EU AI Act and GDPR: What UK Businesses Using AI Should Check

If your UK business uses AI for customer support, recruitment, marketing, profiling, automated decisions, or content generation, you are probably processing personal data under UK GDPR. Depending on your customers, tools, or supply chain, you may also have obligations under the EU AI Act. The two frameworks are separate but they overlap in ways that matter practically for a small business website, an operations workflow, or a SaaS tool you chose from a vendor directory.

This is not legal advice. It is practical guidance to help you understand what to check, what to document, and when to ask for specialist support. The ICO, the EU Commission, and your own records are the sources that count.

Why UK businesses should care about the EU AI Act

The EU AI Act is a risk-based regulation from the European Commission that applies to businesses operating inside the EU and to certain tools used by EU residents. The EU AI Act regulatory framework classifies AI systems into four risk tiers: unacceptable, high, limited, and minimal risk. Prohibited practices are banned outright. High-risk systems face the strictest requirements around transparency, record-keeping, human oversight, and data governance.

For a UK small business, direct applicability depends on whether you are selling into EU markets, processing data of EU residents, or using a vendor whose AI system is subject to the Act. Even if the Act does not directly apply to you, UK GDPR applies to any processing of personal data, and the ICO has published specific guidance on AI and data protection that draws on similar principles.

How UK GDPR applies to AI processing

UK GDPR applies whenever you process personal data. AI tools almost always process personal data, even if that is not immediately obvious: a chatbot that records customer messages, an email sorting tool that reads subject lines, a recruitment platform that scores CVs, or a marketing tool that segments your audience by behaviour. All of these involve personal data and therefore fall under UK GDPR obligations.

The ICO guidance on AI and data protection makes clear that existing data protection principles do not disappear because a tool is labelled AI. Lawful basis, purpose limitation, data minimisation, transparency, and individual rights all still apply.

For a practical GDPR checklist for small business websites, see the GDPR compliance checklist for small business websites, which covers the foundational steps to take before adding AI on top. The principles overlap significantly, and reviewing your existing compliance posture first often surfaces gaps that AI tooling then amplifies.

Lawful basis comes first

Before deploying any AI tool that processes personal data, you need a lawful basis under Article 6 of UK GDPR. The most common ones for AI use cases are:

  • Consent: the individual has given clear, specific, freely given permission for their data to be processed in that way.
  • Contract: processing is necessary to perform a contract with the individual.
  • Legitimate interests: processing is necessary for a genuine business interest and, after a balancing test, that interest is not overridden by the individual's rights.

A CRM with AI-driven lead scoring, an automated chatbot on your website, and a marketing automation tool that profiles users all require a documented lawful basis. If you are unsure which applies, the ICO's interactive lawful basis guide is a practical starting point before seeking legal advice.

Data minimisation and purpose limitation

AI tools can accumulate large amounts of data quickly. UK GDPR requires that you only collect and process what you actually need, and that you use it only for the stated purpose. If an AI tool retains chat logs for model training purposes, that is a different purpose from the original support interaction and may require separate consent or a new lawful basis.

This is where vendor due diligence becomes important. Many AI tool providers update their terms and model training settings without sending a clear notification. Reviewing what data the tool retains, whether it trains on your inputs, and how you can opt out of training is a practical step before committing to any AI vendor.

The EU AI Act risk tiers and what they mean in practice

The EU AI Act classifies AI systems by risk. Understanding which tier your tool or workflow might fall into helps you assess whether you have additional obligations beyond UK GDPR.

Prohibited practices

Certain AI uses are banned outright under the Act. These include AI systems that deploy subliminal techniques to distort behaviour, exploit vulnerabilities, or score individuals on social behaviour in ways that lead to harm. If your business uses subliminal manipulation through AI in any customer-facing process, this applies to you regardless of where your customers are based. Most small businesses are not operating in this space, but it is worth knowing the boundary.

High-risk AI systems

High-risk AI systems under the Act include uses in employment decisions, credit scoring, critical infrastructure management, education assessment, and law enforcement. For a typical UK small business, high-risk AI might include:

  • Recruitment AI: screening CVs or scoring candidates automatically.
  • Automated HR decisions: scoring performance, identifying candidates for dismissal, or making promotion recommendations.
  • Credit or insurance scoring: automated decisions affecting access to financial services.

If your business uses AI for any of these purposes, you may face obligations under both UK GDPR (which already requires human review for automated decisions under Article 22) and the EU AI Act (which requires conformity assessments, technical documentation, and ongoing monitoring). The ICO guidance on automated decision-making is directly relevant here and worth reading alongside this article.

