AI Data Governance & Privacy Management Policy

Zen AI Governance — Knowledge Base | EU/UK alignment | Updated 10 Nov 2025 | www.zenaigovernance.com

Key takeaways
  • AI data must be lawfully collected, accurate, and fit for purpose.
  • Privacy and fairness principles apply throughout the AI lifecycle — from training data to inference logs.
  • All data flows are documented and auditable within the AIMS evidence register.

Overview & objectives

This policy defines the principles and controls for managing AI data responsibly and lawfully. It ensures compliance with ISO/IEC 42001, GDPR, and the EU AI Act, focusing on accuracy, minimisation, traceability, and data subject rights.

Core data governance principles

  • Lawfulness & fairness: Data used only under a valid legal basis and for declared purposes.
  • Data minimisation: Use only the minimum necessary data for AI training or operation.
  • Accuracy: Maintain data quality through validation and periodic review.
  • Transparency: Communicate data use clearly to stakeholders and users.
  • Security & confidentiality: Protect data against unauthorised access or alteration.
  • Accountability: Maintain records of data processing decisions and audits.

Data quality & provenance controls

  • Data sources verified for integrity and licensing terms.
  • Bias and representativeness tests performed before training.
  • Provenance metadata (document source, owner, timestamp) stored with dataset.
  • Data quality KPIs defined: completeness > 95%, error rate < 2%, update frequency per policy.
  • Non-conforming data quarantined pending review by Oversight Officer.
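The KPI thresholds above (completeness above 95%, error rate below 2%) and the quarantine rule can be enforced as a gate that runs before a dataset is released for training. The following is an added example, not code from Zen AI Governance; the record schema (`ticket_id`, `text`, `resolved`), the residual-PII check for unredacted e-mail addresses, and the sample records are constructed assumptions for illustration.

```python
"""Data quality KPI gate for AI training datasets (added example).

Assesses completeness and error rate against the policy thresholds and
quarantines any dataset that fails, carrying provenance metadata with the
result so the decision can be filed in an evidence register.
"""
import re
from dataclasses import dataclass, field

MIN_COMPLETENESS = 0.95   # policy KPI: completeness must exceed 95%
MAX_ERROR_RATE = 0.02     # policy KPI: error rate must be below 2%

# Assumed record schema for an anonymised support-ticket corpus.
REQUIRED_FIELDS = ("ticket_id", "text", "resolved")
# Assumed residual-PII check: an unredacted e-mail address counts as an error.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Provenance:
    source: str      # e.g. "Support Tickets 2024 Q1-Q2"
    owner: str
    timestamp: str   # ISO-8601 timestamp of the assessment


@dataclass
class QualityReport:
    dataset_id: str
    completeness: float
    error_rate: float
    quarantined: bool
    provenance: Provenance
    reasons: list = field(default_factory=list)


def record_completeness(record: dict) -> float:
    """Fraction of required fields that are present and non-empty."""
    populated = sum(1 for f in REQUIRED_FIELDS if record.get(f) not in (None, ""))
    return populated / len(REQUIRED_FIELDS)


def record_has_error(record: dict) -> bool:
    """Format/type checks on populated fields only; missing fields are a
    completeness problem, not an error, so the two KPIs stay independent."""
    tid = record.get("ticket_id")
    if tid not in (None, "") and not (isinstance(tid, str) and tid.isdigit()):
        return True
    resolved = record.get("resolved")
    if resolved is not None and not isinstance(resolved, bool):
        return True
    text = record.get("text")
    if text not in (None, "") and (not isinstance(text, str) or EMAIL_RE.search(text)):
        return True
    return False


def assess_dataset(dataset_id: str, records: list, provenance: Provenance) -> QualityReport:
    """Compute the KPIs and quarantine the dataset if either threshold fails."""
    if not records:
        return QualityReport(dataset_id, 0.0, 1.0, True, provenance, ["empty dataset"])
    completeness = sum(record_completeness(r) for r in records) / len(records)
    error_rate = sum(1 for r in records if record_has_error(r)) / len(records)
    reasons = []
    if completeness <= MIN_COMPLETENESS:
        reasons.append(f"completeness {completeness:.1%} not above {MIN_COMPLETENESS:.0%}")
    if error_rate >= MAX_ERROR_RATE:
        reasons.append(f"error rate {error_rate:.1%} not below {MAX_ERROR_RATE:.0%}")
    return QualityReport(dataset_id, completeness, error_rate, bool(reasons), provenance, reasons)


# Constructed sample data (not real tickets).
SAMPLE_PROVENANCE = Provenance("Support Tickets 2024 Q1-Q2 (constructed)",
                               "Model Owner", "2025-11-10T00:00:00Z")
GOOD_RECORDS = [{"ticket_id": str(1000 + i), "text": f"Issue {i} resolved after reboot",
                 "resolved": True} for i in range(100)]
BAD_RECORDS = GOOD_RECORDS[:97] + [
    {"ticket_id": "", "text": "missing id", "resolved": True},                       # incomplete
    {"ticket_id": "2001", "text": "contact alice@example.com", "resolved": False},  # residual PII
    {"ticket_id": "2002", "text": "bad flag", "resolved": "yes"},                    # type error
]

if __name__ == "__main__":
    for ds_id, recs in (("AI-DATA-EXAMPLE-1", GOOD_RECORDS), ("AI-DATA-EXAMPLE-2", BAD_RECORDS)):
        report = assess_dataset(ds_id, recs, SAMPLE_PROVENANCE)
        status = "QUARANTINED" if report.quarantined else "accepted"
        print(f"{ds_id}: {status} completeness={report.completeness:.1%} "
              f"error_rate={report.error_rate:.1%} {report.reasons}")
```

The second sample dataset has exactly 2 errors in 100 records; because the KPI is "error rate below 2%", a rate of exactly 2% fails the gate and the dataset is quarantined for review, while the one incomplete record leaves completeness at 99.7% and passes. Keeping the two checks independent means a reviewer can see which control failed rather than a single combined score.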

Lawful basis & privacy framework

  • Personal data processed only under one of the UK GDPR Art 6 legal bases (e.g., consent, legitimate interest, contract).
  • Special category data requires explicit consent and Article 9 conditions.
  • DPIAs conducted for all high-risk AI processing activities.
  • All AI datasets classified by sensitivity (Public / Internal / Restricted).
  • Privacy notices link to specific AI uses (Art 13 & 14 compliance).

Data subject rights & transparency

  • Provide mechanisms to exercise rights of access, rectification, erasure, and objection within one month.
  • Implement AI-specific rights to human review and explanation (Art 22 GDPR).
  • Publish Transparency Statement detailing AI data sources and uses.
  • Record all DSR requests and responses in AIMS Evidence Register.

Data security & access controls

  • Data encrypted in transit (TLS 1.3 minimum) and at rest (AES-256 minimum).
  • Access granted on least-privilege basis and reviewed quarterly.
  • Audit logs retained ≥ 1 year for all AI data access and modifications.
  • Incident response linked to AI CAPA and Security Operations Center playbook.
  • Third-party processors must meet the same security standards and be audited annually.

Retention, deletion & archiving

  • Retention periods defined by data type and purpose (see Retention Schedule Table).
  • Model training datasets re-evaluated annually for relevance and bias.
  • Secure deletion methods verified (DoD 5220.22-M or equivalent).
  • Archived data encrypted and accessible only to Compliance Lead.
  • Deletion records logged and linked to AIMS evidence entry.

Oversight & accountability

  • Data Protection Officer (DPO) responsible for policy implementation and monitoring.
  • Compliance Lead reviews quarterly data quality and privacy metrics.
  • Findings reported to AI Governance Board and included in Management Review.
  • Training and awareness programs mandatory for staff handling AI data.

Templates & examples

Example — AI Data Register Entry

Dataset ID: AI-DATA-047
Name: ChatBot Training Corpus V2
Purpose: Fine-tuning response model for support chatbot
Data Type: Text logs (no PII after anonymisation)
Source: Support Tickets 2024 Q1–Q2
Retention: 2 years | Deletion due: Mar 2026
Lawful Basis: Legitimate interest | Risk Level: Low
Owner: Model Owner / Compliance Lead validated
Status: Active ✅

Implementation checklist

  • Data Governance & Privacy Policy approved and published.
  • Data Register maintained and reviewed quarterly.
  • DPIAs conducted for all high-risk AI processing activities.
  • Access controls, retention, and deletion tested and documented.
  • Evidence archived for audit and regulator inspection.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 10 Nov 2025 • This page is general guidance, not legal advice.