The ICO's guidance on AI and data protection is where the UK's data regulator explains how the UK GDPR applies once personal data meets these tools. It deserves a place on a law firm's reading list, because client files hold some of the most sensitive personal data there is. The regulator keeps the whole of it on one hub, written for organisations of every kind, and the pieces that matter to a small firm are easy to pick out.
What sits in the ICO's AI hub
The centrepiece is the guidance titled Artificial intelligence and data protection, a detailed account of applying each UK GDPR principle to AI systems, from lawful basis through fairness to accountability. Beside it sits Explaining decisions made with AI, produced with the Alan Turing Institute, on how to explain AI-assisted decisions to the people they affect. There is separate guidance on biometric recognition, and a practical AI and data protection risk toolkit for assessing what a system does to the rights and freedoms of the people whose data runs through it. The hub also carries a flag worth noting: the Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and its data protection provisions are now in force. Expect the pages to keep moving as the ICO works the changes through.
The principles it presses hardest
Three themes carry most of the weight. Accountability comes first: where AI processing is likely to pose a high risk to individuals, the ICO expects a data protection impact assessment before the processing starts, not a rationalisation after it. Fairness comes with a distinction firms should learn, that a system can be statistically impressive and still unfair to the person in front of it, which is why bias in training data gets its own treatment. And transparency runs throughout, from telling people how their data is used to giving a meaningful explanation when a decision was assisted by a machine, with particular caution around decisions taken solely by automation that carry legal effect.
For a law firm the translation is direct. Matter files are dense with personal and special category data, so a tool that touches them sits at the sharp end of this guidance. The assessment the ICO expects is much the same exercise as the one the SRA expects before a firm adopts new technology.
What to do with it
Run the risk toolkit against any AI tool before it reaches client work, keep the completed assessment on file, and revisit it when the tool or the law changes, which the 2025 Act guarantees it will. The duties the guidance rests on are worked through from the firm's side in UK GDPR when client data meets AI and client confidentiality when using AI tools.
The hub itself is at the ICO’s guidance on AI and data protection.
If nobody in your firm has put these questions to the tools you already use, we run the assessment with partners in a day and leave the record on file where a regulator would want it: start with a conversation.
