Compliance & governance

AI compliance for UK businesses: GDPR, FCA and the EU AI Act, untangled

There isn’t one AI law to follow; there are five overlapping ones. Here is what each actually asks of you, and the short checklist that satisfies all of them.

June 2026 · 8 min read

The short version

  • UK businesses using AI sit under five overlapping regimes, not one new law.
  • You don’t need to read them all; you need one register, one policy and clear data rules.
  • Get those three right and your compliance officer can sign off with confidence.

“Are we allowed to use AI?” is the wrong question. The honest answer is yes, with conditions, and those conditions come from several places at once. The good news: once you see them side by side, the work is smaller than it looks.

Which rules actually apply to us?

Most UK businesses using AI sit under some mix of these:

  • UK GDPR (ICO): anything involving personal data, including what staff paste into a chatbot.
  • FCA Consumer Duty + AI guidance: if you sell financial products to UK consumers.
  • The EU AI Act: if your AI affects people in the EU. See our plain-English guide.
  • UK AI principles: the government’s cross-sector expectations, applied by your regulator.
  • Sector rules: SRA for law, FCA for finance, CQC for care, and so on.

What GDPR means in practice

The rule of thumb: an AI tool is just another place your data goes. You still need a lawful basis, you still can’t over-collect, and you still owe people transparency. The practical risk for most firms isn’t the model; it’s a staff member pasting client data into a free tool that trains on it.

What the FCA expects

If you’re regulated, Consumer Duty doesn’t change because AI is involved. You must be able to explain how an outcome was reached, show it’s fair, and keep a human accountable. “The model decided” is not an answer the FCA accepts.

The checklist that covers all five

  1. AI register: every AI tool in use, who uses it, what data goes in.
  2. AI policy: approved tools, banned data, and when a human must review.
  3. Data rules: what may never be pasted into a public tool.
  4. Human-in-the-loop: named reviewer for anything client-facing or high-stakes.
  5. A review date: because the rules and the models keep moving.

Who should own this?

Someone senior, with the authority to say “not that tool, not that data”. In smaller firms that’s often a director wearing another hat; in others it’s a fractional Head of AI who owns governance and reports to the board. Either way, write it down and keep it current.

Compliance here isn’t about slowing AI down. It’s the thing that lets you say yes to it, safely, in front of a regulator or a client. Our 90-minute audit produces the register and policy as its first output.

Frequently asked

Is there a UK AI law?

No single one. The UK uses a principles-based approach and asks existing regulators (ICO, FCA, CMA and others) to apply current law to AI in their area. The EU AI Act may also apply to you if you affect people in the EU.

Does GDPR cover AI?

Yes. UK GDPR applies to any personal data you put into or get out of an AI tool, including prompts. Lawful basis, transparency and data minimisation all still apply.

What does the FCA expect on AI?

If you serve UK retail customers, Consumer Duty plus the FCA’s AI guidance shape how AI can affect pricing, eligibility, advice and support. You must be able to explain outcomes.

What is the simplest way to be compliant?

Keep an AI register, write a one-page AI policy, decide what data can never go into public tools, and require human review for anything client-facing. Review it as the rules change.

Want this sorted, properly?

Our 90-minute audit leaves you with a one-page action list: three things AI should be doing, what it will cost and what it will save. Keep the report either way.