Overview
AI tools do not get a data protection exemption
Every time someone in your business pastes a customer email into a chatbot, uploads a spreadsheet to a summariser or lets an AI tool score applications, personal data is being processed, and UK GDPR applies in full. The ICO has been clear that AI is a priority area, and the risks are not theoretical: data entered into public AI tools can leave your control permanently, some tools use inputs for training, and AI-driven decisions about individuals carry specific legal duties. Most staff have never been told any of this.
This course closes that gap. It starts with how AI tools actually handle the data you give them, including the crucial difference between public and enterprise deployments, then works through the UK GDPR essentials as they apply to AI: lawful basis, minimisation, transparency, and the rules on automated decision-making and profiling, including the changes made by the Data (Use and Access) Act 2025. You will learn exactly what can and cannot go into an AI tool, when an AI project needs a data protection impact assessment and how to run one, and how to handle rights requests and breaches where AI is involved.
The course is fully online and self paced, taking most learners three to four hours, with twelve months of access from enrolment. Pass the closing assessment and your NFAQ certified certificate is generated straight away, dated and named, ready to download and print.
What you’ll learn
What you’ll be able to do
By the end of this course you will be able to:
Explain how AI tools process, retain and sometimes train on the data entered into them.
Apply the UK GDPR principles to AI use, including lawful basis, purpose limitation and minimisation.
Judge what data can safely be entered into a given AI tool, and recognise what must never be.
Explain the rules on automated decision-making and profiling, including the Data (Use and Access) Act 2025 changes.
Decide when an AI project or tool requires a data protection impact assessment, and contribute to one.
Handle subject access and other rights requests where AI processing is involved.
Recognise when AI misuse becomes a reportable personal data breach and respond correctly.
Keep the records that demonstrate accountability for AI processing to the ICO.
Course content
Six modules to work through
Each module builds on the last and ends with the material you need for the final assessment. Work at your own pace and return to any module during your twelve month access window.
1Why AI Changes the Data Protection PictureWhat actually happens to data entered into an AI tool, and why the old assumptions fail.⌄
- How generative AI tools handle your inputs: processing, retention and context windows
- Public tools versus enterprise deployments, and why the difference matters legally
- Model training on user inputs: which tools do it and how to find out
- Where the data goes: hosting, international transfers and sub-processors
- Why “it’s just a productivity tool” is not a data protection answer
2UK GDPR Foundations for AI UseThe principles and lawful bases, applied specifically to AI processing.⌄
- The seven principles applied to AI: what changes and what does not
- Choosing a lawful basis for AI processing, and why legitimate interests needs care
- Special category data and AI: the extra conditions that apply
- Controller and processor roles when an AI vendor is involved
- Data minimisation in practice: the least data that does the job
3What You Can and Cannot Put Into an AI ToolThe practical rules for everyday use, from customer emails to HR files.⌄
- The red-line categories: identifiable customer data, employee data, health data, credentials
- Anonymisation and pseudonymisation: what genuinely takes data out of scope
- Safe patterns: dummy data, redaction and enterprise tools with the right settings
- Confidentiality beyond GDPR: client obligations, trade secrets and legal privilege
- A simple decision test staff can apply before every prompt
4Automated Decision-Making and ProfilingThe specific legal regime for decisions made about people by machines.⌄
- What counts as solely automated decision-making with legal or similarly significant effects
- The Data (Use and Access) Act 2025: what changed and what safeguards remain
- Meaningful human involvement: what it takes for review to be real, not rubber-stamped
- Profiling: scoring, ranking and predicting people, and the transparency it requires
- Rights of individuals affected by automated decisions, and how to honour them
5DPIAs for AI ProjectsWhen an AI project needs a data protection impact assessment, and how to do one well.⌄
- The triggers: when a DPIA is legally required for AI processing
- Scoping the assessment: data flows, purposes and the people affected
- Assessing necessity, proportionality and the risks AI adds
- Mitigations that regulators expect to see for AI systems
- Sign-off, consultation with the DPO and when to consult the ICO
6Rights, Breaches and AccountabilityHandling requests, incidents and evidence when AI is in the processing chain.⌄
- Subject access requests that touch AI processing, and what you must disclose
- Rectification, erasure and objection where AI tools hold or produced the data
- When AI misuse is a personal data breach, and the 72 hour reporting clock
- Records of processing, policies and training logs: the accountability trail
- What ICO scrutiny of AI looks like, and being ready for it
Who it’s for
Is this course a good fit?
This course is for anyone whose work brings personal data and AI tools together, and for the people responsible for making sure that happens lawfully.
Data protection officers & leads
DPOs and privacy leads extending their oversight to AI processing.
Managers & team leaders
Anyone supervising staff who use AI tools on customer or employee data.
HR & payroll staff
Teams handling the most sensitive employee data in the business.
Marketing & sales teams
Heavy AI users working daily with customer lists, CRM data and enquiries.
IT & systems administrators
Those configuring AI tools and deciding retention and training settings.
Anyone using AI with real data
Staff in any role who draft, summarise or analyse using AI tools.
Assessment
How it’s assessed
The course is assessed by a single online multiple choice test taken after the modules. It can be retaken as many times as you need at no extra cost.
End-of-course assessment
Study details
You can pause and resume at any point, and your progress is saved automatically. There is no time limit on the assessment itself.
Certification
Your CPD-certified certificate
AI, Data Protection and UK GDPR — CPD Certified
On passing the assessment, your NFAQ certified digital certificate is available to download and print immediately, with your name, the course title and the completion date. It is dated, named evidence that your staff have been trained on the data protection rules that apply to AI use, exactly the kind of record the ICO expects under the accountability principle, and a strong mitigation if an incident ever occurs. We recommend refresher training every two years, or sooner if the law or your AI toolset changes.
FAQs
