A practical guide to updating Privacy Notices for AI

As organisations embed AI into everyday business processes, meeting transparency obligations is becoming more complex. Where AI systems use personal dataInformation which relates to an identified or identifiable natural person., Privacy Notices are expected to explain not just what data is processed, but how AI is involved and what that means for individuals. 

This shift is driven by emerging AI regulation. Whilst the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR) requires organisations to provide clear and accessible information about how personal data is used, the EU AI ActThe EU Artificial Intelligence Act was approved by the EU Council on 21 March 2024. A world-first comprehensive AI law, intended to harmonise rules for the development, deployment, and use of artificial intelligence systems across the EU. introduces additional requirements around making AI systems visible, understandable, and subject to appropriate human oversight. Together, these frameworks are reshaping what meaningful transparency looks like when AI is involved. 

In this blog, we look at the key areas that should be covered when updating a Privacy NoticeA clear, open and honest explanation of how an organisation processes personal data. to reflect AI-driven personal data processing. The sections below link to each core topic and will help you assess whether your existing Privacy Notice clearly explains how AI is used, how personal data is affected, and what this means for individuals.   

• Where and why you use AI 
• What personal data AI uses and generates 
• How personal data is shared for AI processing 
• How personal data is used to train or improve AI 
• AI-supported and automated decision-making 
• How data protection user rights apply when AI is used 
• AI risks, limitations, and safe​guards 
• Transparency requirements under the EU A​I Act 
• Making AI information easy to understand 
• Keeping your Privacy Notice updated 

Read our earlier blog for an overview of the core requirements of a GDPR-compliant Privacy Notice. 

What to include when updating your Privacy Notice to cover AI use 

1. Where and why you use AI

Clearly explain when AI systems are used to processA series of actions or steps taken in order to achieve a particular end. personal data or generate information about identifiable individuals. This goes beyond vague references to ‘automated tools’ and requires transparency about where and how AI is used. 

Include: 

• What AI systems are used, including third-party or embedded AI tools 
• Why AI is used, such as decision support, monitoring, or content generation about individuals 
• How AI is integrated into business processes like recruitment or customer support 
• Where individuals interact with AI, including when they receive AI-generated outputs 
• How AI outputs are used in practice, including whether they are acted on automatically or reviewed by a human before decisions are made 

Being clear about where AI is involved helps individuals understand when technology, rather than a human alone, is influencing decisions or outcomes that affect them.  

In some cases, meaningful human review is not only good practice but a legal requirement, particularly where AI supports or enables automated decision-making with significant effects on individuals. For example, where AI  is used to assess a loan or finance application and the outcome is a refusal, individuals should be able to request a human review of that decision. 

2. What personal data AI uses and generates 

AI systems may analyse data in new ways or generate new information about individuals. Privacy Notices should therefore explain how personal data is used by AI systems, not just that it is processed. 

This includes defining: 

• What categories of personal data are used by AI systems 
• What data is used for training AI systems 
• Whether data is used in real-time decision-making or analysed to identify patterns, trends, or predictions 
• Whether special category dataTypes of personal data listed in Article 9(1) GDPR that are considered sensitive and thus require extra protection. Article 9(1) lists data relating to: • racial or ethnic origin • political opinions • religious or philosophical beliefs • trade union membership • genetic data • biometric data • health • sex life • sexual orientation Where these types of personal... is involved directly or indirectly, including through inference 

Where AI systems generate new data about individuals, such as scores, predictions, risk profiles, or behavioural inferences, this should be made clear. These outputs can still constitute personal data and may have significant impacts on individuals. 

Where AI introduces a new way of processing existing data or changes the scale or nature of that processing, this must trigger a review and update to existing Privacy Notices to reflect how personal data is actually used.  

3. How personal data is shared for AI processing 

AI-related data sharing should be clearly distinguished from generic third-party disclosures. This helps individuals understand when their data moves outside an organisation’s direct control and into model-driven environments. 

A Privacy Notice should answer the following questions: 

• Is personal data shared with external AI vendors or cloud-based AI platforms?
  If yes, explain the type of provider involved, why personal data is shared, and whether the provider acts only on the organisation’s behalf.
• Are foundation models or large language models (LLMs) involved?
  If yes, state whether personal data is submitted to a general-purpose model, whether it is hosted internally or by a third-party, and whether data is used solely to generate outputs or also to improve the model.
• Does personal data leave the organisation’s environment?
  If yes, explain whether data is processed or stored outside the UK or EU, the regions involved, and high-level safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... in place. 

4. How personal data is used to train or improve AI

The use of personal data for AI training is one of the most sensitive and frequently misunderstood areas of AI transparency. Individuals are often unaware that their data could be used to improve or refine AI systems beyond the immediate service they receive. 