Limited risk and minimal risk

Limited-risk AI systems such as chatbots, AI-generated content, or emotion recognition tools have specific transparency obligations under the Act. You must inform users they are interacting with AI if that is not obvious. Minimal-risk AI covers tools with low risk to individuals and faces the lightest touch requirements, though the Act encourages codes of conduct for this tier.

Most small UK businesses using AI for content generation, customer support, or internal productivity will fall into the limited or minimal risk categories. This does not mean there are no obligations, but the steps are more manageable.

EU AI Act application dates and why they matter for UK businesses

The EU AI Act entered into force in August 2024 with a phased implementation timeline. Prohibited practices bans apply from February 2025. High-risk system obligations apply from August 2026. General AI obligations for most other systems apply from August 2026. GPAI model obligations apply from August 2025.

Even though the UK is no longer in the EU, these dates matter if you supply AI tools or services to EU customers, if your AI vendor is EU-based and subject to the Act, or if you are evaluating tools whose providers will need to comply and may change their terms or pricing as a result. Monitoring vendor communications during this period helps you anticipate changes before they affect your own compliance documentation.

What a small business AI compliance check looks like

A practical AI compliance review does not require legal training. It requires a structured look at what AI tools you are using, what data they touch, what decisions they influence, and what records you are keeping. Below is a workflow you can apply to your own business operations.

Step 1: Inventory your AI tools

List every AI-powered tool you use in your business. This includes tools embedded in platforms you already use, not just standalone AI products. Common places AI appears in small businesses:

  • Website chatbot or support widget
  • CRM with AI lead scoring or email suggestions
  • Marketing platform with automated segmentation or content suggestions
  • HR or recruitment platform with CV screening
  • Accounting or invoicing tool with automatic categorisation
  • Customer feedback or survey tool with sentiment analysis
  • AI writing or image generation tools used in content production

Step 2: Identify what personal data each tool touches

For each tool in your inventory, note what personal data it processes. This includes names, email addresses, IP addresses, behaviour data, chat logs, CV content, or any other data that could identify an individual. You do not need to audit the full dataset, just understand the categories of data involved.

Step 3: Check your lawful basis for each tool

For each AI tool that processes personal data, confirm you have a documented lawful basis. If you rely on consent, check that consent is specific, freely given, and documented. If you rely on legitimate interests, document the balancing test you have carried out. The ICO has templates for this on their website.

Step 4: Review transparency and notices

UK GDPR requires you to inform individuals when their data is being processed. If you use an AI chatbot, you need a clear notice that tells visitors they are talking to an AI. If you use AI in recruitment, candidates must be told before applications are processed. This notice does not need to be complex but it must be present and accurate.

Step 5: Check for automated decision-making and human review

UK GDPR Article 22 gives individuals the right not to be subject to solely automated decisions that produce significant effects. If your AI tool makes a decision about a customer or employee without human involvement, you need to be able to explain the logic, offer a way to challenge the decision, and ensure a human can review it on request. Documenting who has oversight responsibility for each AI process is a practical step many small businesses skip.

Step 6: Review vendor documentation and data retention

Check what your AI vendors say they do with your data. Many AI providers update their data handling practices when new regulations come into force. Look for information on:

  • Whether the vendor uses your inputs to train their model
  • How long they retain conversation logs or uploaded data
  • Whether they have a UK GDPR or EU GDPR addendum
  • What their process is if you request data deletion

If a vendor cannot give you clear answers on these points, treat that as a risk signal and consider whether the tool is appropriate for your use case.

Common mistakes small businesses make with AI and data protection

Based on patterns that come up in practice, several mistakes are particularly common for small businesses deploying AI tools.

Assuming the vendor handles compliance for you. Using a GDPR-compliant AI tool does not automatically make your own use compliant. You are the data controller. The vendor is a processor. The obligations sit with you for how you configure and use the tool.

Not updating privacy notices when adding AI. If you add a chatbot or AI analytics tool to your website and do not update your privacy policy, you have a transparency gap under UK GDPR. The notice needs to name the tool, explain what data it processes, and describe the purpose.

Skipping the Data Protection Impact Assessment. If an AI tool is likely to cause high risk to individuals, UK GDPR requires a DPIA before you start using it. Many small businesses do not realise this applies to their recruitment AI or profiling tool. The ICO publishes DPIA templates that are practical to work through even without a legal background.

Not keeping records of AI processing. UK GDPR requires you to maintain records of processing activities. AI tools processing personal data should be included in your processing activity records, with notes on the lawful basis, retention period, and any automated decision-making involved.

