How AI governance differs from data governance in practice

TL;DR

Data governance manages how you collect, store, and protect personal information under UK GDPR. AI governance manages how automated systems use that information to make or support decisions. AI governance sits on top of data governance, not instead of it. Owner-managed firms need the foundation in place first, then layer AI-specific controls wherever automated tools affect decisions about people.

Key takeaways

- Data governance covers how you handle personal information under UK GDPR; AI governance covers how automated systems use that information to make or influence decisions.
- AI governance sits on top of data governance, not instead of it. Weak data governance undermines any AI controls you put in place.
- The obligation scales with risk. Low-risk AI uses need basic staff policies; high-risk uses such as hiring or credit decisions need documentation, oversight, and a human reviewer.
- ICO guidance on automated decision-making under UK GDPR Article 22 is already in force: where AI materially affects decisions about individuals, firms must offer human review and the ability to contest outcomes.
- If you supply AI-enabled services to EU clients, the EU AI Act sets fines of up to €35 million for prohibited AI practices, separate from GDPR penalties.

Owner-managed firms across the UK are fielding three different conversations at once: a GDPR review from their solicitor, a data governance project from their IT provider, and now an AI governance discussion from someone they met at a conference. Many founders assume these are the same compliance requirement with different labels. They are not, and the gap between them is where real exposure sits for any firm already using AI tools in day-to-day operations.

What is data governance and what is AI governance?

Data governance manages your information: what personal data you hold, who can access it, how long you keep it, and your legal basis for processing under UK GDPR. AI governance manages automated behaviour: what decisions AI systems make, whether those decisions are fair and accurate, and who is accountable when something goes wrong. The two overlap, but they ask different questions and need different controls.

Think of it in layers. Data governance is the foundation: the rules about how your information is stored, classified, secured, and deleted. AI governance builds on that foundation, adding controls around how models use data to produce outputs that affect people or business decisions. Poor quality or uncontrolled data will undermine any AI controls you put in place.

The practical consequence is that you cannot skip data governance and jump straight to AI governance. If you do not have a clear record of what personal data you hold and who can access it, an AI system drawing on that data inherits every gap, and accountability for both sits with you as the controller.

Data governance has been required under UK GDPR since 2018. AI governance is newer, principles-based, and applied through sector regulators rather than a single piece of legislation. The UK government’s 2023 policy paper set five principles for AI regulation: safety, transparency, fairness, accountability, and contestability. These underpin AI governance in practice.

Why does this distinction matter for a small services firm?

For a firm of 5 to 50 staff, data governance is not optional. UK GDPR requires you to document what personal data you hold, keep it accurate, delete it when the purpose is spent, and secure it appropriately. AI governance adds a layer on top, becoming relevant as soon as you use tools that affect decisions about people: hiring, lead scoring, pricing, or complaints handling.

The ICO has demonstrated this is not a risk confined to large organisations. In 2022 it fined Tuckers Solicitors, a UK law firm, £98,000 after a ransomware attack exposed court bundles. The regulator found the firm had failed to implement basic technical controls including patch management and encryption. That was a data governance failure, and it shows the stakes at the smaller end of the market.

AI governance kicks in when data starts driving automated decisions. An AI tool that helps your team draft blog posts is low risk. An AI tool that screens CVs and ranks candidates before a human sees them triggers ICO guidance on automated decision-making, including obligations around transparency, fairness testing, and the right for individuals to contest the outcome.

McKinsey’s 2023 global AI survey found 55% of organisations had adopted generative AI in at least one business function, but only 21% had established policies governing employee use. That governance gap does not exempt small firms.

Where will you actually meet AI governance in practice?

The most common place small firms first encounter AI governance is a staff incident rather than a regulatory audit. Someone pastes a client contract into ChatGPT, or a hiring tool flags a candidate in a way the team cannot explain. These moments reveal gaps in rules, oversight, and accountability that data governance alone was never designed to cover.

In 2023, Samsung restricted internal use of generative AI after employees pasted confidential source code and meeting notes into ChatGPT. The governance failure had nothing to do with how data was stored. Staff were interacting with an AI tool with no rules in place about what they could or could not feed into it.

Three situations tend to surface AI governance requirements first for owner-managed UK services firms.

The first is staff use of general-purpose AI tools. Any team member using ChatGPT, Copilot, or a similar product for client-facing work needs a clear policy on what can and cannot go into those tools. Consumer versions of these products may use your inputs for training by default. Enterprise agreements with data-processing addenda work differently. You need to know which version your team is using.

The second is third-party AI embedded in existing software. If your CRM scores leads, your HR platform ranks candidates, or your customer service tool triages complaints automatically, you have AI governance obligations even though you did not build the AI yourself. As the controller, the ICO expects you to have assessed fairness risks and to maintain human oversight of decisions with significant effects.

The third is EU-facing work. If you supply AI-enabled services to clients in the EU, the EU AI Act begins to apply. It classifies AI uses by risk level and sets fines of up to €35 million for prohibited practices.

When do you need AI governance, and when can you step back?

The obligation scales with risk. Using AI to draft internal notes on non-sensitive topics sits at the low end: basic rules on what staff can paste into public tools are enough. Using AI to assess credit risk, screen job applications, or triage client complaints with legal implications sits at the high end and requires proper oversight, documentation, and a human decision-maker in the loop.

The ICO’s guidance on automated decision-making under UK GDPR Article 22 is clear on this. Where AI makes or materially influences decisions with legal or similarly significant effects on individuals, people have the right to human review and the ability to contest the outcome. For a small firm, this generally means one thing: AI suggests, humans decide.

