AI Startups - Managing Data Protection Risks


On 13th January 2025, the Government announced that it planned to “turbo charge” AI in the UK by throwing the full weight of Whitehall behind the industry and adopting all 50 recommendations set out by Matt Clifford in his AI Opportunities Action Plan. The move is designed to increase growth by attracting investment and tackling the country’s low productivity. The IMF estimates that if AI is fully embraced it can boost productivity by as much as 1.5 percentage points a year. If fully realised, these gains could be worth up to an average £47 billion to the UK each year over a decade.

The announcement was made as tech companies Vantage Data Centres, Nscale, and Kyndryl stated they have committed £14 billion in investment to build the AI infrastructure the UK needs to meet the Government’s ambitions. The infrastructure work will provide 13,250 jobs across the country. This is over and above the £25 billion in AI investment announced at the International Investment Summit.

This is an incredible opportunity for existing and new AI startups. If ever there was a welcome mat being laid out for the industry, this is it. But to take full advantage of the opportunities available and ensure you have a long-term, sustainable business, you need to understand the data protection and privacy risks around AI so you can create a solid risk assessment and management strategy.

What are the UK GDPR principles?

All businesses developing AI solutions and/or applications hold significant amounts of data as this is what AI is trained, tested, and validated on. One of the general public’s biggest concerns about AI is the safety of their personal data and privacy. If you are an AI startup, your bible for all things data protection and privacy compliance is the Information Commissioner’s Office website.

There are six UK GDPR principles listed under Article 5(1) which states that personal data must be processed:

  1. lawfully, fairly, and in a transparent manner
  2. for specified, explicit, and legitimate purposes only
  3. in a manner that is adequate, relevant, and limited to what is necessary
  4. accurately and where required, kept up to date
  5. regarding storage, data should only be kept as long as necessary
  6. in a way that protects it from unlawful or unauthorised processing, loss, damage, or destruction

Article 5(2) states that the Controller (and Processors) must be able to demonstrate compliance. This is known as the accountability requirement and mainly involves recording the steps you’ve taken to reach compliance.

How should an AI startup approach data protection and privacy risk management?

The ICO states that AI is a high-risk technology, so when you are developing a new AI solution or application, you must identify and assess the risks and implement measures to mitigate them. This is achieved by conducting a Data Protection Impact Assessment (DPIA).

One of the biggest challenges in doing a DPIA for AI innovation is that the particular risks associated with individual solutions and applications depend on specific factors such as:

  • How the product will be used.
  • The data required to train, test, and verify the model.
  • The sector of the population in which the product will be used.
  • Domestic and international regulatory requirements.
  • The social, cultural, and political considerations of developing and selling the AI solution or application.

Can I leave AI DPIAs to the scientists and engineers?

The ICO is extremely clear in its answer to this question:

“You cannot delegate these issues to data scientists or engineering teams. Your senior management, including DPOs, are also accountable for understanding and addressing them appropriately and promptly (although overall accountability for data protection compliance lies with the controller, ie your organisation).

To do so, in addition to their own upskilling, your senior management will need diverse, well-resourced teams to support them in carrying out their responsibilities. You also need to align your internal structures, roles and responsibilities maps, training requirements, policies and incentives to your overall AI governance and risk management strategy.”

How do I manage the UK GDPR fairness and transparency requirements if I am training AI on personal data?

If you need to use personal data to train your AI innovations, you must tell people affected at the point of data collection that their personal information will be used to train your AI product. You also need to inform people if you plan to train your AI on personal data you collected in the past for a different purpose.

In cases where informing individuals is not possible or involves a “disproportionate effort”, you need to take “appropriate measures” to protect people’s rights, freedoms, and legitimate interests. For example, you could put a note on your website stating where you obtained your AI training data from and how data subjects can object or have their data removed from the training database.

Concluding comments

This article merely skims the surface of the data protection and privacy compliance requirements that AI startups need to consider and observe. What’s more, compliance is changing constantly as governments around the globe try to keep up with the rapid pace of AI development and the growth opportunities it presents.

The best way to protect your commercial interests and reputation is to work with an experienced Risk Management Solicitor who can advise you on the regulations you need to be aware of and the latest ICO requirements. They can also undertake a DPIA so you can be assured of its breadth and accuracy.

To find out more about any matters discussed in this article, please email us at [email protected] or phone 0121 249 2400.

The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article, please contact 43Legal.

 

 
