A recruiter at a 12-person consultancy was screening CVs using ChatGPT. She would paste in the applicant’s name, work history, and job description, then ask for a shortlisted ranking. Fast, efficient, and genuinely useful. What she didn’t know was that this made her firm a data controller under UK GDPR, that the personal data going into a third-party AI system needed a lawful basis, and that Italy’s regulator had already blocked ChatGPT for doing something structurally similar. No one had told her.
That’s the position many owner-managed businesses are in right now.
What does GDPR actually cover when AI is involved?
UK GDPR applies the moment personal data enters an AI system. Personal data is anything that can identify a person: names, email addresses, HR records, customer notes, voice recordings. If your team pastes any of this into an AI tool, you are acting as a data controller under UK law, and the regulation applies regardless of how small your business is.
The ICO has published detailed guidance confirming that organisations using AI to process personal data must meet requirements around transparency, purpose limitation, accuracy, fairness, and accountability. An AI tool carries no exemption from these. The same rules that govern a CRM or a spreadsheet apply to a large language model that touches your customer or employee data.
The common situations that put owner-managed businesses at risk include copying customer contact lists into AI writing tools, uploading HR files to AI summarisation services, connecting AI assistants to email inboxes or shared drives, and using AI to score or rank job applicants. Each involves personal data. Each creates GDPR obligations that may not yet be in place.
Why do GDPR fines matter for an owner-managed business?
UK GDPR gives the ICO the power to fine up to £17.5m or 4% of global annual turnover, whichever is higher, for the most serious breaches. EU GDPR mirrors this at €20m or 4% of worldwide turnover. For a business with £2m turnover, the 4% figure puts the theoretical maximum at £80,000. That is the upper ceiling, not the expected outcome.
There are two fine tiers. The lower tier covers failures in security, processor contracts, and impact assessments, capped at £8.7m or 2% of global turnover under UK GDPR. The upper tier covers breaches of core processing principles, legal basis, data subject rights, and international transfers, and carries the higher cap. AI-related issues tend to land in the upper tier because they frequently involve fundamental questions about lawfulness, transparency, and fairness.
Enforcement so far has focused heavily on large technology platforms. Amazon was fined €746m by the Luxembourg regulator for automated profiling and opaque data practices. For a well-intentioned owner-managed business facing its first GDPR question connected to AI, the more realistic outcomes are a formal reprimand, a corrective action notice, or a requirement to change practices, provided you cooperate with the ICO and act in good faith. The fine tariff is real, and it is proportionate to gravity, intent, and prior history.
Where will you actually meet GDPR risk when using AI?
GDPR risk in AI use clusters around four patterns regulators are already pursuing: feeding personal data into public AI tools without a contract or lawful basis; granting AI tools more data access than the task requires; using AI to influence decisions about individuals without transparency or human review; and sending personal data to AI vendors outside the UK or EU without adequate transfer safeguards.
Named enforcement cases make the pattern concrete. The French data protection authority CNIL fined Clearview AI €20m in 2022 for scraping billions of facial images to build a recognition database, finding breaches of lawful basis, transparency, and data subject rights. Italy’s Garante temporarily blocked ChatGPT in March 2023, citing unlawful data collection, insufficient transparency, and inadequate age verification. Spain’s AEPD ordered Worldcoin to suspend collecting iris scans in March 2024, citing biometric data processed without proper consent.
These were large operations. But the legal failures they illustrate show up in owner-managed businesses regularly. Pasting client emails into a public AI tool is a lawful basis question. Giving an AI assistant full access to your inbox is a data minimisation question. Letting AI shortlist candidates without explanation is an automated decision-making question. The scale differs; the compliance structure does not.
When does the risk become real, and when can you relax?
The risk becomes concrete when your AI use involves personal data, when that data influences decisions about identifiable individuals, or when you have no clear answer to “what legal basis are we relying on?” Three conditions, any one of which flags real exposure. AI use that involves no personal data at all may fall entirely outside GDPR’s reach.
Logistics optimisation, inventory forecasting, predictive maintenance, and models trained only on synthetic data may carry no GDPR exposure. If you are using AI to analyse your own operational data with no link to identifiable people, the regulation may simply not apply.
Where personal data is involved, the ICO’s guidance is that organisations must be able to explain their AI’s decisions in plain language, provide a route for challenge, and ensure human review for anything that significantly affects an individual. That is the practical bar: can you explain what the AI did, why, and what the person can do about it?
The ICO has signalled that it will engage with owner-managed businesses through guidance and corrective action before escalating to fines, provided the business demonstrates genuine effort. Acting in good faith needs to be visible. Documenting your decisions, running a data protection impact assessment before major AI deployments, and checking your contracts with AI vendors are the kinds of evidence that shape how any investigation proceeds.
What else sits alongside GDPR when AI is involved?
If you sell into EU markets or process data about EU residents, the EU AI Act creates a second set of obligations on top of GDPR. It entered into force on 1 August 2024. Its penalty structure is separate: up to €35m or 7% of global turnover for prohibited AI practices, and €15m or 3% for non-compliance with rules covering general-purpose AI models.
The European Data Protection Board has confirmed that the AI Act does not replace GDPR. The two frameworks apply in parallel wherever AI processes personal data. That means an EU-market AI project could face regulatory attention from both a data protection authority and an AI oversight body at the same time.
For UK businesses focused on domestic markets, the AI Act does not currently apply directly. The UK government’s approach is to rely on existing regulators, including the ICO, to oversee AI rather than introduce a dedicated AI statute. The ICO has responded with specific AI guidance, a risk assessment toolkit, and published expectations around fairness, explainability, and accountability in AI systems. That guidance is the practical framework for UK owner-managed businesses.
Three steps cover the most important ground: run a data protection impact assessment before deploying any AI that touches personal data; document your lawful basis and data minimisation choices; and make sure your contracts with AI vendors include Article 28 data processing terms. Those steps do not make you immune to regulatory scrutiny, but they demonstrate the kind of effort that shapes how any investigation proceeds and, in many cases, prevents it from starting.