If your AI use touches personal data — customer names, emails, CVs, support tickets — then UK GDPR and the Data Protection Act 2018 apply, full stop. The good news for a small business is that the duties are the ones you already know: have a reason to process the data, tell people, keep it minimal, and don't let a machine make serious decisions about someone with no human involved. The AI part rarely changes the rules. It just raises the stakes on getting them right.
This is general guidance to help you ask the right questions, not formal legal advice. Where the answer matters — a big automated decision, sensitive data at scale, a regulated sector — check with a data protection specialist or your DPO. Everything below reflects UK GDPR, the DPA 2018 and the ICO's published guidance on AI and data protection at the time of writing.
Does GDPR apply when I use AI?
Yes, whenever the AI processes personal data. UK GDPR governs the processing of information about identifiable living people, and it doesn't care whether that processing happens in a spreadsheet, a CRM, or a large language model. Paste a customer email into a chatbot and you've processed personal data through a third party.
What is personal data here? A name, an email, a phone number, a customer reference, or any detail specific enough to single someone out. It hides in ordinary work:
- Support tickets and their full conversation history
- CVs and job applications
- Sales notes, call transcripts, and meeting recordings
- Spreadsheets of leads with contact details
If none of your AI use touches data like that — you're drafting generic marketing copy or summarising a public report — then GDPR mostly steps aside. The moment a real person is identifiable in the input or output, every normal duty is live. For where to draw that line day to day, see our guide on whether you can put company data into ChatGPT.
What are my main obligations?
The same handful you have for any data processing, applied to AI. You need a lawful basis, you have to be transparent, you keep personal data to a minimum, and you stay clear about whether you're the controller or a processor. None of this requires an enterprise compliance team. It requires deciding a few things on purpose instead of by accident.
Here's the practical version — obligation on the left, the actual thing a small business does on the right.
| Obligation (UK GDPR) | What an SME actually does |
|---|---|
| Lawful basis for processing | Pick one before you start — usually legitimate interests or contract for operational use, consent for marketing. Write it down. |
| Transparency | Add a plain line to your privacy notice: you use AI tools, for what, and whether any decision is automated. |
| Data minimisation | Strip names and identifiers from prompts where you can. Don't paste a whole customer database to answer one question. |
| Purpose limitation | Use the data only for what you told people. Don't quietly repurpose support logs to train a model. |
| Controller vs processor | Know your role. You're usually the controller; the AI vendor is your processor. Get a data processing agreement in place. |
| Security | Use business-tier tools, sensible access controls, and a provider that doesn't train on your inputs by default. |
| Individual rights | Be able to find, correct, and delete someone's data — including anything sitting in AI logs or histories. |
Controller vs processor trips people up, so be clear on it. You decide why and how the data is used, which makes you the controller and puts the legal responsibility on you. The AI provider acts on your instructions as a processor. That relationship should be covered by a data processing agreement — most business-tier AI tools publish one. Read it, and check it says they process your data only on your instructions and don't train their models on it.
On data minimisation, the single most useful habit is keeping identifiable personal data out of prompts and out of anything that feeds training. Anonymise or pseudonymise before you paste. "Summarise this complaint" works just as well with the customer's name removed.
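As an added illustration of that habit (example code, not from the original article): a small Python pseudonymiser that swaps names, emails, phone numbers and customer references for stable tokens before a ticket is pasted anywhere, keeps the reverse key inside the business, and flags text that still contains identifiers. The sample ticket, the customer name list and the phone and reference formats are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple
# Constructed sample ticket, the kind of text an SME might paste into an AI tool.
SAMPLE_TICKET = (
    "Ticket 4471: Jane Okafor (jane.okafor@example.com, 07700 900123) says her "
    "order was refunded twice. Customer ref CUST-88214. Please call her back."
)
KNOWN_NAMES = ["Jane Okafor"]  # constructed; in practice fed from your CRM

# Pattern-based identifiers; the phone and reference formats are assumptions.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\b0\d{4}\s?\d{6}\b"),  # UK-style 11-digit number
    "REF": re.compile(r"\bCUST-\d+\b"),          # assumed customer reference format
}

def pseudonymise(text: str, known_names: Iterable[str]) -> Tuple[str, Dict[str, str]]:
    """Swap identifiers for stable tokens; return (safe_text, key).
    Only safe_text leaves the business; the key (token -> real value) stays local.
    """
    key: Dict[str, str] = {}
    seen: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def token_for(kind: str, value: str) -> str:
        if value not in seen:  # same value -> same token, so the output stays coherent
            counters[kind] = counters.get(kind, 0) + 1
            seen[value] = f"[{kind}_{counters[kind]}]"
            key[seen[value]] = value
        return seen[value]

    # Longest names first so a longer name is not half-replaced by a shorter one.
    for name in sorted(known_names, key=len, reverse=True):
        text = text.replace(name, token_for("NAME", name))
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: token_for(k, m.group(0)), text)
    return text, key

def residual_identifiers(text: str, known_names: Iterable[str]) -> List[str]:
    """Pre-paste gate: a non-empty result means the text is not safe to send."""
    found = [n for n in known_names if n in text]
    for pattern in PATTERNS.values():
        found.extend(pattern.findall(text))
    return found

def reidentify(text: str, key: Dict[str, str]) -> str:
    """Put the real values back into the AI's output, locally, once it returns."""
    for token, value in key.items():
        text = text.replace(token, value)
    return text
```

The summary request then goes out as "Summarise this complaint: Ticket 4471: [NAME_1] ([EMAIL_1], [PHONE_1]) ...", and the reply is re-identified on your side only if someone actually needs the names back.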
Do I need a DPIA for AI?
Only when the AI use is likely to be high risk. A Data Protection Impact Assessment is a short structured think-through of the risks before you start. You need one when processing is likely to result in a high risk to people's rights — the ICO says AI that involves large-scale profiling, automated decision-making with significant effects, or processing sensitive data at scale will usually require one.
Rough test for a small business:
- Probably no DPIA: drafting emails, summarising your own notes, generating first-draft copy, internal Q&A over your own documents.
- Probably yes: screening or ranking job applicants, scoring or profiling customers, any AI making or heavily shaping a decision that affects someone, sensitive data (health, ethnicity, and similar) processed at any real scale.
The ICO publishes a DPIA screening checklist and a template. If two or more high-risk factors apply, do the assessment — it's a document, not a project, and it's far cheaper than an enforcement notice. A DPIA that concludes "low risk, here's why" is a perfectly good outcome and worth keeping on file.
Can I make automated decisions about people using AI?
Not solely automated decisions that carry legal or similarly significant effects — unless you meet a specific condition and give people a route to human review. This is UK GDPR Article 22, and it's the rule most likely to catch an SME that gets enthusiastic about automation.
"Significant effects" means decisions like:
- Refusing credit or a loan
- Rejecting a job application
- Cancelling or refusing a service
- Setting a price or eligibility that materially affects someone
If AI makes that kind of call with no meaningful human involvement, Article 22 generally prohibits it unless it's necessary for a contract, authorised by law, or based on the person's explicit consent — and even then you must offer human intervention, an explanation, and the right to contest it.
The clean answer for most small businesses: keep a person in the loop. Let AI shortlist, flag, or recommend, then have a human make the actual decision and be able to explain it. That keeps you out of Article 22 territory and produces better decisions anyway. A rubber-stamp doesn't count — the human has to genuinely be able to override the machine. If you're weighing whether AI even suits a decision like this, our guide on when AI is the wrong tool is worth a read.
Is it legal to use US AI tools like ChatGPT under UK GDPR?
Yes, provided you handle the international transfer properly. Most popular AI tools — ChatGPT, Claude, Gemini and the rest — are run by US companies, and sending personal data to them is a restricted transfer under UK GDPR. That doesn't make them illegal. It means you need a valid transfer safeguard in place.
In practice, for a small business:
- Check the provider's transfer terms. Reputable vendors cover UK/EU transfers through the UK's international data transfer mechanism (the IDTA or the UK addendum to the EU Standard Contractual Clauses), and some offer UK or EU data residency. This is in their data processing agreement.
- Use a business or enterprise tier. These typically exclude your inputs from model training by default and give you the DPA you need. Consumer free tiers often do not.
- Minimise what crosses the border. The less identifiable personal data you send, the smaller the transfer risk. Strip identifiers first.
- Tell people. Your privacy notice should mention that data may be processed outside the UK with appropriate safeguards.
Do those four things and using a US AI tool is a normal, defensible arrangement. Skip them — paste customer data into a free consumer account with no DPA — and you've made an unlawful transfer with no safeguard. Same tool, very different legal position.
What about the EU AI Act — does that affect me?
For most UK small businesses, only at the edges. The EU AI Act is separate from GDPR and applies mainly to organisations placing AI systems on the EU market or affecting EU users, with the heaviest rules reserved for genuinely high-risk uses — AI in credit decisions, employment and recruitment, essential public services, and a short list of others. If you're a UK firm using off-the-shelf tools for internal work, it largely won't bite.
Where it's worth attention: if you build or deploy AI that decides who gets hired, who gets credit, or who accesses an essential service — especially with EU customers — those uses attract extra obligations around risk management, transparency and human oversight. If that's you, get specific advice. For everyone else, GDPR is the framework that actually shapes your day-to-day AI use.
What happens if I get it wrong?
The ICO regulates this, and it has real teeth. For serious breaches, fines run up to £17.5 million or 4% of annual global turnover, whichever is higher. That headline figure is aimed at large failures, not a one-off mistake by a small firm — but the ICO can also investigate complaints, audit your processing, and issue enforcement notices ordering you to stop or change what you're doing.
For a small business, the realistic sequence is a complaint or a data breach, an ICO enquiry, and pressure to fix your practices fast — plus the reputational hit of customers learning their data was mishandled. Most trouble traces back to three failures: no lawful basis, no transparency (people didn't know), or a leak because identifiable data went somewhere it shouldn't. All three are avoidable with the basics above.
The cheapest time to get this right is before you roll a tool out. A readiness assessment will tell you whether your groundwork is solid, and following a written AI use policy keeps your team on the same page about what data can go where. When we design a system, data handling is built in from the start rather than bolted on after — a free AI Readiness Assessment is a sensible first step, and our fixed-fee AI System Audit maps exactly where personal data flows before anything gets automated.
FAQ
Does GDPR apply when I use AI?
Yes, whenever the AI touches personal data — names, emails, customer records, CVs, support tickets. UK GDPR and the Data Protection Act 2018 apply to the processing, not the technology. If your prompt or training set contains information about identifiable people, every normal data protection duty applies exactly as it would to a spreadsheet.
Do I need a DPIA before using AI?
Only when the use is likely high risk — large-scale profiling, decisions affecting people's rights, or sensitive data at scale. Drafting emails or summarising your own notes usually needs no DPIA. Screening job applicants or scoring customers with AI usually does. The ICO publishes a screening checklist; when in doubt, do the short assessment.
Is it legal to use ChatGPT under UK GDPR?
Yes, if you use it lawfully. Keep identifiable personal data out of prompts where you can, use a business or enterprise tier that excludes your inputs from training, check the provider's UK/EU transfer safeguards, and tell people in your privacy notice. The tool is legal; careless use of it with customer data is what creates the risk.
Can I make automated decisions about people with AI?
Not solely automated decisions with legal or similarly significant effects — like refusing credit, rejecting a job application, or ending a service — unless a specific condition applies and you offer human review. UK GDPR Article 22 gives people the right to a human in the loop. Keep a real person making the final call.
What counts as personal data in an AI prompt?
Anything that identifies a living person, directly or indirectly — a name, email, phone number, customer reference, or a description detailed enough to single someone out. Support tickets, CVs, and sales notes are usually full of it. Pseudonymised or genuinely anonymised data carries far less risk, so strip identifiers before pasting where you can.
What happens if I get AI and data protection wrong?
The ICO can investigate, order you to stop, and fine serious breaches up to £17.5 million or 4% of global turnover. For a small business the realistic outcomes are an audit, an enforcement notice, and reputational damage after a complaint or breach. Most problems trace back to no lawful basis, no transparency, or leaked data.
Do I need to tell customers I use AI?
Yes, where AI processes their personal data. Transparency is a core UK GDPR duty, so your privacy notice should say plainly that you use AI tools, for what, and whether any decision is automated. You don't need to name every model, but people should not be surprised to learn an algorithm handled their data.