The GDPR (EU regulation) has strict rules on how AI processes personal data. Key requirements include:

• Lawful Basis for Processing (Article 6)
  AI systems must have a lawful basis (e.g., consent, legitimate interest, legal obligation) before processing personal data.
• Obtaining Consent – Article 7 (GDPR) Sets the conditions for obtaining valid consent for data processing. AI must process data lawfully, transparently, and fairly, and often requires explainability, human oversight, and consent.
• Data Subject Rights (Articles 12-22)
  Individuals have rights such as:
  • Right to be informed. (explainable AI)
  • Right to access data.
  • Right to rectification.
  • Right to erasure (right to be forgotten).
  • Right to object to automated decision-making (AI-based decisions must have human oversight).
• Automated Decision-Making & Profiling (Article 22)
  If an AI system makes fully automated decisions with legal effects, individuals must have:
  • The right to contest decisions.
  • Human intervention in critical cases.
  • Transparency on how the decision was made
• Privacy by Design & Default (Article 25)
  AI systems must incorporate data protection measures from the start (e.g., data minimization, encryption).
• Data Protection Impact Assessment (DPIA) (Article 35)
  If AI processing poses high risks to individuals (e.g., biometric recognition), organisations must conduct a DPIA.
• Cross-Border Data Transfers (Articles 44-50)
  AI systems processing data outside the EU must comply with international transfer rules (e.g., Standard Contractual Clauses, adequacy decisions).

The UK legislation broadly aligns with the EU GDPR, however it does allow more flexibility in AI innovation.

Note – The UK is developing its own AI regulations, focusing on accountability, fairness, and explainability in AI systems.

Visit the ICO website for more information.