
Plain-English guide

Using AI in your business?
Here's what you actually need.

If your business uses AI in any form — asking ChatGPT, a website chatbot, automation, or building your own tools — a few simple things keep you on the right side of the law. Most small firms don't know them. Here they are, plainly.

If your UK business uses AI with personal data you must say so in your privacy notice, have a lawful basis, keep a human check on major automated decisions, tell customers when they're talking to a bot, and never leak data into public AI tools.

First: what actually counts as "using AI"

Most owners think "AI" means some big futuristic system. In practice, you're almost certainly already using it. Asking ChatGPT to draft a quote or a customer email is using AI. A chatbot on your website is AI. The "smart" features quietly added to your accounting software, your CRM, your booking system — that's AI too. So is any tool that scores, sorts, or shortlists people, and so is building your own tool by describing what you want to an AI.

The rules don't care what you call it. They care about two things: is personal data going into the tool, and is the tool making or driving a decision about a person? If either is true, the guidance below applies to you — whatever the software is branded as.

The good news: for a typical Cornish trade or small business, staying compliant is genuinely simple. It's a handful of sensible habits, not a compliance department. Here's the lot.

Required now — UK law

What you must have in place

These come straight from UK GDPR, the Data Protection Act and the Equality Act, applied to AI. None of them are hard; skipping them is what gets small firms into trouble.

01

Say when personal data goes into AI

If customer or staff data is fed into any AI tool, your privacy notice must disclose it. Silent processing is the common breach.

02

Have a lawful basis

Know why you’re allowed to use that data — and keep special-category data (health and similar) out of public AI tools entirely.

03

Human check on big decisions

If AI materially decides something about a person — hiring, credit, dismissal — they have a right to human review and an explanation. The Data (Use and Access) Act 2025 kept that right in place.

04

Tell customers when it’s a bot

A chatbot shouldn’t pose as a human. A simple line does the job.

05

Don’t leak data into public models

Stop staff pasting client info into free tools. Use business-tier AI with data-retention off. This is the biggest real-world risk.

Transparency: tell people what's happening

Two duties sit here. The first is data transparency: if you feed a customer's name, email, job details or messages into an AI tool, your privacy notice has to mention that AI processing happens and roughly what for. The second is interaction transparency: if a visitor is talking to a chatbot, they shouldn't be tricked into thinking it's a person. A one-line "you're chatting with our AI assistant — a human can take over any time" covers it. Neither is expensive; both are routinely missed.

Lawful basis and special-category data

Every use of personal data needs a lawful basis under UK GDPR — for most small-business AI use that's legitimate interests or contract. You don't need to overthink it, but you do need to be able to say why you're allowed to process the data. The hard line is special-category data: health, ethnicity, religion, sexual orientation, biometrics and similar. That data carries a much higher bar, and it should never go into a public AI tool. If your work touches medical records or anything clinical, that's exactly the territory a general AI tool has no business handling.

Human oversight of automated decisions

If AI makes — or substantially drives — a decision that has a legal or similarly significant effect on someone, that person has the right to meaningful human involvement and an explanation. Hiring, dismissal, credit, pricing that materially affects someone: these are the flashpoints. The UK's data reforms in 2025 kept this protection in place. Practically, the rule is simple: never let AI be the final word on a significant decision about a person. A human reviews it, owns it, and can explain it.

Don't leak data into public models

This is the one that actually bites in the real world. A member of staff pastes a client's details, a contract, or a spreadsheet into free ChatGPT to "save time", and that data has now left your control — potentially used to train the model, stored who-knows-where, outside your privacy notice. It's the most common exposure by a distance. Fix it with business-tier tools that let you switch off data retention and training, and a short staff policy on what may and may not go into public tools.

Advisable — stay ahead

What keeps you ahead of the curve

Not strictly required today, but the firms doing these will sail through whatever comes next — and avoid the messy incidents in the meantime.

A one-page AI use policy

What staff can and can’t put into AI tools. Cheap, and it prevents most incidents before they happen.

Keep a human accountable

AI makes things up. Someone checks its output before it reaches a customer — because you’re liable for what you send.

Check the tool’s terms

Where’s your data hosted, and do they train their models on it? Two minutes that saves headaches.

Mind the copyright

AI-generated content and code isn’t cleanly yours by default. Don’t assume ownership on anything that matters.

Note where you use AI

A light record of where AI touches your business makes any future compliance trivial.

Building your own tools

If you're vibe-coding your own solution

More owners are building their own tools by describing what they want to an AI. It genuinely works — but the AI writes the feature, not the safety. AI-generated apps routinely ship with leaked keys, no access controls, unvalidated inputs and customer data sitting wide open. The moment that tool holds personal data, every rule on this page applies to it — and "the AI built it" is not a defence if it leaks.

If you're going down this route, the non-negotiables are: keep secrets and API keys out of the browser, put proper access controls on anything holding customer data, validate every input, and set spend caps so a bug can't run up an unbounded bill. If that list already sounds like a lot, that's the honest signal to get a second pair of eyes before you go live — a short security review is far cheaper than a breach.
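To make those four non-negotiables concrete, here is an added example (not code from this page, and not any particular product's code) of a server-side handler for a hypothetical "chat" endpoint. The browser sends the prompt to your own server, which is the only place the model API key exists; the handler then checks the caller is signed in, validates the prompt, and refuses the call once a per-user limit or a business-wide daily spend cap would be exceeded. The session store, header names, costs and the injected `callModel` are all assumptions so the logic runs offline.

```javascript
// Added example, not the page's own code. A framework-free server-side handler
// that keeps the API key off the browser, authorises every call, validates
// input, and enforces a spend cap. Names and costs are hypothetical.
//
// ANTI-PATTERN this replaces: page JavaScript calling the vendor directly with
// `Authorization: "Bearer sk-..."` in the request. Anyone can read that key in
// DevTools and spend your money with it.

const DEFAULT_POLICY = {
  maxPromptChars: 2000,        // bound the input size before it reaches the model
  maxCallsPerUserPerDay: 50,   // per-user abuse limit
  dailySpendCapPence: 500,     // hard stop for the whole business, per day
  pencePerCall: 2,             // assumed flat cost per call (illustrative)
};

// Fresh per-day accounting state. In production keep this in a shared store
// (a database or cache), not process memory, so every server instance sees it.
function newState() {
  return { day: null, spentPence: 0, callsByUser: new Map() };
}

// Authorisation: the request must carry a session token the server knows.
// `sessions` stands in for your real session store or verified JWT lookup.
function authorise(req, sessions) {
  const header = (req.headers && req.headers.authorization) || "";
  const token = header.replace(/^Bearer\s+/i, "").trim();
  const session = token ? sessions.get(token) : undefined;
  if (!session) return { ok: false, status: 401, error: "not signed in" };
  return { ok: true, userId: session.userId };
}

// Input validation: accept only the field you expect, with the type and size
// you expect. Never forward the raw request body to the model.
function validateBody(body, policy) {
  if (!body || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, status: 400, error: "JSON object required" };
  }
  const { prompt } = body;
  if (typeof prompt !== "string" || prompt.trim() === "") {
    return { ok: false, status: 400, error: "prompt must be a non-empty string" };
  }
  if (prompt.length > policy.maxPromptChars) {
    return { ok: false, status: 413, error: `prompt over ${policy.maxPromptChars} characters` };
  }
  return { ok: true, prompt: prompt.trim() };
}

// Spend control: reset the counters each day, then refuse the call if either
// the user's daily limit or the business-wide spend cap would be exceeded.
function checkSpend(state, userId, policy, today = new Date().toISOString().slice(0, 10)) {
  if (state.day !== today) {
    state.day = today;
    state.spentPence = 0;
    state.callsByUser = new Map();
  }
  const userCalls = state.callsByUser.get(userId) || 0;
  if (userCalls >= policy.maxCallsPerUserPerDay) {
    return { ok: false, status: 429, error: "daily limit for this user reached" };
  }
  if (state.spentPence + policy.pencePerCall > policy.dailySpendCapPence) {
    return { ok: false, status: 503, error: "daily spend cap reached" };
  }
  return { ok: true };
}

function recordCall(state, userId, policy) {
  state.spentPence += policy.pencePerCall;
  state.callsByUser.set(userId, (state.callsByUser.get(userId) || 0) + 1);
}

// The handler returns { status, body } instead of writing to a socket, so it
// drops into any web framework and can be exercised without one. A real
// `callModel` would be async and call the vendor over HTTPS from the server.
function handleChat(req, deps) {
  const { sessions, state, callModel, apiKey, policy = DEFAULT_POLICY } = deps;
  if (!apiKey) return { status: 500, body: { error: "server misconfigured: LLM_API_KEY not set" } };
  const auth = authorise(req, sessions);
  if (!auth.ok) return { status: auth.status, body: { error: auth.error } };
  const input = validateBody(req.body, policy);
  if (!input.ok) return { status: input.status, body: { error: input.error } };
  const spend = checkSpend(state, auth.userId, policy);
  if (!spend.ok) return { status: spend.status, body: { error: spend.error } };
  recordCall(state, auth.userId, policy);
  // The key is used here, server-side, and nowhere else.
  const answer = callModel({ prompt: input.prompt, apiKey });
  return { status: 200, body: { answer } };
}

// Stand-alone demo with a fake model and a constructed session store.
function demo() {
  const deps = {
    sessions: new Map([["tok-alice", { userId: "alice" }]]),       // constructed session
    state: newState(),
    apiKey: process.env.LLM_API_KEY || "demo-key-only",             // real key comes from the environment
    callModel: ({ prompt }) => `(fake model) you said: ${prompt}`,
    policy: { ...DEFAULT_POLICY, dailySpendCapPence: 4 },           // room for two 2p calls
  };
  const signedIn = { headers: { authorization: "Bearer tok-alice" }, body: { prompt: "Draft a quote" } };
  return [
    handleChat({ headers: {}, body: { prompt: "hi" } }, deps).status,              // 401: no session
    handleChat({ ...signedIn, body: { prompt: "x".repeat(5000) } }, deps).status, // 413: too long
    handleChat(signedIn, deps).status,                                            // 200
    handleChat(signedIn, deps).status,                                            // 200
    handleChat(signedIn, deps).status,                                            // 503: cap hit
  ];
}

console.log(demo()); // [ 401, 413, 200, 200, 503 ]
```

The order of checks is deliberate: authorisation first, so anonymous traffic cannot even consume validation effort or count against limits; the spend check last, so only calls that will actually reach the model are charged. The per-user limit catches one abusive or looping client, while the business-wide cap is the backstop that bounds the bill whatever goes wrong.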

If you sell beyond the UK

The EU AI Act — and when it reaches you

The EU has a dedicated AI law with real teeth. The part that surprises people is its reach: it can apply to a UK business if your AI system's output is used in the EU or you serve EU users — being based in Cornwall doesn't put you outside it. For most small firms the relevant duties are the transparency ones: clearly labelling AI chatbots and AI-generated content so EU users know what they're dealing with. Higher-risk uses (things that score or profile people in significant ways) carry heavier obligations.

The Act is phasing in over time (the transparency duties that matter most to small firms apply from August 2026) and the detail is still moving, so if EU customers are part of your plan, treat this as a "know it exists and check before you expand" item rather than something to panic about today. If you only trade in the UK, it doesn't bite — but it's worth keeping on your radar as you grow.

What to do this week

  1. Add a line to your privacy notice saying you use AI tools to help run the business, and what for. One sentence.

  2. Write a one-page staff AI policy — what can and can't go into AI tools, and which tools are approved. Circulate it.

  3. Switch to business-tier AI where staff use it daily, and turn off data retention/training in the settings.

  4. Name a human owner for any AI output that reaches customers or drives decisions about people.

  5. Label your chatbot so visitors know it's AI, with an easy route to a person.

Not sure where you stand?

Most of this comes down to four things: a line in your privacy notice, a one-page staff policy, a human checking AI output, and not leaking data into public tools. I can set those up with you in a fixed-price AI-readiness check — no jargon, no open-ended bills.

This is plain-English guidance for Cornwall businesses, not formal legal advice — where something genuinely needs a lawyer or data-protection specialist, I'll tell you straight.


Straight answers

Do I really have to tell people I use AI?
If you put their personal data into an AI tool, yes — your privacy notice has to say so under UK GDPR. And if customers are chatting to a bot, they should know it’s a bot, not a person. Silent use is where most small firms slip up.
Is it illegal to paste customer info into ChatGPT?
Not automatically — but it can breach UK GDPR if there’s no lawful basis, no mention in your privacy notice, or if it’s sensitive data like health details. The safe move is business-tier tools with data-retention turned off, and never special-category data in public models.
Does the EU AI Act affect my Cornish business?
Only if you sell to or serve EU customers — then its transparency rules on chatbots and AI-generated content can reach you even though you’re in the UK. Trading UK-only, it doesn’t bite yet. Worth knowing before you expand.
What’s the single most common mistake?
Staff pasting client information into free public AI tools. It’s the most frequent real-world data exposure, and a one-page staff policy prevents nearly all of it.
Is there a UK AI Act I need to comply with?
Not as a single law. The UK has taken a “pro-innovation”, regulator-led approach rather than one AI Act. What actually binds you today is UK GDPR and the Data Protection Act, ICO guidance, and existing law like the Equality Act — applied to how you use AI.
Can I use AI to help decide who to hire or fire?
Be very careful. If AI makes or heavily drives a decision that has a legal or similarly significant effect on someone — hiring, dismissal, credit — UK law gives that person the right to a human review and an explanation. You also risk discrimination claims under the Equality Act if the AI is biased. Keep a real human accountable for the decision.
Do I own what AI generates for me?
Not cleanly. Ownership of AI-generated text, images and code is legally unsettled, and some tools’ terms claim rights or train on your inputs. Don’t assume anything AI produces is automatically yours — check the tool’s terms before you rely on it commercially.
What counts as “using AI” anyway?
More than you’d think. Asking ChatGPT to draft a quote, a website chatbot, AI features baked into your CRM or accounting software, AI that scores or sorts applicants, and building your own tools with AI all count. If a tool is making decisions or handling personal data, the rules apply.
Do I need a DPIA?
A Data Protection Impact Assessment is required when processing is likely to be high-risk — for example, large-scale profiling, automated decisions with significant effects, or handling special-category data with AI. For everyday admin use it may not be needed, but for anything that scores or profiles people, it usually is. When in doubt, it’s cheap insurance.
What about the new UK data law changes?
The Data (Use and Access) Act updated the rules around automated decision-making, keeping the right to human involvement for decisions with legal or similarly significant effects. The practical takeaway hasn’t changed: don’t let AI make big calls about people with no human in the loop.
Is my data safe if the AI tool is American?
International data transfers have their own UK GDPR rules. Many mainstream tools have UK/EU data options or appropriate safeguards, but you should check where your data is processed and whether it’s used to train the model. Business-tier plans usually give you those controls; free tiers usually don’t.
How do I actually get this sorted without the headache?
For most small firms it comes down to four things: a line in your privacy notice, a one-page staff AI policy, a human checking AI output, and not leaking data into public tools. I set those up in a fixed-price AI-readiness check — plain English, no open-ended bills, and I’ll tell you honestly if something needs a specialist.