The UK’s Information Commissioner’s Office (ICO) has announced its intention to review how key businesses are using generative AI. The ICO has warned businesses not to underestimate the risks associated with generative AI and not to rush into adopting it without considering the potential harms. Generative AI is capable of producing complex content such as text, images, audio, and video, and it is considered to have higher risks compared to other AI models due to its potential impact across various sectors, including law enforcement, immigration, employment, insurance, and health.

The UK has previously adopted a “light touch” approach to AI regulation, as outlined in its “Pro-Innovation” AI Whitepaper. Instead of proposing new legislation, the Whitepaper emphasized sector-specific, principles-based guidance and existing laws. In contrast, the EU has proposed the AI Act, a standalone piece of legislation that regulates all AI systems regardless of the industry. However, there have been indications that the UK may reevaluate its approach to AI regulation and consider a more intensive approach, potentially even introducing AI-specific legislation.

The ICO, as the UK’s Data Protection Authority, will focus on reviewing data protection risks associated with generative AI. The ICO urges businesses to understand how AI utilizes personal information, mitigate risks, and ensure compliance with customer expectations and regulatory requirements. The ICO has updated its Guidance on AI and data protection and provided a toolkit to assess and mitigate AI risks. The ICO has also issued concise guidance in the form of eight questions that organizations using or developing generative AI should consider. These questions cover topics such as lawful basis for data processing, security mitigation, and GDPR compliance.

It is important to note that this information is current as of the posting date and may not reflect any subsequent developments.