2024-07-15
The ICO's AI guidance - a practical summary for charities
If your charity uses AI with personal data, you have legal obligations under UK GDPR. Not guidelines. Not best practice. Here's what the ICO's guidance means for common charity use cases.
The ICO has been publishing guidance on AI and data protection through 2023 and 2024 (their strategic approach to regulating AI is worth reading), and most charities haven't read it. That's understandable. ICO guidance is long, written for a general audience, and doesn't tell you what it means for a charity running on Salesforce with a fundraising team that's just started using ChatGPT. It also updates frequently, so what's current now may shift.
This is boring stuff. We know. But it's not stuff to glaze over or try to save time on. Getting data protection right when you use AI is an act of respect for the people who've shared data with your charity. It matters for them and it matters for your reputation. We're strong advocates for trying things with AI, but not at the expense of getting this wrong.
This post translates the ICO's guidance into what it means for common charity AI use cases.
The legal requirements
You need a lawful basis for processing personal data through AI. This is the same requirement as any data processing under UK GDPR. If you're feeding beneficiary data into an AI tool to analyse patterns, you need a lawful basis. For most charities, this will be legitimate interest (with a proper balancing test) or, in some cases, consent.
Significant AI deployments involving personal data need a Data Protection Impact Assessment (DPIA). If you're using AI to make or support decisions about people, such as prioritising service users, segmenting donors, or triaging enquiries, you should be doing a DPIA. This doesn't need to be a 50-page document. It needs to honestly assess the risks to the people whose data you're processing and explain how you're mitigating them.
You must be transparent about AI use. If AI is involved in decisions affecting people, those people should know. This applies to beneficiaries, service users, donors, and staff. Your privacy notice should cover it. If you're using AI chatbots, people should know they're talking to AI.
Special category data needs extra care. Health data, ethnicity, religion, political opinions, sexual orientation: these need an Article 9 condition to process. Many charities handle exactly this kind of data. Processing it through AI tools raises the bar significantly.
How this applies to charity work
Using ChatGPT or Claude to draft fundraising emails: if you're typing in "write me a fundraising email about our winter appeal" with no personal data, you're fine. If you're pasting in donor names and giving histories to get personalised drafts, you're processing personal data through a third-party tool and need to think about lawful basis, data processing agreements, and whether that tool's terms allow it.
Analysing beneficiary feedback: if the feedback is anonymised, the data protection requirements are minimal. If it contains personal data (names, case references, health details), you need a lawful basis, and you need to ensure the AI tool you're using has appropriate data processing terms. Most free-tier AI tools do not.
AI-assisted donor segmentation is a form of profiling under UK GDPR. The ICO's guidance on profiling for fundraising applies. You need a lawful basis (usually legitimate interest), a balancing test, and a privacy notice that tells donors you're doing it. Website chatbots that collect personal data need informed consent and a path to human intervention. AI in recruitment requires human oversight and transparency with candidates.
The practical starting point
Separate your AI use cases by whether they involve personal data or not. Most charity AI use doesn't (drafting communications, summarising public documents). For those, carry on.
For the ones that do involve personal data, start with an audit. Make a list of where your organisation uses AI tools and whether personal data is involved. A spreadsheet with columns for "tool," "data involved," "lawful basis," and "DPIA needed?" is sufficient. Check whether your agreement with each provider covers AI data processing. Enterprise versions of tools like ChatGPT and Microsoft Copilot typically include data processing terms. Free tiers often don't.
Update your privacy notices if you're using AI in ways that affect people. You don't need technical detail. Something like "We use AI tools to help analyse feedback and improve our services" is a start. And make sure staff understand what data they can and cannot put into AI tools. "Don't put personal data into ChatGPT" is a reasonable starting point, but your team also needs to understand why, and what the alternatives are when they need to process personal data.
The ICO's guidance isn't asking charities to do anything unreasonable. It's asking them to apply the same data protection principles to AI that they already apply to everything else. The challenge is that pasting a case file into ChatGPT takes three seconds and feels like using a search engine. It isn't. It's sharing personal data with a third party. The ICO isn't looking to punish charities for experimenting with AI, but they will expect you to have thought about data protection before you started.