The ICO is the UK’s most important AI regulator for most businesses — because almost every AI project touches personal data. Here’s what its guidance covers in 2026, cited to the ICO. (dgm implements osFoundry as an independent partner. General information, not legal advice.)

Why the ICO matters most

In the absence of a UK AI Act, the ICO (Information Commissioner’s Office) is the lead cross-sector regulator for AI, because data protection is where AI most often bites. If your AI uses personal data, the ICO’s expectations are the ones to know first.

The core guidance

The ICO’s “Guidance on AI and data protection” is the central reference. It covers, across the AI lifecycle:

  • lawful basis for processing;
  • fairness of AI outcomes;
  • transparency and individual rights;
  • DPIAs for high-risk processing;
  • accuracy of outputs; and
  • security and data minimisation.

The risk toolkit

The ICO also publishes an AI and data protection risk toolkit — a practical way to identify and mitigate the data-protection risks AI systems create, mapped to lifecycle stages. It’s a sensible starting point when scoping a DPIA.

Generative AI

The ICO ran a multi-part generative-AI consultation series addressing the hard questions: lawful basis for training on web-scraped data, purpose limitation across the genAI lifecycle, accuracy, and engineering individual rights into models. It has published responses tackling common misconceptions — useful reading if you deploy generative AI.

The 2026 ADM update

Following the Data (Use and Access) Act 2025, the ICO is consulting on new draft guidance on automated decision-making (including profiling), resetting the “significant decision” and “solely automated” thresholds to match the new Articles 22A–22D. The consultation ran into 2026, with final guidance expected around Summer 2026 — so watch for the finalised version if you do automated decisions.

Where osFoundry and dgm fit

dgm implements AI in line with ICO expectations: a clear lawful basis and purpose, transparency, human oversight for significant decisions, data minimisation, and data control (self-host in your own cloud or an EU region — osFoundry publishes US/EU/JP regions, not a UK one). The ICO’s risk toolkit maps neatly onto how we scope a DPIA-ready project.

dgm is an independent integration partner, with zero integrations so far, and is not a law firm. Confirm specifics against the ICO’s own pages and your DPO. To scope an ICO-aware AI project, book a consultation with dgm.