AI and GDPR: Where Does Data Protection Stand?

Data protection concerns are advancing as AI applications surge. Discover what regulations are in place and how the UK GDPR needs better provisions for AI.


Artificial intelligence (AI) holds great power but carries an even bigger risk. It can influence decisions, store personal data, aid cyber crime and put human lives at risk.

These AI threats will keep advancing – unless we act. So far, we’ve seen some developments in the regulatory space, but are there enough to keep society safe?

Here, we delve into the measures taken to regulate AI and how the UK GDPR can help organisations align with future plans. 

Is AI Regulated Globally?

In March 2024, the United Nations (UN) General Assembly sanctioned a draft resolution to bridge the technological development divide between and within countries.

It also urges all states, the private sector, media, researchers and society to “develop and support regulatory and governance approaches and frameworks related to safe, secure and trustworthy use of AI” (UN General Assembly).

This landmark resolution will be a framework for addressing AI challenges and governing it under human rights and freedoms. 

Globally, the EU is leading in regulations with its first-ever AI legal framework. In 2026, the EU AI Act ensures that AI development prioritises individuals’ rights, safety and health while maximising its growth potential. Learn more about the EU AI Act in our previous blog.  

The US has no AI compliance frameworks but published a Blueprint for an AI Bill of Rights (2022) to protect its citizens from AI misuse. More recently, the Biden administration formed the US AI Safety Institute in February of this year to develop risk management, safety, and security guidelines.

Other countries, such as China, have also implemented stricter rules on the use of generative AI. This legislation is non-technical, placing controls primarily on AI creators.

Does the UK Have AI Regulations?

In 2021, the government published the National AI Strategy, setting a 10-year plan for maximising artificial intelligence through set rules and governance. Later, in 2023, it published a white paper expanding its proposals for governing and regulating AI.

In the white paper, the government proposed five principles to inform the development and use of AI in all sectors:

  1. Safety, security and robustness
  2. Appropriate transparency and explainability
  3. Fairness
  4. Accountability and governance
  5. Contestability and redress

Several regulators, including the ICO, have taken action regarding the proposed approach, and many other UK regulators are set to publish updates very shortly. 

While there are no new regulations, the UK government has set up a new central function to identify and assess AI risks, improve regulatory collaboration and fill potential gaps. 

What Impact Will the UK GDPR Have on AI?

The government’s approach to regulating AI is promising, but how can organisations safely use AI technologies now and remain compliant? 

Organisations compliant with the UK GDPR are on a better track, but more guidance is needed on protecting personal data when using AI. The challenges include:

  • Transparency: While the GDPR grants rights concerning automated decision-making and profiling, it may not ensure transparency across all AI applications.
  • Bias and discrimination: Despite limiting sensitive personal data processing, the GDPR doesn’t directly address potential algorithmic bias present in training data.
  • Accountability and liability: Regulations on data controller and processor responsibilities don’t cover the complexity of AI supply chains, the responsibility for potential harm and the number of parties involved.
  • Sector-specific requirements: The GDPR is a generalised framework for data protection, so it may not adequately address industry-specific risks and challenges.

The ICO has updated its guidance on AI governance and risk management, clarifying fairness requirements for UK businesses in AI. 

Proposed reforms are incoming for the UK GDPR – read our guide on the DPDI Bill to learn more.  

Expert GDPR & Cyber Security Consultants

Navigating new and existing AI and data protection regulations is complex for businesses of all sizes and in all sectors. At Data Protection People, we offer a range of data protection and cyber security services to keep you compliant.

From specialist GDPR consultants to proactive cyber security support, we’ll help prepare your business for the future. 

Contact the team to find out more.