Obligations Already Enforceable

The UK Doesn’t Need an AI Act to Regulate You

If your AI system processes personal data or makes significant decisions about people, your compliance obligations are already live.

No AI Act — But Real Obligations

The UK has chosen a regulator-led, pro-innovation approach rather than a single horizontal AI statute. But that does not mean there are no obligations. UK GDPR, the Data Protection Act 2018, ICO guidance, and the Algorithmic Transparency Recording Standard create a concrete compliance surface for any organization deploying AI.

DPIA Requirements (UK GDPR Article 35)

Required where new technology is likely to result in high risk to individuals. Always required for:

Systematic and extensive profiling
Automated decisions with legal or similarly significant effects

If unmitigated residual high risk remains after safeguards, you must consult the ICO before processing.

ICO AI Guidance Framework

Updated March 2023, under review following the Data (Use and Access) Act 2025. Remains the operative compliance source for AI and personal data.

Accountability
Transparency
Lawfulness
Accuracy
Fairness
Security
Individual Rights

ICO AI Audit Framework

What the ICO looks for when auditing AI systems. This is the practical audit checklist.

Governance and accountability
Transparency
Contracts and third parties
Data minimisation
Security
Privacy by design
Statistical accuracy
Bias and discrimination
Human review

Algorithmic Transparency Recording Standard (ATRS)

Mandatory for all UK government departments and in-scope arm’s-length bodies delivering public or frontline services. Scope clarified December 17, 2024.

Not a private-sector obligation yet — but it signals the direction of travel. Organizations building documentation now will be ahead when the standard expands.

Penalties

Up to 4% of annual global turnover

ICO enforcement under UK data protection law. No separate AI-specific fine schedule.

What’s Coming

The AI Regulation Bill [HL] — a Private Members’ Bill — had its first reading March 4, 2025. It has not been enacted. Its political future is uncertain.

The regulator-led model remains operative. Organizations should build for existing law, not wait for a statute that may not come.

What This Means for Your Organization

UK deployer obligations are already enforceable. The documentation requirements are clear. The ICO audit framework tells you exactly what evidence to produce.

AOP builds the structured, audit-ready evidence files that map to each of these requirements.
