34 Accepted

Ensure AI deployers balance privacy protection with the technology's potential benefits

Conclusion
Regulators and deployers should ensure that the right balance is maintained between the protection of privacy and pursuing the potential benefits of AI. Determining this balance will depend on the context in which the technology is being deployed, with reference to the relevant laws and regulations.
Government Response Summary
The government states that existing principles-based data protection law (UK GDPR) already allows for striking the right balance between privacy and AI benefits. It details the Information Commissioner’s Office’s (ICO) role, existing guidance, and enforcement powers in this area, including requirements for data protection by design.
Paragraph Reference
145
Government Response
Accepted
HM Government Accepted
principles at each stage of the AI lifecycle when using personal data. These principles include, but are not limited to, accuracy, transparency, purpose limitation, data minimisation, confidentiality, and accountability. This means organisations must evaluate the risks to individuals, inform them of their rights arising from specific contexts, and put relevant safeguards in place. The principles-based and context-specific nature of data protection law allows for striking the right balance between protecting privacy and benefiting from what new technologies have to offer.
The Information Commissioner’s Office (ICO), the UK’s independent data protection regulator, plays an important role in the regulation of AI models, which are generally trained on high volumes of data – often including personal data. The ICO monitors the effects of AI on people and society using sources including its own casework, stakeholder engagement and wider intelligence gathering. The ICO has already published guidance and resources on AI and data protection law, including an AI toolkit to help organisations identify and mitigate risks, and recently conducted a consultation series on how aspects of data protection law should apply to the development and use of generative AI models.
As outlined by ICO guidance, the UK GDPR requires organisations to put in place appropriate technical and organisational measures to implement the data protection principles effectively. This is known as data protection by design and by default and is applicable to AI systems processing personal data. The data protection framework also allows the ICO to carry out consensual audits to assess whether controllers or processors are complying with good practice in the processing of personal data.
Further, the ICO has a range of enforcement powers available against data protection breaches such as serving an assessment notice when carrying out investigations to help understand how organisations use and store data, through to enforcement notices or penalty notices.
Government response to Committee conclusions and recommendations 36 and 37
Addressee Bodies
Department for Science, Innovation and Technology
Timeline
Recommendation age 2.0 yrs
Report published 28 May 2024