May 22, 2022
Data Protection Law

The Information Commissioner’s Office (ICO) has published a new AI Toolkit for organisations that use artificial intelligence (AI) to process personal data. The purpose of the toolkit is to promote compliance with the UK GDPR.

The AI toolkit builds on previous guidance from the ICO on AI and data protection.

AI plays an increasingly important role in the world. Real-life examples include smart assistants, social media monitoring, marketing chatbots and automated financial investing.

New AI systems are being developed by companies all the time, to achieve previously unobtainable gains in efficiency and productivity.

However, the novelty of AI means that there is a risk that such systems may breach the UK GDPR and adversely affect the rights and freedoms of individuals. The ICO AI toolkit is intended to help organisations prevent such breaches.

The ICO AI toolkit is targeted at organisations’ risk and governance teams. This promotes senior leadership awareness of the data protection risks that organisations need to navigate and address to comply with the UK GDPR.

What is the ICO AI Toolkit?

The ICO describes the toolkit as a risk assessment tool.

The AI toolkit provides space for organisations to summarise their risk assessment, as well as any practical steps that can be taken to reduce such risks.

Firstly, an organisation identifies the risks. Then, the toolkit asks it to rate each risk as high, medium or low. Each risk area is aligned to the key principles contained in the UK GDPR (e.g. accountability, data minimisation, fairness, transparency and purpose limitation).

Once risks are identified, the toolkit suggests practical steps that organisations can take:

  • Must: it is a legal requirement to comply with these steps;
  • Should: it is best practice to follow these steps;
  • Could: it is optional good practice to follow these steps.

If the practical steps are followed, the likelihood of compliance with the UK GDPR is increased. 

The AI toolkit is intended to be a practical document for organisations, designed to give them confidence that their AI system complies with the UK GDPR.

The ICO further encourages organisations to publish their toolkit risk assessment in order to help with transparency, although use of the toolkit is not compulsory.

Importance of a DPIA

It must be noted, however, that the toolkit does not replace the need for a Data Protection Impact Assessment (DPIA) or guarantee compliance with the UK GDPR. It is simply a method which organisations can use to highlight and navigate the potential risks posed by artificial intelligence systems which process personal data.

Although completing the toolkit could be seen as a lengthy process, in the long run it can provide organisations with evidence that they have been transparent about their data processing methods.


A major benefit of the ICO AI toolkit is that it will enable organisations to have greater confidence that they are being compliant with data protection laws when they process personal data through their artificial intelligence systems.

The AI toolkit will also help organisations to understand the risks posed to the rights of individuals by artificial intelligence, as well as providing clarity for organisations about the laws that apply to them, allowing them to innovate responsibly.

Ideally, the AI toolkit will be a useful, practical tool which highlights risks and supports compliance with data protection laws.

However, the AI toolkit is relatively new, therefore the benefits which are predicted are yet to be seen and applied in practice on a large scale.

Is it compulsory for an organisation to use the ICO AI toolkit?

No. Use of the toolkit is not compulsory for any organisation. However, using it demonstrates a genuine effort to comply with the UK GDPR. This is useful where the ICO is investigating an organisation and its potential breaches of data protection legislation. The ICO does not look kindly on retrospective risk analysis; contemporaneous evidence of an organisation’s risk assessment helps to minimise enforcement risk.

That said, the ICO has clarified that the AI toolkit does not replace the UK GDPR’s requirement to carry out a Data Protection Impact Assessment (DPIA). A DPIA is required where processing is likely to result in a high risk to individuals’ rights and freedoms. If the AI toolkit identifies a high risk, the organisation must proceed to conduct a DPIA. Essentially, the AI toolkit is an additional safeguard for both the organisation and the individuals whose data is being processed.

Organisations will not be penalised for not using the toolkit, but using it helps them to demonstrate accountability.

Final Thoughts

The ICO AI toolkit is a useful way to support compliance with data protection laws. It highlights risks to individuals’ rights and freedoms and suggests how to address them.

If you have any questions on the above or data protection compliance more generally please contact Neil Williamson or Colin Lambertus.