Does AI Use Your Personal Data? What GDPR Says in 2026
Photo: Jonas Leupe / Pexels
Key takeaways
- The ICO's statutory Code of Practice on AI and automated decision-making is expected in summer 2026 after a spring consultation.
- Whether AI 'uses' your personal data depends on the tier: consumer AI tools often train on inputs, business tiers usually don't.
- The ICO's Recruitment Rewired project found widespread gaps in bias monitoring for AI hiring tools across employers surveyed.
- Personal data going into any AI tool, even for internal use, still needs a lawful basis under GDPR.
- Employers using AI in recruitment or performance review face the most immediate scrutiny under emerging guidance.
Whether AI 'uses' your personal data isn't a single yes-or-no answer. It depends on which tool, which tier, and what you typed in, and 2026 has brought new UK regulatory attention to exactly this question. The ICO has spent the year working on a statutory Code of Practice on AI and automated decision-making, and its findings from employer engagement so far are a useful reality check for any UK business using AI on staff or customer data.
The short answer: it depends on the tier
Free consumer AI tools frequently train on what you type in by default, unless you actively opt out where that option even exists, and may retain conversations for extended periods. Business and enterprise tiers of the same tools typically carry different terms: Anthropic's commercial terms state that Claude for Work and Enterprise data isn't used for training, a distinction that doesn't automatically apply to the free consumer product. The practical question isn't 'does AI use personal data' in the abstract. It's 'does this specific tool, on this specific tier, use the personal data I'm about to type into it', and that answer changes tool by tool.
What the ICO has been working on in 2026
The ICO's current strategy names generative AI, foundation models and automated decision-making among its priority areas for 2026, and in March the regulator launched a public consultation on draft guidance covering automated decision-making, including profiling, which closed in May. Final guidance is expected in summer 2026. This matters because the Data Protection Act 2018's AI and ADM Code of Practice Regulations formally require the ICO to produce authoritative guidance covering transparency, bias and discrimination, and rights and redress, moving these from best-practice suggestions to a documented standard businesses can be measured against.
The recruitment finding worth knowing about
One of the more concrete pieces of evidence to come out of the ICO's work this year is its 'Recruitment Rewired' project, which engaged more than thirty employers between March 2025 and January 2026 and found widespread gaps in how those employers monitored bias in automated hiring tools. This is a specific, evidenced finding, not a hypothetical concern, and it's directly relevant to any business using AI to screen or rank candidates: personal data is clearly involved, the decision affects someone's access to employment, and the regulator has already found most employers weren't checking for bias systematically.
What this means if you use AI on personal data
Personal data entering an AI tool, even for a purely internal task like summarising a performance review, still needs a lawful basis under GDPR, exactly as it would for any other processing. The AI element doesn't create a special exemption or a special burden on its own; it's the same data-protection principles applied to a newer tool. What's changing in 2026 is the specificity of guidance around it, particularly for automated decisions that affect people, which is why recruitment and performance-review uses deserve more attention than routine drafting tasks.
What to check now, before the final Code lands
Don't wait for the ICO's final guidance to check the basics. Confirm which tier each AI tool your business uses is actually on, since that determines whether personal data is being used to train a model you don't control. If you use AI anywhere in recruitment or performance decisions, document your lawful basis and consider a basic bias spot-check now, given the ICO's own findings on how rare that check currently is. Our AI risk assessment guide and GDPR and AI tools guide cover the specific questions to work through.
What counts as personal data in an AI prompt, specifically
It's easy to underestimate how much of what goes into an everyday AI prompt is personal data under GDPR's broad definition. A client's name and account number, a candidate's CV, an employee's performance notes, even a customer's tone of voice described in a support ticket summary, all count. The rule of thumb worth applying before pasting anything into an AI tool: if the text identifies, or could reasonably be combined with other information to identify, a living person, treat it as personal data and check the tool's terms before it goes in, rather than assuming casual internal use falls outside scope.
What UK employers specifically should watch for next
Given the ICO's recruitment findings, any employer using AI anywhere in hiring, from CV screening to interview-note summarisation, should treat that use case as the priority to review first, ahead of lower-stakes internal drafting tasks. A basic, documented check of whether an AI-assisted shortlisting process treats candidates consistently across demographic groups doesn't require statistical expertise at small-business scale; it requires someone actually looking at outcomes periodically, which the ICO's own evidence suggests most employers currently aren't doing.
The difference between personal data and anonymised data in AI use
One genuine mitigation worth knowing about: if data can be properly anonymised before it reaches an AI tool, meaning it can no longer reasonably be linked back to an individual, GDPR's obligations around that specific processing largely fall away. In practice, true anonymisation is harder to achieve than it sounds, removing a name isn't enough if account numbers, dates and locations still make someone identifiable when combined, so this isn't a shortcut to skip the checks above. But for internal analytics or aggregate reporting use cases specifically, genuine anonymisation is worth exploring as a way to use AI more freely on data that would otherwise require the full lawful-basis and vendor-vetting process.
What to expect once the ICO's Code of Practice lands
When the final Code of Practice on AI and automated decision-making is published, expect it to move from broad principles toward specific, checkable expectations, similar in spirit to how existing ICO guidance on cookies or subject access requests reads. For a business already following the basics covered here, tier awareness, documented lawful basis, and bias spot-checks for automated decisions, the final Code is likely to formalise practices you already have rather than introduce entirely new obligations from nothing. Businesses starting from zero once the Code lands will have considerably more catching up to do than those who used 2026 to get ahead of it.
A note on trust, not just compliance
It's worth remembering the underlying reason any of this matters beyond a regulator's checklist: customers and employees increasingly notice, and care, when a business handles their personal data casually with a new technology rather than deliberately. A short, honest answer to 'does your AI tool use my data' tends to build more goodwill than most businesses expect, and it costs nothing beyond having actually checked the answer before someone asks. Treat that conversation as an opportunity to demonstrate care, not just an obligation to survive.
Where to check the terms yourself
Rather than trusting a summary, including this one, on a decision this specific, go directly to your AI vendor's privacy centre or data processing terms and search for the words 'training' and 'retention'. Most major vendors publish this information clearly once you know where to look, and a five-minute direct check gives you a more current and specific answer than any general article, since terms genuinely do change and a summary written months ago may already be slightly out of date by the time you read it.
| Free / consumer tier | Business / enterprise tier | |
|---|---|---|
| Trains on your input by default | Often yes, unless opted out | Usually no, per commercial terms |
| Data processing agreement available | Rarely | Typically yes |
| Suitable for personal data processing | Case by case, check terms first | More often suitable, still verify |
“People must be able to trust that organisations are using AI and automated decision-making systems fairly, transparently and in ways that respect their rights.”