Athlex Explains: When AI Writes the Request, Is Your Business Ready?

The ICO has published new guidance on AI-generated FOI requests to help public authorities deal with Freedom of Information requests involving artificial intelligence.

The guidance explains that people now use AI tools to help them make information requests. As a result, some requests may look longer, more formal or more complex than before. Some may also rely on wording that does not quite fit the law.

Why this matters beyond FOI

At first, this may sound like a public sector issue.

However, private businesses should still pay attention.

If people can use AI tools to write Freedom of Information requests, they can also use them to write subject access requests, complaints, contract challenges and customer queries.

Therefore, this is not just a story about FOI.

It gives businesses a useful warning about what comes next.

People now have tools that help them ask formal questions quickly. Sometimes those questions will make sense. Sometimes they will not. Either way, businesses need to know how to respond.

Why this matters for UK businesses

Freedom of Information law applies to public authorities. Therefore, most private businesses do not need to respond to FOI requests.

However, private businesses do need to deal with data protection rights under the UK GDPR.

For example, individuals may ask for a copy of their personal data through a subject access request. Athlex has a helpful DSAR guide for SMEs that explains what these requests involve and why they can become difficult to manage.

Individuals may also ask how your business uses, shares, stores or deletes their data.

AI can make requests look more formal

Because of AI tools, those requests may now look more detailed.

They may also sound more legal than before.

That does not mean the request is correct. However, your business still needs a clear process for handling it.

In practice, your team should know:

• who deals with requests;
• how they track deadlines;
• where they can find personal data;
• when they need legal input;
• how they check whether AI tools play a role;
• how they respond clearly and fairly.

Without that structure, even a simple request can create stress.

Once stress enters the process, mistakes become more likely. Because apparently one awkward email can still ruin everyone’s afternoon.

The real risk is not the AI-generated request

AI-generated requests may feel frustrating. They may run too long. They may quote the wrong law. They may also ask for information the person cannot receive.

However, the request itself is not the main risk.

The bigger risk appears when your business cannot explain what it does with personal data.

Requests test your data protection controls

For example, a business may struggle if it cannot explain:

• what personal data it holds;
• why it holds that data;
• where teams keep it;
• who can access it;
• which suppliers process it;
• whether AI tools use it;
• how long the business keeps it;
• whether the privacy notice matches reality.

As a result, a request can quickly become more than an admin task.

It can test your data protection controls.

It can also show whether your policies match what actually happens inside the business.

If you need practical support reviewing your current position, Athlex’s GDPR consultancy services can help you assess gaps and decide what needs attention first.

AI makes transparency more important

Many businesses already use AI in everyday ways.

For example, they may use AI to:

• summarise customer emails;
• support recruitment;
• review complaints;
• analyse customer behaviour;
• support fraud checks;
• write internal notes;
• power website chatbots;
• prioritise sales leads.

Some of these uses may feel low risk.

However, personal data changes the position.

If an AI tool uses personal data, the business needs to understand what happens to that data.

That means asking clear questions.

What data does the tool use? Why does the business use it? Has the business told the person? Does a supplier help process the data? Can the supplier use the data to train the tool? Could the output affect someone?

These are not abstract legal questions.

They are practical business questions.

Increasingly, customers, staff and regulators may expect clear answers.

Automated decision-making is where AI gets serious

Some AI tools simply help teams work faster. Others go further. They may help decide who gets an interview, whether a transaction looks suspicious, what price someone is offered, or whether a customer should receive a service. At that point, AI is no longer just a helpful tool in the background. It may be influencing decisions that affect real people.

That is why automated decision-making needs special care.

The Data Use and Access Act 2025 has changed parts of the UK’s data protection rules. In simple terms, it gives organisations more flexibility to use automated systems for significant decisions. However, the ICO is clear that this flexibility depends on appropriate safeguards still being in place.

So, this is not a free pass to hand decisions to AI and walk away whistling. Where an automated decision has a legal or similarly significant effect on someone, businesses still need to think carefully about fairness, transparency and challenge. For example, people may need to be told about the decision, given a chance to challenge it, allowed to make their views known and given access to meaningful human involvement.

This matters for businesses using AI in areas such as:
* recruitment;
* fraud checks;
* lending or affordability decisions;
* customer risk scoring;
* access to services;
* pricing;
* complaints handling.

The key question is not simply:
Are we using AI?
The better question is:
Could this AI use affect someone in a meaningful way?

If the answer is yes, the business needs to slow down and check the rules before the system goes live.
That means understanding what the AI tool does, what data it uses, how decisions are made, what role humans play and how people can challenge the outcome. Because “the system recommended it” is not a data protection strategy.

It is a sentence that usually arrives shortly before someone asks for evidence. In short, AI can support better decisions. However, businesses still need to understand how those decisions are made and whether people have proper safeguards.
A human review also needs to be real. If someone simply accepts the AI output without thinking, that is not meaningful oversight. It is just automation wearing a human hat, which is less comforting than some people seem to think.

What businesses should do now

The answer is not to panic.
It is also not to ban every AI tool and pretend everyone will go back to manual spreadsheets.
Instead, businesses should take practical steps.

