GDPR and AI Tools UK: What Businesses Must Know in 2026

Using AI tools like ChatGPT or Microsoft Copilot creates UK GDPR obligations the moment personal data is involved, regardless of how the tool is marketed or how informal its use feels. Whether that use is compliant depends almost entirely on configuration, not on which AI tool you choose.

In 2026, the rules around this have changed significantly. The Data (Use and Access) Act received Royal Assent in June 2026, and it directly rewrites how UK GDPR treats AI-driven automated decisions.

Is Using ChatGPT or Copilot a UK GDPR Issue?

It depends entirely on which version you use and how.

Using consumer ChatGPT to process personal data is almost always a GDPR risk because of lawful basis, transfer, and data minimisation issues. Enterprise versions, such as ChatGPT Enterprise or Microsoft Copilot for Microsoft 365 with proper licensing, include data protection terms that make compliant use possible, but a DPIA, a vendor due-diligence record, and an AI policy are still required.

The free tier of ChatGPT uses inputs for model training by default, which creates GDPR issues whenever personal data is involved. A paid Team or Enterprise plan with a proper Data Processing Agreement and training opt-out is required before any customer data should be entered.

What Changed: Article 22 Has Been Replaced

This is the single most important UK GDPR development for AI in 2026.

Since the Data (Use and Access) Act commencement plan brought the relevant data protection changes into force on 5 February 2026, section 80 of the Act has replaced Article 22 of the UK GDPR with new Articles 22A-D.

The Data (Use and Access) Act (DUAA) creates a more permissive framework for organisations making decisions, based solely on automated processing, that have legal or similarly significant effects on individuals. It relaxes some of the restrictions in the old Article 22, but introduces new safeguards, including clearer rights for individuals to obtain human review and to contest automated decisions.

In practice, this means UK businesses now have slightly more flexibility to use AI for automated decisions, but the obligation to provide meaningful human review when challenged is now more clearly defined, not less.

What UK GDPR Requires When AI Touches Personal Data

UK GDPR and the Data Protection Act 2018 are the floor for every UK business using AI. If your AI touches personal data of any kind (customer names, employee data, support tickets, sales pipeline notes), you have UK GDPR obligations regardless of sector.

Three principles matter most in practice:

Lawful basis. You need a documented lawful basis for the personal data your AI processes. Legitimate interests is usually the working answer for internal use, but it requires a documented Legitimate Interests Assessment.

Data minimisation. Train and prompt with the minimum personal data necessary. ChatGPT does not need your full customer list to draft an email.

Transparency. Your privacy notice must explain that AI is being used to process personal data and how.

When Is a DPIA Legally Required for AI Tools?

Any use of AI that involves high-risk processing of personal data requires a Data Protection Impact Assessment. The ICO expects DPIAs to be conducted before processing begins, not retrospectively.

For any AI tool that processes personal data at scale, uses profiling, automated decision-making, or sensitive categories of data, a DPIA is legally required. For a simple AI writing assistant that never sees personal data, a DPIA is not mandatory, but the ICO recommends conducting one anyway as good practice.

The Most Common Compliance Gap in UK Businesses

If your team is pasting customer data into the consumer version of ChatGPT, not the business one, you almost certainly have a UK GDPR issue. This is the single most common AI compliance gap seen in UK SMEs.

Staff pasting customer data into unapproved AI tools is one of the clearest shadow IT risks UK businesses face, because the data leaves your control the moment it is entered into a consumer-grade tool with no enterprise data protection agreement in place.

AI Chatbots and Article 22A-D in Practice

If your business uses an AI chatbot, specific UK GDPR rules apply regardless of the new, more permissive automated decision-making regime.

Data minimisation applies to what the chatbot collects. A booking chatbot needs a name, date, and contact number, not date of birth, address, or employer. A FAQ chatbot answering product questions needs no personal data at all unless it escalates to a human.

The most common ICO finding in chatbot audits is over-collection: businesses asking for data they never use, simply because the chatbot platform supports it.

Decisions that genuinely affect individuals still require safeguards. A chatbot that automatically declines a loan enquiry based on postcode or age data, or one that screens and rejects job applicants without human involvement, requires explicit consent plus a meaningful human review route.

What ICO Enforcement Looks Like in 2026

The financial risk of getting this wrong has increased sharply.

The ICO issued 15 fines totalling approximately £21.7 million in 2025, an eightfold increase on the previous year. The average fine rocketed nearly tenfold, from approximately £150,000 in 2024 to £1.45 million in 2025.

ICO fines for UK GDPR breaches reach up to £17.5 million or 4% of annual global turnover, whichever is higher. For SMEs specifically, the ICO typically issues reprimands and enforcement notices for first breaches rather than maximum fines, but reputational damage from an ICO investigation is significant.

A Practical Compliance Checklist for UK Businesses Using AI Tools

Choose enterprise plans, not consumer ones. Never enter customer personal data into free AI tools. A paid plan with a proper Data Processing Agreement is the minimum starting point.

Confirm data residency and transfer safeguards. Under UK GDPR, transferring personal data outside the UK requires adequate safeguards, and you should confirm the AI provider is certified under the UK Extension to the EU-US Data Privacy Framework where relevant.

Maintain an AI register. An AI register is a single list of every AI tool used in the business, who owns it, what data it touches, what risk class it falls in, and what compliance is required. Every UK business using AI should have one, since the ICO, FCA, and EU AI Act all expect this to be producible on request.

Update your privacy notice. Your privacy policy needs to mention AI tools by name or category, since customers have a right to know if AI is processing their data.

Train your team before rollout. No compliance framework survives contact with an untrained employee pasting customer data into a free ChatGPT account. Set clear rules about which tools are approved and what data can be entered.

This checklist sits within the wider AI governance compliance obligations UK businesses face in 2026, which extend beyond data protection into sector-specific regulatory expectations depending on your industry.

Frequently Asked Questions

Is ChatGPT GDPR compliant for UK businesses?

Only with the correct configuration. Consumer ChatGPT creates GDPR risk with personal data. Enterprise plans with a signed Data Processing Agreement and training opt-out support compliant use.

Has Article 22 of UK GDPR changed in 2026?

Yes. The Data (Use and Access) Act replaced Article 22 with new Articles 22A-D from February 2026, creating more flexibility for automated decisions alongside clearer human review rights.

Do small UK businesses need a DPIA before using AI tools?

Only when processing is high-risk, such as profiling or automated decision-making. For low-risk tools with no personal data exposure, a DPIA is recommended but not legally mandatory.

What happens if staff paste customer data into free ChatGPT?

This is the most common UK AI compliance gap. Free-tier tools use inputs for training by default, meaning the business loses control over that personal data entirely.

What are the ICO fines for AI-related GDPR breaches?

Fines can reach £17.5 million or 4% of global turnover. The average fine rose from roughly £150,000 in 2024 to £1.45 million in 2025.

Does an AI chatbot need to register separately with the ICO?

No. The organisation deploying the chatbot must be registered as a data controller, and that registration covers all processing the chatbot performs.

Source: ICO Guidance on AI and Data Protection, 2026. Data (Use and Access) Act 2026. GDPR Local ICO Artificial Intelligence Report 2026.