Is Your Business Using AI Tools? Here's What You're Now Legally Responsible For
Your team is already using AI tools — probably more than you realise. Here's what that means for your legal responsibilities under UK GDPR and the EU AI Act, and the practical steps you can take this week.
The short version
- Shadow AI is already here: Your team is almost certainly using AI tools that no-one formally approved and that appear on no register — a governance gap, not a technology problem.
- It's a data-protection issue: Any customer, employee or business data fed into a third-party AI tool is data processing under UK GDPR, so you need a lawful basis and a processor agreement in place.
- The EU AI Act applies to users: If you use AI tools in your business — even to write emails or summarise documents — you have obligations, including an acceptable-use policy and basic staff AI literacy.
- Start by asking your team: A simple audit of which AI tools people actually use takes about an hour, costs nothing, and everything else builds from that single list.
Picture a typical Monday morning in a UK small business. Someone opens ChatGPT to draft a proposal. A developer asks GitHub Copilot to review a function. The sales team’s CRM quietly uses AI to score leads. A support agent pastes a customer complaint into an AI summariser to save time. By lunchtime your business has reached for half a dozen AI tools. None formally approved, none on a register, no policy covering any of them. This is the everyday reality for most UK SMEs right now, and your AI tools business legal responsibility is no longer a future concern you can defer. It is already yours.
What is shadow AI, and why should you care?
Shadow AI is any artificial intelligence tool employees use in their daily work without formal approval, oversight or awareness from IT or leadership — and it is now almost universal.
The name sounds dramatic, but the reality is mundane. A team member discovers ChatGPT speeds up their email replies, tells a colleague, and within a month half the office uses it. No-one did anything wrong. No-one thought to ask whether they should. That is the governance gap, and it matters because what happens inside those tools is your legal responsibility, not the individual employee’s.
Shadow AI is not a technology problem. It is an oversight problem. The fix is not to ban AI tools. That ship has sailed, and a ban would dent productivity without actually stopping the use. The fix is to get visibility, set clear rules, and make the approved path the easiest path.
What is your AI tools business legal responsibility?
Your AI tools business legal responsibility comes mainly from UK GDPR and the EU AI Act: feeding business or personal data into AI tools is regulated processing you must govern.
There are two legal dimensions every UK SME should understand.
UK GDPR and data protection
When someone pastes a client’s name and contact details, an employee’s performance notes, or commercially sensitive information into a public AI tool, that data leaves your systems and is handled by a third party. Under UK GDPR, the UK’s post-Brexit version of the General Data Protection Regulation, this counts as data processing, full stop. That means you need:
- A lawful basis for the processing (for example, legitimate interests or contractual necessity).
- A data-processor agreement with the AI tool provider, confirming how they handle, store and protect the data.
- Clarity on whether your data is used to train the AI model — something that varies widely between providers.
Most employees using free, consumer-grade AI tools have none of these in place. That is not a criticism; it is simply how fast AI adoption has outrun policy. But it is a gap you need to close.
The EU AI Act: it applies to users, not just developers
The EU AI Act (which came into force across 2024 and 2025) is often discussed as something only AI companies need to worry about. In fact, it creates obligations for deployers, businesses that use AI tools in their operations, not just the companies that build them.
If your business operates in the EU, sells to EU customers, or uses AI in certain higher-risk contexts such as hiring decisions or customer credit assessments, the Act applies to you. A fuller breakdown of risk categories and timelines is worth reading, but the core obligations for most SMEs using everyday AI tools are straightforward:
- Know what AI tools you are using. You cannot manage what you cannot see.
- Have an acceptable-use policy: a written document that sets out the rules.
- Ensure basic AI literacy. Staff should understand what the tools do and what the risks are.
None of these is onerous. But none of them is in place at most small businesses right now.
ASK YOURSELF THIS
If a regulator or a prospective enterprise client asked you today which AI tools your business uses, and what your policy is for using them, could you answer? If not, this week is a good time to start building that answer.
What should an AI acceptable-use policy cover?
An AI acceptable-use policy need not be long: a single page covering approved tools, prohibited data inputs and a process for requesting new tools is a solid starting point.
At minimum, your policy should address:
- Approved tools: a list of AI tools the business has reviewed and sanctioned for work use.
- Prohibited inputs: what data must never be entered into public AI tools. Typically personal data about clients or employees, commercially confidential information, and anything covered by a non-disclosure agreement.
- Who approves new tools: a named person or role (even if that is you) so there is a process, not just a rule.
- Staff awareness: a short note on what the policy means in practice, so it is not filed and forgotten.
You do not need a legal team to draft a first version. You do need it written down, communicated, and, ideally, signed off before the next time someone takes a client brief and pastes it straight into an AI chat window.
Where do you start? Build your AI tool register first.
An AI tool register is a simple record of every AI tool your business uses, its purpose, the data it touches and who approved it: your governance foundation.
The practical first step is the simplest: ask your team. Send a short message this week asking everyone to list the AI tools they use regularly, including browser extensions, built-in features such as AI summaries in Microsoft 365 or Google Workspace, and any AI-assisted software in your tech stack. You will probably be surprised by the length of the list.
The businesses that handle this well are not the ones that banned AI. They are the ones that asked the question early enough to get ahead of it.
Once you have that list, you can cross-reference it against your data-processing records, check provider terms for processor agreements, and prioritise what needs a proper review. It sounds like a project. In practice, the first audit takes about an hour.
What about AI literacy for staff?
Basic AI literacy means staff understand what an AI tool can and cannot do, what data they must not share, and why those boundaries exist — no lengthy course required.
The EU AI Act asks deployers to make sure their staff have enough AI literacy to use these tools appropriately. For most SMEs, that means a short briefing rather than a multi-day course. Cover the basics of how large language models work, what “training data” means in practice, and the company’s own rules. Fifteen to thirty minutes of structured awareness, documented and repeated when the policy changes, meets the spirit of the requirement for everyday business tools.
This article is practical guidance for general awareness only. It does not constitute legal advice, and the rules around AI governance and data protection are still evolving. For advice specific to your circumstances, consult a qualified legal or compliance professional.
SecurSentry is launching soon to guide you, step by step, through building your AI tool register and AI acceptable-use policy, so you know exactly what is running in your business and can show you are managing it responsibly. Join the waitlist to be first to know when it opens.