Content Type: Official policy proposals and consultations

Guidance on the AI auditing framework: draft guidance and consultation


Applications of artificial intelligence (AI) increasingly permeate many aspects of our lives. We understand the distinct benefits that AI can bring, but also the risks it can pose to the rights and freedoms of individuals. This is why we have developed a framework for auditing AI, focusing on best practices for data protection compliance – whether you design your own AI system, or implement one from a third party. It provides a solid methodology to audit AI applications and ensure they process personal data fairly. It comprises:

  • auditing tools and procedures that we will use in audits and investigations; and
  • this detailed guidance on AI and data protection, which includes indicative risk and control measures that you can deploy when you use AI to process personal data.

This guidance is aimed at two audiences:

  • those with a compliance focus, such as data protection officers (DPOs), general counsel, risk managers and the ICO’s own auditors; and
  • technology specialists, including machine learning experts, data scientists, software developers and engineers, and cybersecurity and IT risk managers.

The guidance clarifies how you can assess the risks to rights and freedoms that AI can pose, and the appropriate measures you can implement to mitigate them. While data protection and ‘AI ethics’ overlap, this guidance does not provide generic ethical or design principles for your use of AI. It corresponds to different data protection principles, and is structured as follows:

  • part one addresses accountability and governance in AI, including data protection impact assessments (DPIAs);
  • part two covers fair, lawful and transparent processing, including lawful bases, assessing and improving AI system performance, and mitigating potential discrimination;
  • part three addresses data minimisation and security; and
  • part four is about how you can facilitate the exercise of individual rights in your AI systems, including rights related to automated decision-making.

This content is available under the Open Government Licence v3.0
