Why AI Cybersecurity Is Now a GDPR Compliance Issue 

When most people think about GDPR, they think about cookie notices, consent forms, and privacy policies. Cybersecurity might feel like a separate concern, something that belongs to the IT department rather than the compliance team. But the two are more closely linked than many organisations realise, and a warning published by the Information Commissioner's Office in May 2026 serves as a timely reminder of why.

The ICO has warned that cyber criminals are increasingly using artificial intelligence to carry out attacks that are faster, more sophisticated, and harder to detect than those of just a few years ago. AI-generated phishing emails can now convincingly mimic the tone and format of legitimate communications. Automated tools can scan for vulnerabilities at a scale and speed that human attackers cannot match. For organisations that hold personal data, which is practically every business, these developments are a data protection risk.

What Does GDPR Require When It Comes to Security?

Under UK GDPR, organisations that process personal data are required to implement appropriate technical and organisational measures to protect it. This covers accidental or unlawful destruction, loss, alteration, unauthorised disclosure, and unauthorised access. It is known as the security principle, and it applies to every organisation that handles personal data, regardless of size or sector.

The word "appropriate" is important here. It does not mean perfect, and it does not demand the same level of investment from a small charity as from a major bank. What it does mean is that the measures in place must be proportionate to the nature of the data you hold, the risks involved, and the current threat environment. As that environment changes, and AI is changing it materially, what counts as appropriate needs to be regularly reassessed.

Why AI-Powered Threats Change the Calculation

Phishing has always been one of the most effective methods for gaining unauthorised access to systems and data, but AI has made it significantly more dangerous. Traditional phishing emails were often straightforward to identify, as they often had generic greetings, odd phrasing, and implausible requests. AI-generated phishing can now be personalised, fluent, and tailored specifically to the organisation or individual being targeted, making it much harder for staff to spot and resist.

At the same time, automated vulnerability scanning means that weaknesses in systems can be identified and exploited far more quickly than before. An organisation that previously had days or weeks to identify and patch a vulnerability may now find that window has significantly narrowed.

The ICO's guidance identifies five practical steps organisations can take to protect against AI-powered threats, covering both the technical controls that reduce the risk of an attack succeeding and the procedural measures that limit the damage if one does.

What Practical Steps Should Organisations Take?

Multi-factor authentication, or MFA, is one of the most effective controls available and remains underused in many organisations. Requiring a second form of verification before granting system access means that stolen or guessed passwords alone are not sufficient for an attacker to get in. The National Cyber Security Centre has consistently highlighted MFA as a foundational security measure, particularly for systems that hold personal data.

Staff awareness training is equally important. If employees cannot identify a phishing email or do not know what to do when something looks suspicious, even strong technical controls can be bypassed. Training should be regular, practical, and updated to reflect how attackers are currently operating. In 2026, that means including AI-generated threats in what staff are taught to recognise.

Access controls matter too. Limiting who can reach which systems and data means that if one account is compromised, the damage can be contained. Reviewing access privileges regularly, and removing them when they are no longer needed, is straightforward but frequently overlooked.

Having a documented and tested incident response plan is also essential. The ICO requires organisations to notify a reportable breach within 72 hours of becoming aware of it. That is a short window. Knowing in advance who is responsible for assessing an incident, who makes the decision to notify the regulator, and what information needs to be gathered is the difference between a managed response and a chaotic one.

What Happens if an Organisation Fails to Take This Seriously?

The ICO takes security failures seriously. Organisations that experience a breach because they failed to implement adequate security measures risk regulatory investigation and, in serious cases, enforcement action and fines. The connection between cybersecurity and GDPR compliance is direct: a breach that results from foreseeable security failures is, in many cases, also a data protection failure.

This does not mean that every organisation that suffers an attack will face enforcement. Regulators recognise that no system is entirely immune to determined attackers. What they are examining is whether the organisation took reasonable steps to protect the personal data it holds, and whether it responded appropriately when something went wrong.

If your organisation has not recently reviewed its cybersecurity measures in light of the growing use of AI in attacks, the ICO's May 2026 guidance is a practical starting point. If you have questions about what your GDPR security obligations require in your specific circumstances, seeking specialist legal advice will help you put the right framework in place before a problem arises rather than in response to one.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you, get in contact with us today for more information.

Next
Next

EU AI Act: Where Things Stand in May 2026