The ICO exists to empower you through information.

As part of the ICO’s work on artificial intelligence (AI) regulation, we have been quick to respond to emerging developments in generative AI, engaging with generative AI developers, adopters and affected stakeholders. In April 2023, we set out questions that developers and deployers needed to ask1. In January 2024, we launched our five-part generative AI consultation series2, which this consultation response summarises.

The series set out to address regulatory uncertainties about how specific aspects of the UK General Data Protection Regulations (UK GDPR) and the Data Protection Act (DPA) 2018 apply to the development and use of generative AI. It did that by setting out our initial analysis of these areas, along with the positions we wanted to consult on.  

What follows is a summary of the key themes that emerged from the responses to the consultation. This summary is not intended to be a comprehensive record of all the views expressed, nor a response to all individual points raised by respondents. 

In addition to summarising feedback, this consultation response sets out our analysis on how specific areas of data protection law apply to generative AI systems. This response does not cover the entirety of our regulatory expectations (these are covered in more detail in our core guidance on AI and data protection)3. This response does provide clear views on the application of data protection law to specific issues. In due course, we will be updating our existing guidance to reflect the positions detailed in this response.

The response also flags areas where we think further work is needed to develop and inform our thinking. We also recognise that the upcoming data reform legislation4 may have an impact on the positions set out in this paper.


1 Generative AI: eight questions that developers and users need to ask

2 ICO consultation series on generative AI and data protection

3 Artificial intelligence

4 See the Data (Use and Access) (DUA) Bill