Background
Archive
Journal Entry

AI and GDPR: What UK Businesses Need to Know 2026

Documented
Capacity
7 MIN READ
Domain
AI & Automation

Your new AI system processes customer emails, extracts personal data, and makes routing decisions. Is that legal under GDPR? Almost certainly yes, if you have done the right preparation. Here is what “right preparation” actually means for AI systems, and how to satisfy ai gdpr compliance requirements without hiring a law firm to sign off every workflow.

Where GDPR Meets AI

Most business AI touches personal data whether you planned for it or not. Names in a support inbox, email addresses in a booking form, behavioural signals from a chatbot transcript, all of it counts.

The rule is simple: if your AI system processes anything that identifies or relates to a living person, UK GDPR applies. This covers invoice extraction tools reading customer names off PDFs, support triage systems reading email content, scheduling assistants handling booking details, and analytics tools profiling site visitor behaviour. There is no “AI exemption.” The same obligations that applied to your CRM apply to your AI layer, they are just easier to overlook because the processing happens inside a black box.

We covered the practical side of this in our guide on automating your enquiry process with AI, worth reading alongside this piece if you are wiring AI into forms or inboxes.

Lawful Basis for AI Processing

Every use of personal data needs a lawful basis before processing starts, not after. For most B2B AI deployments, one of three applies:

  • Legitimate interest: the most common basis for internal automation (invoice extraction, email triage, CRM enrichment). Requires a documented legitimate interest assessment weighing your business need against individual privacy impact.
  • Contractual necessity: applies when AI processing is required to deliver a service the person signed up for, such as an AI-powered booking confirmation.
  • Consent: needed for anything beyond what a reasonable person would expect, particularly profiling or marketing-adjacent uses. Consent must be specific, informed, and as easy to withdraw as it was to give.

Document your basis in writing before you plug in an AI tool, not retrospectively. If the ICO or a data subject asks “why were you processing my data this way,” a dated record beats a memory.

Automated Decision-Making (Article 22)

This is where most founders get nervous, often unnecessarily. Article 22 of UK GDPR restricts solely automated decisions that have legal or similarly significant effects, think loan approvals, job rejections, or automatic account suspensions with no human involved.

Following the Data (Use and Access) Act reforms, the framework has shifted. Solely automated decision-making based on ordinary personal data is now generally permitted on any lawful basis, but decisions involving special category data (health, ethnicity, religion, etc.) remain restricted to narrow exceptions such as explicit consent. According to Bird & Bird’s coverage of the ICO’s 2026 consultation, the ICO published updated draft guidance on automated decision-making and profiling in spring 2026, with final guidance expected summer 2026.

Regardless of the lawful basis, safeguards are still mandatory whenever a decision is solely automated:

  1. The person must be told a decision was automated.
  2. They must be able to request human intervention.
  3. They must be able to contest the outcome.

The meaningful intervention test. If a human “reviews” every AI decision by rubber-stamping it in two seconds without genuinely engaging with the reasoning, regulators treat that as solely automated anyway. Meaningful human review means someone with authority to change the outcome actually looks at the case, not that a name appears in an approval log.

Most SMB AI use, routing enquiries, drafting replies, flagging invoices for review, does not meet the “legal or similarly significant effect” threshold. But if your AI system rejects applications, adjusts pricing, or denies access to a service without a human checkpoint, treat Article 22 as directly relevant.

Data Protection Impact Assessments (DPIAs)

The ICO’s own guidance is direct on this: AI processing involving innovative technology combined with another risk factor, evaluation, scoring, large-scale processing, or sensitive data, generally requires a DPIA before you go live. In practice, that means most business AI deployments touching personal data need one.

A proportionate DPIA for an SMB AI system should cover:

  • What personal data the system processes and why
  • The lawful basis you are relying on
  • Who has access to the outputs, including any third-party AI vendor
  • What happens if the system gets it wrong (error rates, review process)
  • How long data is retained and how it is deleted
  • Whether a human can override or contest the outcome

You do not need forty pages. A one-to-two page document that a DPO or founder can defend under questioning is more useful than a template nobody reads. If the residual risk is genuinely high and you cannot reduce it, you are required to consult the ICO before processing begins.

Practical Compliance Steps

Five things to get right before (or shortly after) launching an AI system that touches customer data:

1. Data minimisation in prompts. Do not paste full customer records into a prompt when the task only needs a name and a query. Strip unnecessary fields before they reach the model, especially with third-party AI APIs where you do not control retention.

2. Processing records. Article 30 requires a record of processing activities. Add your AI system as its own entry: what it does, what data it touches, where it is hosted, and who the vendor is.

3. Privacy notices. If your website or product now uses AI to process enquiries, your privacy notice needs to say so in plain language. Vague catch-all clauses written before AI adoption will not hold up to scrutiny.

4. Vendor DPAs. Every AI vendor that processes personal data on your behalf, from a chatbot platform to an email triage tool, needs a signed Data Processing Agreement. Check where they host data and whether it leaves the UK/EEA.

5. Retention and the right to explanation. Set explicit retention periods for AI-processed data and delete on schedule. If a decision was automated, be ready to explain, in plain terms, the logic and data that produced it. Osborne Clarke’s guide to assessing AI privacy risk is a useful reference if you want a deeper legal read alongside this practical checklist.

Compliance Checklist

Quick reference before any AI system touching personal data goes live:

  • Lawful basis identified and documented
  • DPIA completed if the system involves innovative tech + another risk factor
  • Article 22 safeguards in place if any decision is solely automated
  • Processing record updated (Article 30)
  • Privacy notice reflects AI processing in plain language
  • Vendor DPA signed for every third-party AI tool
  • Retention period set and enforced
  • Human override / contest route available and genuinely meaningful

Where This Fits With Your Website

If your website’s forms, chatbot, or booking flow feed data into an AI system, that data pipeline is part of your GDPR footprint, not a separate concern. It matters just as much as page speed or conversion rate when you are weighing what to build. A fast, well-built site with a badly governed AI layer behind it is still a liability.

We build AI systems with this baked in from day one, minimal data collection, documented lawful basis, and vendor arrangements that hold up to scrutiny, rather than retrofitting compliance after launch.

Sources


Deploying AI that processes personal data and want it built compliant from the start? Talk to us about a GDPR-conscious AI system, or explore how our AI systems work fits alongside a Studio Site or Launch Sprint build.