A Privacy Notice should clearly explain where personal data is used to train or improve AI systems. This includes setting out whether training data is anonymisedAnonymised refers to data that has undergone a process of transformation to remove or alter personal data in such a way that individuals can no longer be identified from it, and it is impossible for that process to be reversed and the data to be re-identified. Anonymised data is considered non-personal and falls outside the scope of the GDPR., pseudonymised, or identifiable, and whether training takes place as a one-off activity or on an ongoing basis as systems evolve. 

Tip: Even where personal data is not used for AI training, explicitly stating this can help build trust and reduce uncertainty. 

5. AI-supported and automated decision-making

Where AI systems make decisions that significantly affect individuals, specific transparency and rights obligations apply under GDPR Article 22. 

If AI is used to make decisions about people, a Privacy Notice should explain whether those decisions are fully automated or supported by AI, whether they have a meaningful impact on individuals, and what level of human oversight or review is in place. 

Where Article 22 applies, individuals must be clearly informed how they can: 

• Object to AI-driven processing 
• Request human review 
• Express their views and contest decisions 
• Opt out of certain forms of automated decision-making, where applicable 

6. How data protection user rights apply when AI is used

AI does not remove data protection rights, but it can change how those rights work in practice. Unlike traditional systems, AI can generate inferences, predictions, and model-driven outputs that are not always fixed, directly editable, or easily isolated from wider systems. 

For organisations, this creates a challenge: how to be honest about these limits without undermining individuals’ rights. For individuals, it can be difficult to understand what exercising a right will realistically achieve. 

A well-written Privacy Notice helps bridge this gap. It should explain how rights apply in an AI context, including: 

• What access means where AI is involved 
• The limits of rectification where data is inferred or probabilistic 
• What erasure means once data has influenced a model 
• How objections to AI-driven processing are handled 

Being transparent about these practical realities, rather than overstating control, helps manage expectations, reduces complaints, and supports more constructive engagement when individuals exercise their rights. 

7. AI risks, limitations, and safeguards

AI systems are not infallible. They can produce inaccurate results, reflect bias in training data, or change over time in ways that are not immediately obvious. Being transparent about these limits helps individuals understand how AI affects them and helps organisations demonstrate responsible use. 

Whilst not always legally required, it is increasingly expected that a Privacy Notice will: 

• Acknowledge that AI outputs may be inaccurate or biased 
• Explain the steps taken to monitor accuracyIn data protection terms, the concept of ensuring data is not incorrect or misleading., fairness, and potential misuse 
• Clarify how AI systems are reviewed and updated as they evolve 
• Explain how to contest an AI-based decision 

8. Transparency requirements under the EU AI Act

For organisations directly in scope of the EU AI Act, there are additional, legally binding transparency obligations that sit alongside the broader principles outlined above.  

For AI systems that directly interact with individuals, organisations must: 

• Clearly inform individuals when they are interacting with an AI system, rather than a human, so the nature of the interaction is not misleading or obscured 
• Ensure AI-generated or manipulated content is clearly identified as artificial, including synthetic text, audio, or video (such as ‘deepfakes’), in a way that is understandable to people and machine readable 

For high-risk AI systems, these obligations form part of a wider and more prescriptive compliance frameworkA series of policies, procedures, actions plans etc. detailing an organisation's compliance with any relevant laws, Codes of Practice etc., and organisations should consider seeking specialist advice to ensure full alignment with the AI Act. 

Making AI information easy to understand

AI systems can be difficult to understand, particularly when organisations rely on technical terminology. A well-written Privacy Notice should help individuals easily understand when AI is used, what it does, and how it may influence outcomes. 

In practice, this means: 

• Using plain language
  Explain AI use in clear, straightforward terms. Avoid technical jargon, internal system names, or model labels that have little meaning outside the organisation. 
• Provide examples
  Use simple, relevant examples to illustrate how AI processes personal data or supports decisions, helping readers understand what this means in real-world situations.
• Make AI information easy to find
  Structure the Privacy Notice so AI-related disclosures are clearly signposted and not buried within generic processing descriptions. 

Keeping your Privacy Notice updated

AI systems can evolve faster than traditional processing activities. Models may be retrained, updated, or repurposed over time, and new use cases can emerge as organisations scale or adopt new tools. When Privacy Notices are not kept up to date with these changes, transparency information may quickly fall behind reality. 

Organisations should regularly review AI-related disclosures to ensure Privacy Notices accurately reflect how AI is used in practice, particularly where changes affect individuals’ rights or expectations. This can help support trust and demonstrates accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. as AI use evolves. 

The DPO Centre helps organisations establish clear and effective AI governanceThe framework of policies, processes, and roles that ensure Artificial Intelligence (AI) is developed and used responsibly, ethically, and in compliance with applicable laws, societal expectations, and corporate values. , enabling confident and accountable use of AI systems. Contact us to find out more about our AI services.

In case you missed it…

• Data protection & AI governance 2025-2026 
• AI Officer vs DPO: Defining roles in AI governance 
• AI Impact Assessments: What are they and why do you need one?