The UK government’s 2024 Cyber Security Breaches Survey found only 31% of UK micro and small businesses have a formal cyber security policy in place. Cyber security controls underpin data governance, and data governance underpins AI governance. If your firm is in the majority without a formal policy, the priority order is straightforward: basic security controls first, data governance next, then AI-specific controls layered on top where needed.

Proportionality is the other useful guide. Over-engineering governance for a tool that rewrites internal emails adds cost without reducing risk. The test is whether the AI output affects a decision that has consequences for a real person. If it does, governance is warranted. If the AI is an internal productivity aid on non-sensitive material, a short staff acceptable-use policy is generally enough to start.

What else sits close to this in the compliance picture?

Three things sit close to this in the compliance picture. The EU AI Act, which UK firms supplying AI-enabled services into Europe must track, classifies AI uses by risk level and sets fines of up to €35 million for prohibited practices. The ICO’s guidance on automated decision-making under UK GDPR is already in force. And the NCSC’s Cyber Essentials scheme provides the security baseline both frameworks depend on.

The EU AI Act distinguishes four risk categories: prohibited uses banned outright, high-risk uses such as employment screening and credit assessment that carry documentation and testing obligations, limited-risk uses with transparency requirements, and minimal-risk uses with no additional obligations beyond existing law.

For regulated UK firms, the Bank of England and FCA’s 2022 discussion paper on AI in financial services added its own layer. It set expectations on model risk management, explainability, and accountability, and made clear that boards remain responsible for AI decision-making even when the model is a third-party product.

The NCSC’s Cyber Essentials scheme, while primarily a cyber security standard, covers the technical foundations both governance frameworks depend on: multi-factor authentication, device encryption, patch management, and access controls. For many small firms it’s the most practical first checkpoint before taking on more complex AI governance work.

For vendor contracts, it is worth checking whether your AI tool supplier specifies their role as a data processor, names sub-processors, and confirms data location. For foundation-model APIs, the question of whether your data is used for training by default is worth reading carefully before you commit.

If any of this is prompting questions about where your firm sits on this spectrum, book a conversation.

Sources

- ICO (2023). Guide to the UK General Data Protection Regulation. Core reference for data governance obligations including records of processing, lawful bases, and retention principles. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
- ICO (2023). Explaining decisions made with AI. ICO guidance on fairness, transparency, human oversight, and DPIAs when using AI for profiling and automated decision-making. https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/explaining-decisions-made-with-ai/
- UK Government (2023). AI regulation: a pro-innovation approach. Sets five principles for AI regulation (safety, transparency, fairness, accountability, contestability) applied through sector regulators rather than a single AI Act. https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach/ai-regulation-a-pro-innovation-approach-policy-paper
- EUR-Lex (2024). Regulation (EU) 2024: Artificial Intelligence Act. EU AI Act text including risk classification and fines of up to €35 million or 7% of global turnover for prohibited AI practices. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2021:206:FIN
- Bank of England and FCA (2022). Discussion Paper DP5/22: Artificial Intelligence and Machine Learning. Sets regulatory expectations on model risk management, explainability, and board accountability for AI decision-making in UK financial services. https://www.bankofengland.co.uk/paper/2022/artificial-intelligence-and-machine-learning
- NCSC (2023). Cyber Essentials: Requirements for IT Infrastructure. The security baseline underpinning both data and AI governance, covering MFA, patch management, access controls, and device encryption. https://www.ncsc.gov.uk/cyberessentials/overview
- McKinsey (2023). The State of AI in 2023: Generative AI's Breakout Year. Global survey showing 55% of organisations had adopted generative AI in at least one business function but only 21% had established policies governing employee use. https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai-in-2023-generative-ais-breakout-year
- UK Department for Science, Innovation and Technology (2024). Cyber Security Breaches Survey 2024. Finds only 31% of UK micro and small businesses have a formal cyber security policy, illustrating the governance baseline many SMEs need to close first. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024
- ICO (2022). Monetary penalty notice: Tuckers Solicitors LLP. Enforcement action fining a UK law firm £98,000 for failing to implement appropriate technical and organisational measures following a ransomware attack. https://ico.org.uk/action-weve-taken/enforcement/tuckers-solicitors-llp-mpn/
- The Economist (2023). Companies are rushing to ban ChatGPT. Reports Samsung's 2023 restriction on internal generative AI use after employees pasted confidential source code into ChatGPT, illustrating AI governance failures beyond data storage. https://www.economist.com/business/2023/05/04/companies-are-rushing-to-ban-chatgpt

Frequently asked questions

Do I need separate policies for data governance and AI governance?

You do not need to build two entirely separate frameworks from scratch. Start with a solid data governance baseline covering what personal data you hold, legal bases, access controls, and retention schedules. Then add AI-specific rules on top: which tools staff may use, what they may input, how decisions are reviewed, and what happens when an AI output affects someone significantly. The ICO's SME self-assessment toolkit is a practical starting point for the data layer.

Does using ChatGPT or Microsoft Copilot trigger AI governance obligations?

It depends on what you use it for. Drafting internal documents on non-sensitive topics is low risk and a basic acceptable use policy is enough. Using it to assist with decisions that affect specific people, such as drafting performance reviews, screening candidates, or assessing financial situations, raises the stakes. In those cases ICO guidance expects you to keep humans in the decision loop, check for fairness risks, and be able to explain the outcome if challenged.

What does the ICO say about AI governance for small UK businesses?

The ICO treats AI governance as an extension of data protection law rather than a separate regime. Its guidance on AI and data protection sets expectations for fairness, transparency, accuracy, and human oversight when using AI for profiling or automated decisions. Where AI has legal or similarly significant effects on individuals, firms must carry out a Data Protection Impact Assessment, regardless of size. The ICO's updated guidance and SME self-assessment toolkit are the most accessible starting point for a small UK firm.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation
