Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what assessment they have made of data security risks associated with the adoption of artificial intelligence systems by small and medium-sized enterprises in the hospitality sector; and what guidance they have issued about the safe deployment of those systems.

Organisations that process personal data through the deployment of AI systems must comply with the UK’s data protection legislation, as set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). This includes a requirement to put in place appropriate technical and organisational measures to ensure the security of personal data.

The Information Commissioner’s Office, the UK’s independent regulator for data protection, has published guidance for organisations on artificial intelligence and data protection available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/. Additionally, the UK Government has published a Code of Practice that sets baseline security requirements for AI tools, models and systems. The Code has informed the development of an AI security global standard in ETSI (EN 304 223) which was published in December 2025.

The Government also supports the UK’s AI assurance market, and has set out our ambitions for the sector in the Roadmap to Trusted Third-Party AI Assurance. AI assurance is crucial to ensure that AI systems are developed and deployed responsibly and in compliance with the law, so that businesses can confidently invest in new AI products and innovate at pace.