United Kingdom: Updated ICO position on engineering individual rights into generative AI models

On 10 December 2024, the UK's Information Commissioner's Office (ICO) updated its guidance on incorporating individual rights into generative AI systems following a public consultation. The ICO clarified that under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018, data controllers must design AI systems to uphold data protection principles such as lawfulness, fairness, and transparency, embedding safeguards throughout the process. While Article 11 of GDPR permits processing without identifying individuals if unnecessary, organisations must demonstrate that data is sufficiently anonymised or pseudonymised and that this approach aligns with the processing purpose. They must also allow individuals to provide identifying information to exercise their rights if desired.