Using AI to process customer or employee data does not exempt you from data protection law; it raises the bar. The good news is that the duties are manageable for a small business if you handle them deliberately. Here is a plain-English checklist for UK SMEs in 2026.
1. Establish a lawful basis
You need a lawful basis under UK GDPR for any personal data your AI processes. For internal operational use, "legitimate interests" usually applies, but the ICO expects a documented Legitimate Interests Assessment that weighs your purpose against the individual's rights.
2. Run a DPIA for new AI uses
A Data Protection Impact Assessment is required where processing is likely to result in high risk to people's rights and freedoms. The ICO has explicitly said this includes most new AI use cases involving personal data. A DPIA is not bureaucracy for its own sake; it is the document that proves you thought it through.
3. Minimise the data
Train and prompt with the minimum personal data necessary. If an agent only needs an order number to answer a query, it should not be handed a full customer record. Data minimisation reduces both your risk and your exposure if something goes wrong.
4. Keep a human in the loop for significant decisions
Reforms under the Data (Use and Access) Act 2025 (DUAA) reshaped the rules on automated decision-making. Where a decision has a legal or similarly significant effect on someone, build in meaningful human review rather than letting the model decide alone.
5. Prepare for the June 2026 complaints duty
From 19 June 2026, organisations are legally required to handle data protection complaints under the DUAA. Make sure there is a clear, documented route for someone to raise a concern and get a response.
6. Choose UK-appropriate tooling
Prefer tools that are transparent about where data is processed and that do not train public models on your business data. UK data residency and clear retention terms make the rest of this checklist far easier to satisfy.
None of this should stop you adopting AI. It should shape how you adopt it: deliberately, with the decisions documented, and with people accountable for the ones that matter.
Frequently asked questions
Do I need a DPIA to use AI in my business?
In most cases involving personal data, yes. The ICO has said most new AI use cases are likely high risk, which triggers the requirement for a Data Protection Impact Assessment under UK GDPR.
What lawful basis applies to AI processing?
For internal operational use, legitimate interests usually applies, but you must complete and document a Legitimate Interests Assessment balancing your purpose against individuals' rights.
What changed with the Data (Use and Access) Act 2025?
The DUAA reformed UK data protection, including rules on automated decision-making. From 19 June 2026 organisations are also legally required to handle data protection complaints under the Act.
James Paulinson
Co-Founder, SMEAutomate
James Paulinson is the co-founder of SMEAutomate. With two decades across advertising, technology, and consulting, he focuses on helping boutique businesses and founders scale with AI-powered workflow automation.