1. Map where AI is being used

First, find out where AI is being used across the business.
This should include obvious tools, such as chatbots and AI platforms. However, it should also include less obvious uses in HR, marketing, sales, customer service, finance and operations.
For each use, ask:
* Is personal data involved?
* What is the AI tool doing?
* Is a supplier involved?
* Is the output used to make decisions?
* Has anyone checked the data protection position?

This does not need to be complicated. However, it does need to be clear.

2. Review your privacy notices

Next, check whether your privacy notices still reflect reality. If your business uses AI in a way that affects personal data, your privacy information may need to explain this. For example, you may need to explain what data is used, why it is used, who it is shared with and what rights people have. A privacy notice should not be a dusty webpage that nobody trusts. Instead, it should be a clear explanation of what actually happens. Athlex can support businesses with practical privacy notice and compliance reviews through its data protection services.

3. Prepare for AI-assisted DSARs and complaints

Businesses should also prepare for more detailed requests and complaints. For example, people may use AI to help them ask about:
* what personal data you hold;
* how AI tools use their data;
* whether decisions are automated;
* how long information is kept;
* whether data has been shared with suppliers;
* whether they can object or challenge a decision.

In addition, AI tools may make complaints look more formal, more detailed and more legal than before. Some complaints may be valid and well explained. However, others may be based on misunderstandings, incorrect assumptions or wording copied from an AI tool without much thought behind it. As a result, your DSAR and complaint process should be easy to follow.
Your team should know what to do, who to involve and when to escalate. They should also understand how to respond clearly when a complaint is broad, unclear, abusive, repetitive or based on incorrect legal points.

That way, the business can respond properly without turning one email into a full organisational incident.

Received a data protection complaint and not sure what to do first?
Athlex has created a free Data Protection Complaints Checklist to help businesses take a calm, practical first step when a data protection complaint comes in.
The checklist helps you think through:
* what the complaint is actually about;
* whether personal data is involved;
* whether there is a potential breach;
* who needs to be involved internally;
* what evidence should be kept;
* when the issue should be escalated;
* how to avoid making the situation worse.

It is designed to help you respond clearly, quickly and with more confidence.
Ask us for your free checklist – hello@athlex.co.uk

4. Check your supplier contracts

AI suppliers can create hidden risks. Therefore, before using AI tools with personal data, businesses should check the contract position. In particular, they should understand:
* whether the supplier is a processor or controller;
* where the data is stored;
* whether the supplier uses the data to train AI models;
* which sub-processors are involved;
* what security measures apply;
* what happens if there is a breach;
* whether the supplier can support DSARs and deletion requests.

If those answers are unclear, the business may not be ready to use the tool with personal data. That may slow things down. However, it is better than discovering the issue after a complaint. If you are reviewing AI supplier terms, Athlex’s contract and clause review support can help you understand the risks before you sign.

5. Use DPIAs for higher-risk AI

Finally, businesses should complete a Data Protection Impact Assessment where AI use is likely to create higher risks. A DPIA helps identify privacy risks before a project goes live. It is especially useful where AI is used for profiling, monitoring, recruitment, fraud checks, special category data or decisions that may affect people.

A good DPIA should ask:
* Is this use of AI necessary?
* Is it fair?
* Can we explain it?
* Could it harm people?
* Are the safeguards strong enough?
* Can a human properly review the outcome?

In other words, a DPIA should not be treated as a form to complete at the end. It should help the business make better decisions from the start. Athlex provides DPIA support for businesses that need practical guidance on higher-risk processing, including AI projects.

The Athlex view: AI readiness is now part of data protection readiness

The ICO’s guidance on AI-generated FOI requests is aimed at public authorities. However, the wider message applies to many organisations. AI is changing how people ask questions. It is also changing how businesses use personal data. As a result, data protection processes need to keep up. For UK businesses, this means AI governance should not sit in a separate future project.
Instead, it should be built into everyday data protection work. That includes:
* clear records of processing;
* accurate privacy notices;
* strong supplier checks;
* practical DPIAs;
* clear DSAR processes;
* sensible human review;
* evidence of decisions;
* a clear process for handling complaints.

The businesses that manage this well will not be the ones with the longest AI strategy document. They will be the ones that can explain what they are doing, show why it is fair and respond properly when challenged. That is what builds trust. And trust is still one of the strongest data protection tools a business has. For businesses that need ongoing support, Athlex’s outsourced DPO services can help keep data protection work moving without adding pressure to already stretched teams. https://athlex.co.uk/outsourced-dpo/

Need help with AI, complaints and data protection?

Athlex helps UK businesses understand data protection in a clear and practical way. We support businesses with AI risk reviews, DPIAs, privacy notices, DSAR processes, supplier checks, complaint handling and outsourced DPO support. If your business is using AI, planning to use AI, or only just realising that your teams are already using it, now is the time to get your data protection foundations in order.

Not sure where to start with a complaint? Get our free Data Protection Complaints Checklist and get clear, practical steps for handling complaints before they escalate.

Athlex makes data protection clear, practical and built for real business decisions. Data protection made simple.