If your AI touches personal data — customers, employees, prospects — UK GDPR applies. Here’s what that means in practice in 2026, cited to the ICO. (dgm implements osFoundry as an independent partner. General information, not legal advice — involve your DPO.)

When UK GDPR bites

UK GDPR (read with the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025) applies whenever AI processes personal data — in training, fine-tuning, or running inference. The ICO’s AI guidance is the reference.

Lawful basis

Any processing of personal data needs a lawful basis under Article 6 — for most commercial AI, consent, contract or legitimate interests. The ICO treats identifying the correct lawful basis at each lifecycle stage (training vs inference) as foundational. Special-category data (health, biometrics, etc.) needs an additional condition.

DPIAs

A Data Protection Impact Assessment is legally required for processing likely to result in high risk — and the ICO treats most AI involving personal data (especially profiling, large-scale or special-category processing) as triggering one. In practice, assume you need a DPIA for an AI project on personal data, and do it early. (See our DPIA guide.)

Automated decision-making (rebuilt by the DUAA)

The DUAA replaced Article 22 with new Articles 22A–22D. The headline: solely-automated decisions with legal or similarly significant effects are now permitted in wider circumstances for ordinary data, provided safeguards are met — informing individuals, letting them make representations, letting them contest, and providing human intervention. Special-category ADM stays restricted. (See our automated decision-making guide.)

The other obligations

Across the AI lifecycle you must also handle:

  • Transparency (Articles 13–14) — tell people their data is used, including in AI;
  • Accuracy and fairness of outputs;
  • Data minimisation — don’t feed more personal data than needed; and
  • Security — protect the data and the model.

Where osFoundry and dgm fit

dgm implements AI with data protection designed in: data control (self-host in your own cloud or in an EU region; osFoundry publishes US/EU/JP regions, not a UK one, and an EU region is covered by UK adequacy), audit logging, human-in-the-loop review for significant decisions, and the ability to minimise what personal data is exposed (e.g. bring-your-own-key, or self-hosting so data isn’t sent to third parties). A common pitfall, staff pasting personal data into consumer AI tools, is exactly what a governed setup prevents.

dgm is an independent integration partner with zero integrations so far, and not a law firm. Compliance decisions need your DPO and qualified legal advice. To scope a UK-GDPR-aware AI project, book a consultation with dgm.