SecurSentry
← All notes
EU AI Act

Is Your Business Using AI Tools? Here's What You're Now Legally Responsible For

Your team is already using AI tools — probably more than you realise. Here's what that means for your legal responsibilities under UK GDPR and the EU AI Act, and the practical steps you can take this week.

The short version

Picture a typical Monday morning in a UK small business. Someone opens ChatGPT to draft a proposal. A developer asks GitHub Copilot to review a function. The sales team’s CRM quietly uses AI to score leads. A support agent pastes a customer complaint into an AI summariser to save time. By lunchtime your business has reached for half a dozen AI tools. None formally approved, none on a register, no policy covering any of them. This is the everyday reality for most UK SMEs right now, and your AI tools business legal responsibility is no longer a future concern you can defer. It is already yours.

What is shadow AI, and why should you care?

Shadow AI is any artificial intelligence tool employees use in their daily work without formal approval, oversight or awareness from IT or leadership — and it is now almost universal.

The name sounds dramatic, but the reality is mundane. A team member discovers ChatGPT speeds up their email replies, tells a colleague, and within a month half the office uses it. No-one did anything wrong. No-one thought to ask whether they should. That is the governance gap, and it matters because what happens inside those tools is your legal responsibility, not the individual employee’s.

Shadow AI is not a technology problem. It is an oversight problem. The fix is not to ban AI tools. That ship has sailed, and a ban would dent productivity without actually stopping the use. The fix is to get visibility, set clear rules, and make the approved path the easiest path.

Your AI tools business legal responsibility comes mainly from UK GDPR and the EU AI Act: feeding business or personal data into AI tools is regulated processing you must govern.

There are two legal dimensions every UK SME should understand.

UK GDPR and data protection

When someone pastes a client’s name and contact details, an employee’s performance notes, or commercially sensitive information into a public AI tool, that data leaves your systems and is handled by a third party. Under UK GDPR, the UK’s post-Brexit version of the General Data Protection Regulation, this counts as data processing, full stop. That means you need:

Most employees using free, consumer-grade AI tools have none of these in place. That is not a criticism; it is simply how fast AI adoption has outrun policy. But it is a gap you need to close.

The EU AI Act: it applies to users, not just developers

The EU AI Act (which came into force across 2024 and 2025) is often discussed as something only AI companies need to worry about. In fact, it creates obligations for deployers, businesses that use AI tools in their operations, not just the companies that build them.

If your business operates in the EU, sells to EU customers, or uses AI in certain higher-risk contexts such as hiring decisions or customer credit assessments, the Act applies to you. A fuller breakdown of risk categories and timelines is worth reading, but the core obligations for most SMEs using everyday AI tools are straightforward:

  1. Know what AI tools you are using. You cannot manage what you cannot see.
  2. Have an acceptable-use policy: a written document that sets out the rules.
  3. Ensure basic AI literacy. Staff should understand what the tools do and what the risks are.

None of these is onerous. But none of them is in place at most small businesses right now.

ASK YOURSELF THIS

If a regulator or a prospective enterprise client asked you today which AI tools your business uses, and what your policy is for using them, could you answer? If not, this week is a good time to start building that answer.

What should an AI acceptable-use policy cover?

An AI acceptable-use policy need not be long: a single page covering approved tools, prohibited data inputs and a process for requesting new tools is a solid starting point.

At minimum, your policy should address:

You do not need a legal team to draft a first version. You do need it written down, communicated, and, ideally, signed off before the next time someone takes a client brief and pastes it straight into an AI chat window.

Where do you start? Build your AI tool register first.

An AI tool register is a simple record of every AI tool your business uses, its purpose, the data it touches and who approved it: your governance foundation.

The practical first step is the simplest: ask your team. Send a short message this week asking everyone to list the AI tools they use regularly, including browser extensions, built-in features such as AI summaries in Microsoft 365 or Google Workspace, and any AI-assisted software in your tech stack. You will probably be surprised by the length of the list.

The businesses that handle this well are not the ones that banned AI. They are the ones that asked the question early enough to get ahead of it.

Once you have that list, you can cross-reference it against your data-processing records, check provider terms for processor agreements, and prioritise what needs a proper review. It sounds like a project. In practice, the first audit takes about an hour.

What about AI literacy for staff?

Basic AI literacy means staff understand what an AI tool can and cannot do, what data they must not share, and why those boundaries exist — no lengthy course required.

The EU AI Act asks deployers to make sure their staff have enough AI literacy to use these tools appropriately. For most SMEs, that means a short briefing rather than a multi-day course. Cover the basics of how large language models work, what “training data” means in practice, and the company’s own rules. Fifteen to thirty minutes of structured awareness, documented and repeated when the policy changes, meets the spirit of the requirement for everyday business tools.


This article is practical guidance for general awareness only. It does not constitute legal advice, and the rules around AI governance and data protection are still evolving. For advice specific to your circumstances, consult a qualified legal or compliance professional.

SecurSentry is launching soon to guide you, step by step, through building your AI tool register and AI acceptable-use policy, so you know exactly what is running in your business and can show you are managing it responsibly. Join the waitlist to be first to know when it opens.

Frequently asked questions

Does the EU AI Act apply to small businesses in the UK?

It can, in two ways. If your business operates in the EU or sells to EU customers, the EU AI Act applies to how you deploy AI tools, regardless of your company's size or where it is based. Even outside the EU, UK GDPR obligations on data processing through AI tools apply to every business.

What is shadow AI in the workplace?

Shadow AI refers to AI tools that employees use without IT or leadership formally approving or even knowing about them — tools like ChatGPT, Grammarly, or AI-assisted CRM features adopted individually. It is a governance gap, meaning the risk is not the technology itself but the absence of oversight, policy and accountability around it.

Do I need an AI acceptable-use policy as a small business?

If your team uses any AI tools — and they almost certainly do — then a written acceptable-use policy is a practical necessity. It does not need to be long, but it should cover which tools are approved, what data must never be pasted into public AI tools, and who has authority to approve new tools.

What counts as a high-risk AI use under the EU AI Act?

The EU AI Act classifies AI uses into risk tiers, with the heaviest obligations falling on systems that make decisions affecting employment, credit, essential services or law enforcement. For most SMEs, everyday tools like writing assistants and summarisers sit in lower-risk categories, but knowing what you are using, and for what purpose, is the first step to understanding where you stand.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.