Big Tech first owned artificial intelligence
For thousands of small and medium-sized businesses across the UK, it is already part of the working day. SMEs use it to answer customer queries, draft emails, screen CVs, write marketing copy and cut down on admin. For most business owners, the appeal is simple — less repetitive work, faster output and lower costs.
But a new warning says many of those firms may be taking on legal risks they haven’t even thought about.
The gap nobody is talking about
A briefing from LawDistrict says 40% of UK SMEs now use AI tools. Yet many are missing basic data protection safeguards.
The concern is straightforward. Businesses are signing up to AI platforms without fully understanding what happens to customer, employee or applicant data once it enters those systems.
That gap between adoption and governance is getting harder to ignore.
Research on AI adoption in the UK published by the government in 2026 found that approximately one in six businesses in the UK use at least one AI tool. Of the companies using AI, 85% use it for natural language processing and text generation. It is by far the most common type of AI application.
This is a notable detail. The tools that handle the most sensitive data are generally the easiest to implement. That data can include employee records, customer complaints, applications, and even message exchanges with customers.
The compliance mistake most firms are making
UK data protection attorney Ali Pinarbasi is one of our partners at LawDistrict. “Just because an organization uses third parties for AI does not mean they are absolved from the UK GDPR,” he said.
Most small and medium-sized enterprises are not developing their own AI. They are integrating third parties to do the work they have to do. There’s a hiring platform that scans CVs. There’s a customer service platform that does complaint summarization. There’s a productivity platform that summarizes meeting notes. There’s a marketing platform that does customer data aggregation.
This can mean hiring a lawyer to draft a data processing agreement. It can mean restricting the data one can enter into the tool. It can mean using a data hosting service that offers protective measures. It can mean educating employees on the protective measures that are in place.
Nearly everyone is clueless as to how their data is being used
LawDistrict’s briefing found that 53.8% of UK adults don’t know their data may be used to train AI models.
That is a genuine trust gap between businesses and the people whose data they deal with.
For small firms, the question is practical. Would a customer, job applicant or employee reasonably know that their personal information is being processed by an AI system?
If the answer is no, the firm may need to update its privacy notices and internal policies. Under UK GDPR, businesses must clearly explain how personal data is used — including whether it feeds into AI systems or model improvement.
Where the risk gets most serious
The problem is especially sharp in recruitment.
LawDistrict reports that 27% of UK business leaders admit to leveraging AI in making hiring or firing decisions. For HR departments, that statistic should be concerning.
Employment decisions are high stakes. If AI is used to shortlist candidates, rank CVs, assess performance or recommend redundancies, businesses must think carefully about bias, fairness and human oversight.
AI can repeat and even strengthen patterns found in old data. If a recruitment tool has been trained on biased hiring history, it may disadvantage certain groups without the employer ever knowing. That can lead to discrimination claims, regulatory scrutiny and serious reputational damage.
The assessment most firms skip
Data Protection Impact Assessments — DPIAs — are another area where small firms are falling short.
A DPIA allows businesses to identify issues before integrating technology that may affect people's rights. One may be necessary when the processing involves automated decisions, profiling, or sensitive data.
“It is essential to look at how the tool works, not to mention how data is collected, processed, and perhaps reused,” said Pinarbasi.
The DPIA is a step most small businesses often overlook, and many of them are unaware that they will be required to complete one.
The simple truth
The message is not to stop using AI. The tools are useful. The productivity gains are real.
The danger is treating AI as a harmless add-on rather than a system that handles personal data, shapes decisions and creates legal exposure.
AI can make small businesses more efficient. But used without care, it can also make them more vulnerable.