Generative AI and Data Protection

The UK Government has adopted a framework for regulating the development and use of Artificial Intelligence (AI). They have used UK regulators like the Information Commissioner Office (ICO) to create specific rules for different sectors.

The ICO has launched a consultation series on generative AI, focusing on how aspects of data protection law should apply to the development and use of generative AI models.

What is Generative AI?

In a nutshell, generative AI is a type of artificial intelligence technology that is capable of producing new content such as images, videos, text and computer code. Generative AI models are typically trained using large sets of input training data, which they use to create similar content based on prompts given to them by the user.

The ICO is aiming, through its consultation, to clarify how data protection law applies to the use of this data in the development and use of generative AI. This includes how organisations developing generative AI models can enable individuals to exercise the rights granted to them under data protection laws, where the use of personal data in the development process is concerned.

What does data protection legislation provide in terms of individual rights?

UK data protection legislation grants individuals certain rights over their personal data. Organisations that process personal data must ensure that the individuals who own that personal data are able to exercise these rights.

  • The rights granted to all individuals in relation to their personal data include:
  • the right to be informed that their personal data is being processed;
  • the right to have access to a copy of any of their personal data that is being processed;
  • the right to have their personal data rectified if it is inaccurate;
  • the right not to be subject to automated decision-making; and
  • in some cases, the right to have their information deleted, or to restrict or prevent the use of their information.

These rights apply wherever personal data is being processed. This means that in the context of generative AI, they apply to any personal data included in:

  • the data used to train the AI model;
  • data used for fine-tuning;
  • the outputs created by generative AI; and
  • user queries (e.g. when a user enters personal information via a prompt into the AI model).

Therefore, it is important that organisations who develop generative AI models to consider the data protection impacts and have processes in place to ensure that data subjects can lawfully exercise their rights.

What is the ICO’s initial view?

The ICO’s current consultation chapter on individual rights focuses on the right to be informed, the right to access, the right to have personal data deleted and the right to restrict processing of personal data. It has not yet considered rights relating to automated decision-making.

Right to be informed

The right to be informed is an important prerequisite to individuals being able to exercise their other rights under data protection legislation. An individual can only exercise such rights if they are aware that their personal data is actually being processed.

Generative AI developers use a diverse range of datasets derived from various sources in order to develop and train generative AI models.

Data is often collected directly from the individuals. For example, a company may provide a developer with employee data for them to fine-tune a generative AI model to be used for HR processes. Where personal data is collected directly from individuals, Article 13 of the UK GDPR states that such individuals with clear information about the use of their data, and what rights the individual has in relation to the processing of their data. They must also be clear about the fact that the data is being used for AI training.

Where data is collected from other sources (i.e. web-scraping), Article 14 of the UK GDPR provides that the right to be informed still applies. Individuals must be notified that their data has been collected and given clear information about the use of their data and their rights.

There are certain exceptions under Article 14 with regards to the right to be informed, such as where it is impossible to do so, or would require disproportionate effort to provide the requisite information to each data subject (i.e. where the dataset is exceptionally large). Generative AI developers seeking to apply such exceptions must still take appropriate measures to protect individual rights, including making privacy information publicly available.

The ICO is currently looking for views on what further measures generative AI developers should take to safeguard individuals’ right to be informed, including the application of privacy-enhancing technology or other pseudonymisation techniques.

Right to access

Individuals have a right of access to a copy of any personal data held about them, including in data sets being used to train generative AI models. The ICO has stated that it expects developers to have “accessible, clear, easy-to-use, documented and evidenced methods” to respond to data subject access requests.

It is sometimes difficult to identify individuals within large datasets, making it difficult to comply with an access request. In these cases, the law requires developers to explain this to the individual making the access request and demonstrate why this is the case. The individual can then decide if they wish to provide additional information to facilitate the identification.

Rights to erasure, rectification, restriction and objection to processing

If an individual wishes to exercise their right to have their personal data rectified or erased, or to object to their personal data being processed altogether, their request should be addressed within 1 month (or 3 months, if an extension is necessary).

The ICO recognises that applying such rights could be difficult for generative AI developers given that during training, generative AI models retain imprints of the data inputted into them for learning. Many developers use input and output filters to mitigate the risk that a generative AI model outputs personal data. The ICO is looking for views on whether such filters are sufficient for suppressing or removing personal data from generative AI models. They are also interested to discover if developers are using any other techniques to apply an individual’s right to erasure and objection, including “machine unlearning”.


Organisations developing, training and deploying generative AI models have a legal duty to enable people to exercise their rights over any personal data being used.

Developers need to be able to show that they:

  • have a clear and effective process for enabling individuals to exercise their rights;
  • are making privacy information clear, accurate and easily accessible; and
  • can justify any exceptions being relied upon and demonstrate the measures being taken to safeguard individuals’ interests, rights and freedoms.

The ICO’s call for evidence on individuals’ rights and freedoms in the context of generative AI models closed on 10 June 2024. The ICO should then be able to provide developers with clearer advice on how they can meet their legal obligations in this area.

If you have any questions or concerns regarding data protection and generative AI, please contact our IT and Technology team

Like to talk about this Insight?

Get Insights in your inbox

To Top