ICO report on data protection implications of agentic AI (Artificial Intelligence)
What has the Information Commissioner’s Office said about agentic AI?
The Information Commissioner’s Office (ICO) has recently published a report highlighting the potential data risks and opportunities associated with using agentic AI. The report outlines how the ICO intends to keep agentic AI’s development and use under review.
Agentic AI systems can independently set goals and execute complex tasks with minimal human intervention. The rapidly expanding potential uses of agentic AI mean these systems are increasingly attractive to businesses looking to make efficiencies. The ICO emphasises that, 'as developing agentic AI increases the potential for automation, organisations remain responsible for data protection compliance of the agentic AI they develop, deploy or integrate in their systems and processes'.
Click here to access the ICO’s full report.
What are the risks of agentic AI businesses should be aware of?
The ICO’s report highlights novel agentic AI data protection risks (considering the pace of development since its recent consultation series on generative AI), which include:
- Issues around determining controller and processor responsibilities through the agentic AI supply chain;
- Rapid automation of increasingly complex tasks resulting in an increase in automated decision-making;
- Purposes for agentic processing of personal information being set too broadly to allow for open-ended tasks and general purpose agents;
- Agentic systems processing personal information beyond what is necessary to achieve instructions or aims;
- Potential unintended use or inference of special category data;
- Increased complexity impacting transparency and the ease with which people can exercise their information rights;
- New threats to cyber-security resulting from the nature of agentic AI; and
- Concentration of personal information facilitating Personal Agents (PAs).
All businesses considering deploying agentic AI must be aware that they are exposed to these risks.
What can businesses do to mitigate the risk of data breaches?
The ICO is not disincentivising the use of agentic AI. Rather, it states that it exists to ‘encourage and support data protection-focused opportunities’. The ICO’s intention is to clearly set out the risks of agentic AI’s use, along with the need for pause and detailed consideration by organisations before adopting such systems (privacy by design).
The ICO will continue to review the use and development of agentic AI to ensure that innovation is not at the expense of people’s privacy.
Until further regulatory guidance is published, organisations may look to the ICO’s innovation support services, such as Innovation Advice and the ICO’s Regulatory Sandbox, for further information and guidance
In summary, organisations must guard against overreliance on agentic AI. They must adopt a privacy-by-design approach to be confident that the associated risks are fully assessed and mitigated - both prior to use, and on an ongoing basis.
Looking to prepare and need a helping hand?
Get in touch and let our Data Protection specialists take it from here.
Meet your Data Protection experts.
Please be advised that this is an update which we think may be of general interest to our wider client base. The insights are not intended to be exhaustive or targeted at specific sectors as such, and whilst we naturally take every care in putting our articles together, they should not be considered a substitute for obtaining proper legal advice on key issues which your business may face.