AI is moving quickly across tertiary education. Colleges and universities are exploring how it can support teaching, improve services, widen access, and streamline operations. At the same time, leaders are dealing with genuine concerns about academic integrity, fairness, accuracy, data security, and public trust.
Most institutions are still developing their approach to AI governance. The good news is that they do not need to start from scratch. The General Data Protection Regulation (GDPR) already provides a strong, rights-based governance structure that can be adapted for many aspects of AI governance. It offers principles, processes, and a culture of accountability that fits the realities of both FE and HE.
This blog sets out how tertiary education can use the GDPR as a key element of responsible AI governance, and why doing so allows institutions to act now with confidence.
Why governance matters for AI
Governance is not about slowing innovation. It is about creating the conditions for safe and purposeful use of AI. Strong governance helps institutions:
- Protect academic integrity.
- Support safe experimentation with new tools.
- Reduce legal, ethical, and reputational risk.
- Promote fairness and accessibility.
- Respond quickly as technology evolves.
Tertiary education does not need complex or heavy systems to achieve this. It needs clear expectations, simple processes, and a shared language. GDPR already offers this structure for many key areas, including risk assessment, transparency, roles and responsibilities, data protection, and accountability.
A principle-based model that fits tertiary education
The UK’s light approach to AI regulation means institutions must set their own direction, aligned with relevant regulators, for example the ICO, the Office for Students, and the devolved nations’ regulators. A small set of clear, firm principles helps colleges and universities make consistent decisions and manage risk. In this post we’ll focus on the education space rather than research:
- Pedagogy and learning first
- Appropriateness and proportionality
- Clarity of purpose
- Transparency
- Accountability
- Accessibility, fairness and inclusion
- Privacy and security
- Adaptability
These principles mirror the structure of GDPR. They focus on rights, risk, and purpose, which are exactly the elements needed to govern AI use across both academic and operational contexts.
GDPR is a ready-made model to support AI governance
GDPR is often seen as a compliance requirement. In practice it is a mature governance framework designed to balance innovation and accountability. Its influence can be seen in most major international AI governance models, including the UK White Paper, OECD guidance, UNESCO recommendations, and the EU AI Act.
The EU AI Act is a good example. It uses a risk-based approach and focuses on transparency, accountability, documentation, and human oversight. This is very similar to the way GDPR treats higher-risk data processing. It emphasises things like consent, transparency, explainability, and fairness; it gives individuals rights and forces organisations to be accountable.
A central challenge in AI governance is finding the right balance: protecting people while enabling responsible innovation. GDPR offers a helpful precedent. It shows that clear, rights-based rules can coexist with technological progress by providing predictable principles, proportionate safeguards, and a mature framework for accountability. Institutions can build on this approach as they shape governance for AI.
Mapping GDPR principles to key aspects of AI governance
GDPR principles can inform many core elements of AI governance across both FE and HE.
Lawfulness, fairness, transparency
Make AI use visible and understandable. Publish clear guidance, transparency statements, and named responsibilities.
Purpose limitation
Define each AI use case and prevent silent repurposing. A feedback tool should not quietly become a profiling tool for admissions or learner support.
Data minimisation
Use only the data that is required. Avoid feeding personal or sensitive data into AI systems unless necessary and clearly justified.
Accuracy
Monitor AI outputs for reliability. This matters in assessment, feedback, pastoral decisions, and operational workflows.
Storage limitation
Set retention rules for training data, model versions, and outputs that involve personal data.
Integrity and confidentiality
Apply existing information security standards to AI systems and datasets.
Accountability
Maintain an AI system register, complete impact assessments, and document decisions.
Extending GDPR rights to AI use
GDPR rights give students and learners strong protections. These can be extended to AI.
Right to access
People should know when AI has influenced an outcome or recommendation.
Right to rectification
Errors caused by AI should be open to challenge and correction.
Right to erasure
If personal data is removed from systems, it should also be removed from training data where technically possible.
Right to object
Staff, learners, and students should be able to opt out of AI-assisted processes in sensitive areas such as HR, disciplinary decisions, or certain assessments.
Protection from automated decisions
High-stakes decisions must always involve meaningful human oversight.
Using existing GDPR tools to govern AI
Colleges and universities already have mature GDPR processes and structures:
- A Data Protection Officer
- DPIA templates and workflows
- Records of Processing Activities
- Procedures for handling rights requests
- Regular training and audit cycles
These can be extended with minimal effort:
DPIAs
Adapt templates to include fairness, explainability, bias, and system-level risks linked to AI.
ROPA
Create a central register of AI tools, use cases, and data flows.
Rights processes
Allow learners, students, and staff to challenge AI-influenced outcomes.
Training
Update GDPR training to include AI risks and acceptable use, particularly around data.
Why this approach works for the whole sector
Using GDPR as a foundation gives tertiary education:
- A proven, rights-based model
- Consistency across colleges and universities
- A governance approach that is already enforceable and auditable
- A scalable foundation for future AI regulation
- A shared language for academic, digital, safeguarding, and compliance teams
This is a practical way for institutions to act now without waiting for national legislation.
What’s not covered
Whilst a GDPR-aligned approach is a useful part of AI governance, it is not a complete solution. In particular, education-specific concerns, especially academic integrity, must also be considered.
Five practical steps for tertiary institutions
- Senior leaders own the agenda
AI governance must be seen as strategic and ethical, not just technical.
- Build on what already works
Extend existing systems for data protection, safeguarding, ethics, and academic integrity.
- Govern the full AI lifecycle
Separate procurement from use. Risk assess tools before adoption and monitor their impact in day-to-day practice.
- Create safe space for innovation
Governance should support experimentation. Clear rules and accessible guidance help staff, learners, and students use AI confidently.
- Share and collaborate
The sector is stronger when it moves together. Sharing models and lessons brings consistency and increases public trust.
Final thought
AI is already reshaping teaching, learning, and institutional operations. Tertiary education has a responsibility to manage this shift safely while creating space for innovation. The sector does not need to reinvent governance to achieve this. Extending the principles and processes already embedded through GDPR is a key component.
Institutions that do this will protect their communities, build trust, and lead the way in shaping ethical and effective AI use across the UK tertiary education sector.
Get in touch with the team directly at AI@jisc.ac.uk