Plain-English guide
If your business uses AI in any form — asking ChatGPT, a website chatbot, automation, or building your own tools — a few simple things keep you on the right side of the law. Most small firms don't know them. Here they are, plainly.
If your UK business uses AI with personal data you must say so in your privacy notice, have a lawful basis, keep a human check on major automated decisions, tell customers when they're talking to a bot, and never leak data into public AI tools.
Most owners think "AI" means some big futuristic system. In practice, you're almost certainly already using it. Asking ChatGPT to draft a quote or a customer email is using AI. A chatbot on your website is AI. The "smart" features quietly added to your accounting software, your CRM, your booking system — that's AI too. So is any tool that scores, sorts, or shortlists people, and so is building your own tool by describing what you want to an AI.
The rules don't care what you call it. They care about two things: is personal data going into the tool, and is the tool making or driving a decision about a person? If either is true, the guidance below applies to you — whatever the software is branded as.
The good news: for a typical Cornish trade or small business, staying compliant is genuinely simple. It's a handful of sensible habits, not a compliance department. Here's the lot.
Required now — UK law
These come straight from UK GDPR, the Data Protection Act and the Equality Act, applied to AI. None of them are hard; skipping them is what gets small firms into trouble.
1. If customer or staff data is fed into any AI tool, your privacy notice must disclose it. Silent processing is the common breach.
2. Know why you're allowed to use that data — and keep special-category data (health and similar) out of public AI tools entirely.
3. If AI materially decides something about a person — hiring, credit, dismissal — they have a right to human review and an explanation. UK law reaffirmed this in 2025.
4. A chatbot shouldn't pose as a human. A simple line does the job.
5. Stop staff pasting client info into free tools. Use business-tier AI with data-retention off. This is the biggest real-world risk.
Two duties sit here. The first is data transparency: if you feed a customer's name, email, job details or messages into an AI tool, your privacy notice has to mention that AI processing happens and roughly what for. The second is interaction transparency: if a visitor is talking to a chatbot, they shouldn't be tricked into thinking it's a person. A one-line "you're chatting with our AI assistant — a human can take over any time" covers it. Neither is expensive; both are routinely missed.
Every use of personal data needs a lawful basis under UK GDPR — for most small-business AI use that's legitimate interests or contract. You don't need to overthink it, but you do need to be able to say why you're allowed to process the data. The hard line is special-category data: health, ethnicity, religion, sexual orientation, biometrics and similar. That data carries a much higher bar, and it should never go into a public AI tool. If your work touches medical records or anything clinical, that's exactly the territory a general AI tool has no business handling.
If AI makes — or substantially drives — a decision that has a legal or similarly significant effect on someone, that person has the right to meaningful human involvement and an explanation. Hiring, dismissal, credit, pricing that materially affects someone: these are the flashpoints. The UK's data reforms in 2025 kept this protection in place. Practically, the rule is simple: never let AI be the final word on a significant decision about a person. A human reviews it, owns it, and can explain it.
This is the one that actually bites in the real world. A member of staff pastes a client's details, a contract, or a spreadsheet into free ChatGPT to "save time", and that data has now left your control — potentially used to train the model, stored who-knows-where, outside your privacy notice. It's the most common exposure by a distance. Fix it with business-tier tools that let you switch off data retention and training, and a short staff policy on what may and may not go into public tools.
Advisable — stay ahead
Not strictly required today, but the firms doing these will sail through whatever comes next — and avoid the messy incidents in the meantime.
- What staff can and can't put into AI tools. Cheap, and it prevents most incidents before they happen.
- AI makes things up. Someone checks its output before it reaches a customer — because you're liable for what you send.
- Where's your data hosted, and do they train their models on it? Two minutes that saves headaches.
- AI-generated content and code isn't cleanly yours by default. Don't assume ownership on anything that matters.
- A light record of where AI touches your business makes any future compliance trivial.
Building your own tools
More owners are building their own tools by describing what they want to an AI. It genuinely works — but the AI writes the feature, not the safety. AI-generated apps routinely ship with leaked keys, no access controls, unvalidated inputs and customer data sitting wide open. The moment that tool holds personal data, every rule on this page applies to it — and "the AI built it" is not a defence if it leaks.
If you're going down this route, the non-negotiables are: keep secrets and API keys out of the browser, put proper access controls on anything holding customer data, validate every input, and set spend caps so a bug can't run up an unbounded bill. If that list already sounds like a lot, that's the honest signal to get a second pair of eyes before you go live — a short security review is far cheaper than a breach.
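As an added example that is not part of this guide, here is what those non-negotiables look like in code for a small app that lets logged-in users ask an AI a question: the API key stays in the server environment and never reaches the browser, a request without a login is refused, the prompt is validated before anything is spent, and a per-user daily budget acts as the spend cap. The names handleChatRequest, validatePrompt and callModel, and the prices, are assumptions for illustration.

```javascript
// Added example (not from the original guide): server-side checks an AI-built app
// should have before a browser request reaches a paid AI API. Prices are constructed.

// WRONG (the pattern that leaks keys): the key is embedded in front-end code, so
// anyone who opens the page source can copy it and run up your bill:
//   fetch("https://api.example-ai.invalid/v1/chat",
//         { headers: { Authorization: "Bearer sk-live-..." } });
// RIGHT: the key is read from the server's environment only and never sent down.
const API_KEY = process.env.AI_API_KEY || "<set AI_API_KEY on the server>";

const MAX_PROMPT_CHARS = 2000;     // validate every input: cap the size
const DAILY_BUDGET_PENCE = 500;    // spend cap per authenticated user per day
const COST_PER_CALL_PENCE = 2;     // constructed flat price per call for the example

const spent = new Map();           // userId -> pence spent today (in-memory demo store)

// Reject anything that is not a sensible, bounded piece of text.
function validatePrompt(prompt) {
  if (typeof prompt !== "string") return { ok: false, error: "prompt must be a string" };
  const trimmed = prompt.trim();
  if (trimmed.length === 0) return { ok: false, error: "prompt is empty" };
  if (trimmed.length > MAX_PROMPT_CHARS) return { ok: false, error: "prompt too long" };
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(trimmed)) {
    return { ok: false, error: "control characters not allowed" };
  }
  return { ok: true, prompt: trimmed };
}

// Spend cap: refuse the call once the user's daily budget would be exceeded.
function chargeUser(userId) {
  const used = spent.get(userId) || 0;
  if (used + COST_PER_CALL_PENCE > DAILY_BUDGET_PENCE) return false;
  spent.set(userId, used + COST_PER_CALL_PENCE);
  return true;
}

// req = { session: { userId } | null, body: { prompt } }. callModel(prompt, apiKey)
// is the assumed server-side AI client. Returns an HTTP-style { status, body }.
function handleChatRequest(req, callModel) {
  // Access control first: no login, no AI call.
  if (!req.session || !req.session.userId) return { status: 401, body: { error: "login required" } };
  const v = validatePrompt(req.body && req.body.prompt);
  if (!v.ok) return { status: 400, body: { error: v.error } };
  // Only a valid request is charged against the budget.
  if (!chargeUser(req.session.userId)) return { status: 429, body: { error: "daily AI budget reached" } };
  const answer = callModel(v.prompt, API_KEY);   // the key never leaves this process
  return { status: 200, body: { answer } };
}
```

A real deployment would keep the spend ledger in a database rather than in memory, and would also set a hard cap in the AI provider's own billing settings as a backstop.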
If you sell beyond the UK
The EU has a dedicated AI law with real teeth. The part that surprises people is its reach: it can apply to a UK business if your AI system's output is used in the EU or you serve EU users — being based in Cornwall doesn't put you outside it. For most small firms the relevant duties are the transparency ones: clearly labelling AI chatbots and AI-generated content so EU users know what they're dealing with. Higher-risk uses (things that score or profile people in significant ways) carry heavier obligations.
The Act is phasing in over time and the detail is still moving, so if EU customers are part of your plan, treat this as a "know it exists and check before you expand" item rather than something to panic about today. If you only trade in the UK, it doesn't bite — but it's worth keeping on your radar as you grow.
- Add a line to your privacy notice saying you use AI tools to help run the business, and what for. One sentence.
- Write a one-page staff AI policy — what can and can't go into AI tools, and which tools are approved. Circulate it.
- Switch to business-tier AI where staff use it daily, and turn off data retention/training in the settings.
- Name a human owner for any AI output that reaches customers or drives decisions about people.
- Label your chatbot so visitors know it's AI, with an easy route to a person.
Most of this comes down to four things: a line in your privacy notice, a one-page staff policy, a human checking AI output, and not leaking data into public tools. I can set those up with you in a fixed-price AI-readiness check — no jargon, no open-ended bills.
This is plain-English guidance for Cornwall businesses, not formal legal advice — where something genuinely needs a lawyer or data-protection specialist, I'll tell you straight.