020 3026 4629 4.7 rated on Google

AI, Data Protection and UK GDPR

Overview

AI tools do not get a data protection exemption

Every time someone in your business pastes a customer email into a chatbot, uploads a spreadsheet to a summariser or lets an AI tool score applications, personal data is being processed, and UK GDPR applies in full. The ICO has been clear that AI is a priority area, and the risks are not theoretical: data entered into public AI tools can leave your control permanently, some tools use inputs for training, and AI-driven decisions about individuals carry specific legal duties. Most staff have never been told any of this.

This course closes that gap. It starts with how AI tools actually handle the data you give them, including the crucial difference between public and enterprise deployments, then works through the UK GDPR essentials as they apply to AI: lawful basis, minimisation, transparency, and the rules on automated decision-making and profiling, including the changes made by the Data (Use and Access) Act 2025. You will learn exactly what can and cannot go into an AI tool, when an AI project needs a data protection impact assessment and how to run one, and how to handle rights requests and breaches where AI is involved.

The course is fully online and self paced, taking most learners three to four hours, with twelve months of access from enrolment. Pass the closing assessment and your CPD certified certificate is generated straight away, dated and named, ready to download and print.

CPD Certified
Fully Online
UK GDPR · AI
All Sectors

What you’ll learn

What you’ll be able to do

By the end of this course you will be able to:

Explain how AI tools process, retain and sometimes train on the data entered into them.

Apply the UK GDPR principles to AI use, including lawful basis, purpose limitation and minimisation.

Judge what data can safely be entered into a given AI tool, and recognise what must never be.

Explain the rules on automated decision-making and profiling, including the Data (Use and Access) Act 2025 changes.

Decide when an AI project or tool requires a data protection impact assessment, and contribute to one.

Handle subject access and other rights requests where AI processing is involved.

Recognise when AI misuse becomes a reportable personal data breach and respond correctly.

Keep the records that demonstrate accountability for AI processing to the ICO.

Course content

Six modules to work through

Each module builds on the last and ends with the material you need for the final assessment. Work at your own pace and return to any module during your twelve month access window.

1Why AI Changes the Data Protection PictureWhat actually happens to data entered into an AI tool, and why the old assumptions fail.
  • How generative AI tools handle your inputs: processing, retention and context windows
  • Public tools versus enterprise deployments, and why the difference matters legally
  • Model training on user inputs: which tools do it and how to find out
  • Where the data goes: hosting, international transfers and sub-processors
  • Why “it’s just a productivity tool” is not a data protection answer
2UK GDPR Foundations for AI UseThe principles and lawful bases, applied specifically to AI processing.
  • The seven principles applied to AI: what changes and what does not
  • Choosing a lawful basis for AI processing, and why legitimate interests needs care
  • Special category data and AI: the extra conditions that apply
  • Controller and processor roles when an AI vendor is involved
  • Data minimisation in practice: the least data that does the job
3What You Can and Cannot Put Into an AI ToolThe practical rules for everyday use, from customer emails to HR files.
  • The red-line categories: identifiable customer data, employee data, health data, credentials
  • Anonymisation and pseudonymisation: what genuinely takes data out of scope
  • Safe patterns: dummy data, redaction and enterprise tools with the right settings
  • Confidentiality beyond GDPR: client obligations, trade secrets and legal privilege
  • A simple decision test staff can apply before every prompt
4Automated Decision-Making and ProfilingThe specific legal regime for decisions made about people by machines.
  • What counts as solely automated decision-making with legal or similarly significant effects
  • The Data (Use and Access) Act 2025: what changed and what safeguards remain
  • Meaningful human involvement: what it takes for review to be real, not rubber-stamped
  • Profiling: scoring, ranking and predicting people, and the transparency it requires
  • Rights of individuals affected by automated decisions, and how to honour them
5DPIAs for AI ProjectsWhen an AI project needs a data protection impact assessment, and how to do one well.
  • The triggers: when a DPIA is legally required for AI processing
  • Scoping the assessment: data flows, purposes and the people affected
  • Assessing necessity, proportionality and the risks AI adds
  • Mitigations that regulators expect to see for AI systems
  • Sign-off, consultation with the DPO and when to consult the ICO
6Rights, Breaches and AccountabilityHandling requests, incidents and evidence when AI is in the processing chain.
  • Subject access requests that touch AI processing, and what you must disclose
  • Rectification, erasure and objection where AI tools hold or produced the data
  • When AI misuse is a personal data breach, and the 72 hour reporting clock
  • Records of processing, policies and training logs: the accountability trail
  • What ICO scrutiny of AI looks like, and being ready for it

Who it’s for

Is this course a good fit?

