UK ICO AI guidance: what organisations need to know in 2026
The Information Commissioner's Office is the UK's primary regulator for AI as far as it involves personal data. While the UK has no standalone AI law, the ICO's enforcement powers under UK GDPR and the Data Protection Act 2018, combined with the Data (Use and Access) Act 2025 reforms, give it substantial authority over AI systems that process personal data.
Key 2025-2026 developments
DUAA reforms (5 February 2026). Section 80 replaced Article 22 with Articles 22A-D, broadening the circumstances under which solely automated decision-making is permitted. The stricter regime is preserved for special category data (health, ethnicity, biometrics). The ICO gained expanded investigation and enforcement tools including document production notices.
ADM guidance consultation (31 March - 29 May 2026). The ICO launched a consultation on draft updated automated decision-making guidance. The draft emphasises enabling responsible ADM rather than treating it as exceptional. Final guidance is expected in summer 2026. Organisations should engage with the consultation and plan for compliance with the final guidance.
ICO AI Toolkit. The ICO's published AI and data protection guidance covers: fairness in AI; transparency in AI; accountability and governance in AI; and lawfulness and purpose limitation in AI. This toolkit remains the primary practical reference for UK organisations deploying AI that processes personal data.
Enforcement posture. The ICO can impose fines of up to £17.5 million or 4% of global annual turnover under UK GDPR. The DUAA increased PECR penalties to match UK GDPR levels. The ICO has been active on AI enforcement: the Clearview AI joint investigation, AI-related complaint investigations, and engagement with AI-specific concerns all demonstrate regulatory willingness to act.
What the ICO expects from organisations
Lawful basis. AI that processes personal data needs a lawful basis under UK GDPR Article 6. For AI training on personal data, the DUAA's reformed purpose limitation rules (Article 5(1)(b)) give more latitude to repurpose data, but the lawful basis, transparency, and fairness requirements remain.
Data Protection Impact Assessment. Required for high-risk processing, which includes systematic evaluation of individuals, automated decision-making with significant effects, large-scale processing of special category data, and innovative use of technology. Most consequential AI deployments trigger DPIA requirements.
Transparency. Individuals must be informed about AI use in decisions affecting them. Privacy notices should disclose automated processing, the logic involved, and the significance and envisaged consequences.
Individual rights. Right of access (Article 15), including meaningful information about the logic involved in automated decisions. Right to rectification where AI processes inaccurate data. Right to erasure where applicable. Right to object to profiling.
DRCF coordination
The ICO sits within the Digital Regulation Cooperation Forum alongside Ofcom, FCA (Financial Conduct Authority), and CMA, chaired by CMA CEO Sarah Cardell for 2025/26. The DRCF published an October 2025 call for views on agentic AI. For organisations regulated by multiple UK regulators, the DRCF provides coordinated guidance that reduces conflicting expectations.
Primary sources: ICO, ADM Rights Guidance · ICO, AI and Data Protection Guidance · Data (Use and Access) Act 2025
Related reading
- UK AI Governance: The Pro-Innovation Approach, ICO Guidance, FCA Expectations, and What It Means Post-Brexit
- AI Governance for UK Small Businesses: What the ICO, ACAS, and UK GDPR Actually Require
- AI in the NHS: Your Rights as a Patient When Algorithms Inform Your Care
- AI in Hiring and Employment Decisions: What UK Employers Must Do to Stay Compliant