UK: ICO issues guidance for developers and users of generative AI

The Information Commissioner's Office ('ICO') published, on 3 April 2023, a press release in which it specifies eight questions that developers and users need to ask when using generative artificial intelligence ('AI'). In particular, the ICO stated that news stories about the implications of the use of generative AI and large language models ('LLMs'), such as ChatGPT, have reached a climax, noting that while these technologies are novel, the applicable data protection law principles remain the same.

Additionally, the ICO emphasised the risks involved in the use of such technologies, highlighting that organisations developing or using generative AI should consider their data protection obligations from the outset and treat a Data Protection by Design and by Default approach as a legal requirement rather than an optional extra. In this regard, the ICO noted that data protection law still applies when organisations process personal information drawn from publicly accessible sources, and that organisations developing or using generative AI that processes personal data should ask themselves the following questions:

  • What is their lawful basis for processing personal data?
  • Is the organisation a controller, joint controller, or a processor?
    • In this regard, the ICO noted that if an organisation is developing generative AI using personal data, it has obligations as a data controller, whereas if it is using or adapting models developed by others, it may be a controller, joint controller, or a processor.
  • Has the organisation prepared a Data Protection Impact Assessment ('DPIA') before processing personal data?
  • How does the organisation ensure transparency?
    • In this regard, the ICO stated that organisations must make information about the processing publicly accessible, unless an exemption applies, and that if it does not take disproportionate effort, it must communicate this information directly to data subjects.
  • How will the organisation mitigate security risks, including model inversion and membership inference (attacks that use a model's outputs to reconstruct training data or to determine whether a given individual's data was in the training set), data poisoning (manipulation of training data to alter a model's behaviour), and other forms of adversarial attack?
  • How will the organisation limit unnecessary processing?
  • How will the organisation comply with individual rights requests?
  • Will the organisation use generative AI to make solely automated decisions?

Notably, the ICO stated that it will act where organisations are not following the law and not considering the impact on individuals, and highlighted the suite of guidance and tools available for organisations to assist in their compliance.
