This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
If you've already accepted that AI tools are part of how your business handles customer data, the next question is whether you're meeting the standard your regulator now expects in writing. The Information Commissioner's Office is no longer just publishing informal guidance on AI. It has a statutory duty to prepare a formal Code of Practice, and the first version is already taking shape.
In short: regulations bringing a statutory AI Code of Practice into force (SI 2026/425) took effect on 12 May 2026, placing the Information Commissioner under a legal duty to prepare a code covering both the development and use of AI, including a mandatory children's data component. Final guidance under the code is expected during summer 2026. Once in force, a business that follows the code has a legal presumption of good practice; a business that doesn't will need to show its approach meets the same standard some other way.
Why this matters even if you didn't build the AI yourself
Most small and mid-sized businesses don't build their own AI models. They use a vendor's chatbot, a forecasting add-on inside their existing software, or a CV-screening tool bought off the shelf. It's tempting to assume the code is aimed at the vendor, not the business using the tool.
That's not how UK GDPR works. If your business decides how customer or staff data gets used by an AI system, you're very likely the data controller for that processing, regardless of who wrote the underlying model. The code is written with that in mind: it covers both the organisations that build AI and the organisations that deploy it.
What the code actually requires
An operations manager at a 40-person UK retail business rolling out an AI chatbot for customer service and an AI forecasting tool for stock levels is a good example of who this affects directly. Before this code, that business might have deployed both tools, checked the vendor's own privacy claims, and moved on.
Under the code, the expectation is different. The business needs to be able to show it assessed the data protection risk of each AI system before deployment, not just accepted the vendor's word for it. For a chatbot already live for six months, that means going back and documenting an assessment that should have happened at the start, not treating it as a one-off box that's already ticked.
The Information Commissioner's Office's own AI and data protection guidance frames this around existing UK GDPR obligations rather than inventing new ones from scratch: lawful basis for the processing, data minimisation, transparency about how the AI system uses personal data, and a documented risk assessment proportionate to the risk. The genuinely new element is the mandatory children's data component, which sets a higher bar wherever an AI system might process data belonging to someone under 18, even if the business doesn't specifically target children.
What this looks like in practice
A 20-person professional services firm using an AI note-taking tool in client meetings doesn't need a legal department to act on this. The practical version looks like: list which AI tools touch personal data, note what each one is actually used for, check whether the vendor's own documentation explains how it processes that data, and write down the answer, even briefly, before the tool goes into regular use rather than after a client or regulator asks.
Where a business already has a broader AI risk assessment process in place, the code's expectations fit inside it rather than replacing it. Where a business has never done this for any of its AI tools, the code is a reasonable trigger to start with the highest-risk system first, typically whichever tool touches the most sensitive data or the largest number of people.
Why a business would bother following a code that isn't a hard legal requirement in itself
The code itself doesn't create brand-new offences. What it does is give businesses a clear, ICO-endorsed reference point for what "good" looks like under UK GDPR when AI is involved. A business that can point to the code and show it followed the approach is in a materially stronger position if a complaint or an ICO inquiry ever happens, compared to a business that has no documented approach at all and is relying on "we assumed the vendor had it covered."
This matters most for the two scenarios that already generate the bulk of AI-related complaints to the ICO: a customer objecting to how a chatbot handled their personal data, and a job applicant or employee affected by an automated decision. A business that has already documented its risk assessment for the relevant AI tool has a straightforward answer ready. A business that hasn't is starting from zero at the worst possible moment.
What you can do about it
The ICO's own guidance on AI and data protection is the primary reference point, and it's written for exactly this audience, not just large enterprises with dedicated compliance teams. Three practical steps: identify every AI tool currently in use that touches personal data, check whether a data protection risk assessment exists for each one, and prioritise writing one for any tool that doesn't have it yet, starting with whichever handles the most sensitive data.
This is a planning exercise, not a compliance guarantee. Confirm the current state of the code and its final guidance with the ICO directly or a qualified adviser before treating any specific AI deployment as settled.
FAQ
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Is the ICO's AI Code of Practice already in force?
The regulations requiring the Information Commissioner to prepare the code (SI 2026/425) came into force on 12 May 2026. Final detailed guidance under the code is expected during summer 2026, so check the ICO's website for the current published version before treating any specific requirement as settled.
Does this apply to a business that only uses off-the-shelf AI tools, not one that builds its own?
Yes. The code covers both organisations that develop AI and organisations that deploy it. If your business decides how an AI tool processes customer or staff data, you're likely acting as the data controller for that processing under UK GDPR, regardless of who built the underlying model.
What's different about the children's data requirement?
The code includes a mandatory children's data component, meaning any AI system that could process data belonging to someone under 18 is held to a higher standard, even for a business that doesn't specifically market to children.
Do I need a lawyer to do a data protection risk assessment for an AI tool?
Not necessarily for a straightforward, low-risk tool. The ICO publishes guidance intended for organisations without a dedicated legal team. For anything processing sensitive data at scale, or where the assessment is genuinely unclear, getting a qualified adviser involved is worth it.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Already have an AI policy in place, or need to build one from scratch? Start with a free acceptable use policy template.
Get the Free Template