Your data may be going into a company’s AI tool and many small firms may not be telling you

When a customer sends a complaint or uploads a CV, they assume a person will read it.

That is changing fast.

Small businesses across the UK now use AI to handle customer messages, screen job applications, write marketing copy and manage admin. It saves time. It cuts costs. For many small firms, it has become part of everyday work.

But most of the people on the other end don't know it's happening.

More than half of UK adults are in the dark

LawDistrict has published a warning for small businesses. 40% of UK SMEs now use AI tools. Yet many are breaking basic data protection rules without realising it.

The core problem is simple. Customers, job applicants and staff don't know how their personal data is being used.

LawDistrict found that 53.8% of UK adults don't know their data could be used to train AI models.

That is not a small gap. That is a majority of the public.

UK GDPR is clear on this. Businesses must explain how personal data is used. That includes any use involving AI.

Ali Pinarbasi is a UK data protection solicitor working with LawDistrict. He says businesses cannot assume people already expect AI to be involved.

They must explain if data is used for AI. They must say if it could improve AI models. And they must name the legal basis for doing so.

AI is already embedded in daily business

The UK Government's 2026 AI Adoption Research found that one in six UK businesses now uses at least one AI tool. Among those businesses, 80% use it at least once a week.

This is not a future concern. It is happening now.

What is actually at risk

Think about what a customer message can contain.

A name. An address. A payment question. A health concern. A personal complaint.

Now think about a CV. It holds employment history, education, location and contact details. A staff note can include sensitive workplace information.

If any of that goes into an AI tool, the business must know what comes next.

Does the provider store it? Use it for training? Send it overseas? Can it be deleted? Who can see it? Is there a contract in place?

These are not complicated legal questions. They are basic ones. And they decide whether a business is breaking the law.

The number one mistake small firms make

LawDistrict says the most common error is simple. Small businesses assume the AI provider handles compliance.

Pinarbasi said: "Outsourcing AI capabilities does not absolve businesses of their obligations under the UK GDPR."

The software company is not responsible. The business is.

That means having a legal basis for processing data. It means signing a data processing agreement. It means keeping human oversight in place. And it means not sharing more data than is needed.

The breaches are already happening

The numbers from LawDistrict are serious.

13% of organisations have had breaches involving AI systems. Another 8% don't know if they have been hit. Of confirmed cases, 60% involved compromised data. 31% caused direct disruption to operations.

97% of affected organisations had no AI-specific access controls in place.

For a small business, one breach can mean legal costs, regulatory action, lost customers and lasting damage to its name.

Hiring is one of the biggest risk areas

LawDistrict says 27% of UK business leaders use AI to help with hiring or firing decisions.

If candidates don't know AI is involved, that is a transparency failure. If no human checks the outcome, that is a legal risk.

AI can look fair while producing biased results. A tool trained on old hiring data can quietly disadvantage certain groups. Businesses using AI in recruitment must understand how it works. And a human must stay in the loop for every important decision.

What needs to happen now

The steps are straightforward.

Before using AI with personal data, businesses should check what data is being processed. They should read the provider's terms carefully. They should update privacy notices. They should limit what data gets entered. And they should carry out a Data Protection Impact Assessment if needed.

Staff need clear rules too. No sensitive data should go into public AI tools without approval.

The privacy battle is already here

For customers and staff, the message is simple. AI may already be part of how small businesses handle your information. The law says those businesses must tell you.

The next big privacy issue may not come from a global tech company. It may come from a local shop, agency or employer quietly using AI and staying silent about it.