or create unfair market outcomes
Principle 4: Accountability and governance — governance measures should ensure effective oversight with clear lines of accountability
Principle 5: Contestability and redress — people should be able to contest AI outcomes where rights have been violated or harm has occurred
Statutory basis: Non-statutory (regulators expected to apply, not legally required)
White Paper published: 29 March 2023
Consultation response: 6 February 2024
DSIT regulator support funding: 10 million GBP to boost regulator AI capabilities

Enforcement and penalties

Multiple regulators can take enforcement action if your AI systems breach their requirements. The penalties vary by regulator and the severity of the breach.

AI enforcement penalties by UK regulator

Maximum penalties each UK regulator can impose for AI-related non-compliance.

AI non-compliance can trigger enforcement from multiple regulators, each with distinct penalty frameworks. The regulator that acts depends on which aspect of AI use causes the breach.

ICO (data protection): Up to 17.5 million GBP or 4% of annual worldwide turnover (whichever higher)
Ofcom (online safety): Up to 10% of qualifying worldwide revenue or 18 million GBP (whichever greater)
CMA (digital markets): Up to 10% of global turnover for SMS conduct requirement breaches
FCA (financial services): Unlimited (determined by FCA enforcement policy)
MHRA (medical devices): Unlimited fine and/or imprisonment (criminal offence)
HSE (workplace safety): Unlimited fine and/or imprisonment for serious offences
EHRC (equality): Employment Tribunal awards, EHRC investigation and enforcement action
EU AI Act (if serving EU market): Up to 35 million EUR or 7% of global turnover for prohibited AI practices

⚠️ Act on compliance gaps immediately

If you identified gaps in any section, address them as a priority. AI compliance failures can trigger enforcement action from multiple regulators simultaneously. The ICO, EHRC, FCA, HSE, and CMA all have powers to investigate and sanction businesses that fail to manage AI responsibly. Do not wait for a complaint or investigation to act — regulators expect proactive compliance.

Related guidance

Assess your AI compliance obligations for a step-by-step assessment of which obligations apply to your business
Set up an AI governance framework for detailed guidance on accountability, transparency, fairness, and record-keeping
AI transparency and explainability obligations for practical approaches to explaining AI decisions

Official guidance and legislation

ICO: Guidance on AI and data protection
Comprehensive ICO guidance on AI and data protection.
ico.org.uk
EHRC: Equality and Human Rights Commission
EHRC homepage with links to AI and equality guidance.
gov.uk
HSE: Regulatory approach to artificial intelligence
HSE statement on regulating AI in workplace safety.
hse.gov.uk
UK General Data Protection Regulation (legislation.gov.uk)
Full text of UK GDPR.
legislation
Equality Act 2010 (legislation.gov.uk)
Full text of the Equality Act 2010.
legislation
Health and Safety at Work etc. Act 1974 (legislation.gov.uk)
Full text of HSWA 1974.
legislation

Legal basis

Primary legislation

Other legislation

Official guidance

Regulator guidance to help you understand your obligations.

UNDER CONSTRUCTION

Content Graph

Guvnor

AI compliance checklist

Data protection

Equality and fairness

Transparency and explainability

Risk and safety

Governance and record-keeping

The UK's five AI regulatory principles

Enforcement and penalties

⚠️ Act on compliance gaps immediately

Related guidance

Compliance Assistant

🚧 UNDER CONSTRUCTION

◉ Content Graph

Data protection

Equality and fairness

Transparency and explainability

Risk and safety

Governance and record-keeping

The UK's five AI regulatory principles

Enforcement and penalties

⚠️ Act on compliance gaps immediately

Related guidance

Related guides in Compliance & Legal

UNDER CONSTRUCTION

Content Graph