This course is for anyone whose work brings personal data and AI tools together, and for the people responsible for making sure that happens lawfully.

Data protection officers & leads

DPOs and privacy leads extending their oversight to AI processing.

Managers & team leaders

Anyone supervising staff who use AI tools on customer or employee data.

HR & payroll staff

Teams handling the most sensitive employee data in the business.

Marketing & sales teams

Heavy AI users working daily with customer lists, CRM data and enquiries.

IT & systems administrators

Those configuring AI tools and deciding retention and training settings.

Anyone using AI with real data

Staff in any role who draft, summarise or analyse using AI tools.

The course assumes no prior data protection training and builds the UK GDPR essentials as it goes, but it also works well as AI-specific top-up training for staff who have already done a general GDPR course. Businesses training a team can use volume licensing with consolidated invoicing and completion tracking, with seat prices reducing as team size grows.

Assessment

How it’s assessed

The course is assessed by a single online multiple choice test taken after the modules. It can be retaken as many times as you need at no extra cost.

End-of-course assessment

FormatMultiple choice
Questions20 MCQs
Pass mark80%
MarkingInstant, automated
ResitsUnlimited, free

Study details

Study time3–4 hours
Access period12 months
Delivery100% online
DeviceAny, phone, tablet, PC
CertificateInstant on passing

You can pause and resume at any point, and your progress is saved automatically. There is no time limit on the assessment itself.

Certification

Your CPD-certified certificate

AI, Data Protection and UK GDPR — CPD Certified

On passing the assessment, your CPD certified digital certificate is available to download and print immediately, with your name, the course title and the completion date. It is dated, named evidence that your staff have been trained on the data protection rules that apply to AI use, exactly the kind of record the ICO expects under the accountability principle, and a strong mitigation if an incident ever occurs. We recommend refresher training every two years, or sooner if the law or your AI toolset changes.

CPD Certified
Instant download
Supports ICO accountability
Refresher recommended every 2 years

FAQs

Questions people often ask

We already do annual GDPR training. Why do we need this as well?
General GDPR training written before generative AI does not answer the questions staff now face daily: can I paste this into a chatbot, does this tool train on our data, is this AI-generated decision lawful. This course applies data protection law specifically to AI use. If you already run our GDPR Refresher, this course slots alongside it as the AI-specific layer.
Does this cover the EU AI Act too?
It references the EU AI Act where it overlaps with data protection, but the focus of this course is UK GDPR and the Data Protection Act 2018 as they apply to AI. For the wider regulatory picture, including the AI Act risk tiers and the AI literacy duty, see our Level 3 AI Governance for Managers and Supervisors course, which pairs well with this one.
Is it up to date with the Data (Use and Access) Act 2025?
Yes. The module on automated decision-making covers the position after the Data (Use and Access) Act 2025, including the reframed rules on automated decisions and the safeguards that organisations must still provide.
How long do I get to complete it?
You have twelve months of access from the day you enrol. The material takes most people three to four hours in total, which you can spread across as many sessions as you like. Your progress is saved automatically.
What happens if I fail the assessment?
You can retake it as many times as you need at no extra cost. There is no time limit on the test itself, and you can go back through the modules before trying again. The pass mark is 80 percent.
What other training pairs well with this?
Pair this with Safe Use of AI at Work for the practical staff-level rules, and our GDPR Refresher and Cyber Security Awareness annual course for the general data protection baseline. Managers responsible for AI decisions should look at Level 3 AI Governance. Ask us about bundle pricing.
Get 10% OFF All Products!

Special Offer!

Exclusive Discount

10% OFF

Use code NCT10 at checkout

*Valid on all products. Does not include examination resits.

X
X