Accepting default settings without review. AI tools often default to model training on your data. Checking and disabling this setting where possible is one of the simplest practical steps you can take to reduce data protection risk.

AI tool updates and what to monitor

AI providers update their models, add features, and change data policies frequently. A tool you reviewed six months ago may now handle data differently. If you use OpenAI-powered tools, ChatGPT API integrations, or other third-party AI services in your business workflow, checking the release notes and any changes to data retention or training settings is worth building into a periodic review.

The guide on OpenAI and AI tool update checks for small businesses covers what to look for in vendor communications and how to assess whether an update changes your compliance position.

If you are still deciding where AI belongs in your workflow, the guide on using AI in a small business without adding complexity is a useful companion before committing to tools that process customer or employee data.

Why vendor selection matters for AI compliance

When you are evaluating AI tools for your business, the technical capability is only one part of the picture. How the vendor handles data, where their infrastructure is located, and what contractual protections they offer directly affect your own compliance posture.

Before committing to any AI vendor, it is worth asking the same questions you would ask before any significant technology investment. Whether you are choosing an AI chatbot provider, a recruitment platform, a marketing automation tool, or a document processing service, the evaluation criteria for choosing an IT partner include points that apply equally to AI vendors: data handling commitments, contractual obligations, support responsiveness, and long-term viability.

How IT change management applies to AI tool adoption

Adding an AI tool to your website or business workflow is a change to your IT environment. If you are deploying AI across multiple systems or integrating it with existing platforms, applying a structured approach to that change helps you avoid gaps in your compliance review.

The IT change management process covers how to assess risk before making system changes, document what you have done, and handle the transition without disrupting your operations. When the change involves personal data processing or automated decision-making, those same principles help you ensure nothing gets missed.

Special considerations for UK businesses handling EU customer data

If your UK business serves customers in the EU, you may be processing the personal data of EU residents. This creates a specific situation where both regimes can apply simultaneously. UK GDPR applies because you are established in the UK and processing personal data. The EU AI Act may also apply depending on the AI systems you use and how EU customers interact with them.

In practice, this means your compliance documentation needs to account for both frameworks. Your privacy notices should be clear to EU visitors. Your data processing records should note which individuals are EU residents. Your contracts with AI vendors should include EU GDPR data processing agreements alongside any UK-specific provisions.

The ICO and the European Data Protection Board both publish guidance that helps clarify the interaction between UK GDPR and EU GDPR, particularly around data transfers, adequacy decisions, and the role of representatives in each jurisdiction.

Practical AI compliance checklist for a small business website and operations

  • Inventory every AI tool you use, including embedded tools in platforms you already use.
  • Identify the personal data each tool processes and note the categories involved.
  • Document the lawful basis for each tool and keep that record updated.
  • Update your privacy notice to include AI tools, what data they process, and the purpose.
  • Check for automated decisions and confirm human review is available for affected individuals.
  • Review vendor data handling including training opt-outs, retention periods, and deletion processes.
  • Conduct a DPIA if an AI tool is likely to cause high risk to individuals.
  • Include AI processing in your records of processing activities under UK GDPR.

Frequently Asked Questions

Does the EU AI Act apply to UK businesses?

It can. A UK-only business may not be directly covered in every case, but the EU AI Act can matter if the business offers AI systems into the EU, serves EU users, uses AI outputs in an EU context, or works with vendors and customers who are inside scope. UK businesses should check scope before assuming the Act is irrelevant.

How does UK GDPR connect with AI tools?

UK GDPR applies when an AI tool processes personal data. That includes chat logs, customer messages, CVs, behavioural data, analytics records, support tickets, or employee data. The business still needs a lawful basis, transparency, data minimisation, retention controls, security, vendor checks, and records of processing.

Do small businesses need a DPIA before using AI?

A DPIA is strongly recommended, and may be required, where AI processing is likely to create high risk for individuals. Recruitment screening, profiling, automated decisions, monitoring, financial decisions, vulnerable users, or large-scale personal data processing are all situations where a DPIA should be considered before deployment.

What should a business check before adding an AI chatbot or automation?

Check what data the tool collects, whether the vendor uses inputs for model training, where data is stored, how long logs are retained, whether a data processing agreement is available, what users are told, and who inside the business is responsible for human review and escalation.

Can N. Cristea help review the technical side?

Yes. For practical checks around website forms, chatbots, analytics, AI tool settings, data flows, privacy-facing content, and vendor configuration, contact N. Cristea.