UK GDPR and AI: What Your Privacy Policy Is Missing

Updated March 25, 2026

If you use AI tools that process personal data — and almost all of them do — your privacy policy needs updating. UK GDPR Articles 13-14 require you to tell users how their data is being processed, including by AI systems.

What you must disclose

- The existence of automated decision-making, including profiling (Article 22).
- Meaningful information about the logic involved.
- The significance and envisaged consequences for the data subject.

GDPR Article 22: The right not to be subject to automated decisions

Your customers have the right not to be subject to decisions that are based solely on automated processing and that significantly affect them. If your chatbot makes decisions about service eligibility, pricing, or access, you need explicit consent or a lawful basis.

How to update your privacy policy

- List every AI tool that processes personal data.
- Describe what data each tool collects.
- Explain the purpose of the processing.
- State the legal basis.
- Include opt-out instructions.
