3 April 2023

Stephen Almond, Executive Director, Regulatory Risk, leads the ICO’s team responsible for anticipating, understanding and shaping the impacts of emerging technology and innovation on people and society.

News stories about the implications of generative artificial intelligence (AI) and large language models (LLMs) are reaching a climax, with almost two thousand academics and technology experts signing a letter last week calling for a six-month moratorium.

LLMs (such as ChatGPT) and their use cases – from writing essays to powering chatbots or creating websites without human coding involved – have captured the world’s imagination. But it is important to take a step back and reflect on how personal data is being used by a technology that has made its own CEO “a bit scared”.

ChatGPT itself recently told me that “generative AI, like any other technology, has the potential to pose risks to data privacy if not used responsibly”. And it doesn’t take too much imagination to see the potential for a company to quickly damage a hard-earned relationship with customers through poor use of generative AI. But while the technology is novel, the principles of data protection law remain the same – and there is a clear roadmap for organisations to innovate in a way that respects people’s privacy.

Organisations developing or using generative AI should be considering their data protection obligations from the outset, taking a data protection by design and by default approach. This isn’t optional – if you’re processing personal data, it’s the law.

Data protection law still applies when the personal information that you’re processing comes from publicly accessible sources. If you’re developing or using generative AI that processes personal data you need to ask yourself the following questions:

  1. What is your lawful basis for processing personal data? If you are processing personal data you must identify an appropriate lawful basis, such as consent or legitimate interests.
  2. Are you a controller, joint controller or a processor? If you are developing generative AI using personal data, you have obligations as the data controller. If you are using or adapting models developed by others, you may be a controller, joint controller or a processor.
  3. Have you prepared a Data Protection Impact Assessment (DPIA)? You must assess and mitigate any data protection risks via the DPIA process before you start processing personal data. Your DPIA should be kept up to date as the processing and its impacts evolve.
  4. How will you ensure transparency? You must make information about the processing publicly accessible unless an exemption applies. If it does not take disproportionate effort, you must communicate this information directly to the individuals the data relates to.
  5. How will you mitigate security risks? In addition to personal data leakage risks, you should consider and mitigate risks of model inversion and membership inference, data poisoning and other forms of adversarial attacks.
  6. How will you limit unnecessary processing? You must collect only the data that is adequate to fulfil your stated purpose. The data should be relevant and limited to what is necessary.
  7. How will you comply with individual rights requests? You must be able to respond to people’s requests for access, rectification, erasure or other information rights.
  8. Will you use generative AI to make solely automated decisions? If so – and these have legal or similarly significant effects (e.g. major healthcare diagnoses) – individuals have further rights under Article 22 of UK GDPR.

As the data protection regulator, we will be asking these questions of organisations that are developing or using generative AI. We will act where organisations are not following the law and not considering the impact on individuals.

We are here to support organisations, enabling them to scale and maintain public trust. Our recently updated Guidance on AI and Data Protection provides a roadmap to data protection compliance for developers and users of generative AI. Our accompanying risk toolkit helps organisations looking to identify and mitigate data protection risks.

Innovators identifying novel data protection questions can get advice from us through our Regulatory Sandbox and new Innovation Advice service. Building on this offer, we are in the process of piloting a Multi-Agency Advice Service, with our partners in the Digital Regulation Cooperation Forum, for digital innovators needing joined-up advice from multiple regulators.

There really can be no excuse for getting the privacy implications of generative AI wrong. We’ll be working hard to make sure that organisations get it right.