AI is no longer a buzzword. It is a daily tool.
Across the UK, small and medium-sized businesses use it to write content, reply to customers, screen job applicants and cut down on admin. For owners dealing with tight budgets and even tighter schedules, it saves time and money.
But one question keeps getting ignored. When AI makes a mistake — who is responsible?
The answer might surprise many business owners. And according to lawyers, that surprise is becoming a serious legal problem.
Adoption is high. Awareness is low.
The UK Government’s 2026 AI Adoption Research found that one in six UK businesses now uses at least one AI tool. More than half use it every single day. Around 27% use it at least once a week.
AI is not being tested anymore. It is running real operations.
But legal platform LawDistrict says most small businesses have little understanding of what the law expects from them. Lawyers working on the issue say the gap is growing fast — and businesses are being exposed because of it.
The big mistake
Most small business owners believe the same thing. If they use a third-party AI tool, the legal responsibility belongs to the vendor.
That belief is wrong.
Ali Pinarbasi is a UK data protection solicitor working with LawDistrict. He says the law is clear on this point.
“Outsourcing AI capabilities does not absolve businesses of their obligations under the UK GDPR,” he said.
In plain terms — using someone else’s tool does not make the risk theirs. The business using the tool is still responsible. That means having a legal basis for processing data, limiting what gets shared, informing customers and putting the right contracts in place.
LawDistrict’s campaign lists four mistakes that small firms keep making. First, assuming the AI provider handles compliance. Second, not telling people how their data is used. Third, skipping risk assessments. Fourth, ignoring the legal risks of using AI in hiring or firing decisions.
Trust is the real casualty
Most people in the UK don’t know their personal data could be used to train AI systems. When they find out, trust breaks down fast.
For a small business, trust is everything. A delayed reply is forgivable. Finding out your data was used in ways you never expected is not.
The stakes go even higher when AI starts making decisions about people.
LawDistrict notes that some UK businesses are already using AI to help decide who gets hired or let go. When a tool decides who gets an interview or whose performance gets flagged, the business must be able to explain how that process works. Decisions cannot be fully automated where legal protections apply. And the risk of bias must be taken seriously.
AI tools are not neutral just because they are technical. They reflect the data they were trained on. That is not a flaw — but it is a responsibility.
The step most businesses skip
A Data Protection Impact Assessment, or DPIA, helps businesses find problems before they cause damage. For AI tools, this means checking how data moves through the system, whether too much data is being collected, and whether a human reviews decisions before they affect real people.
Pinarbasi said: “It’s essential to assess not just how the AI tool functions, but how data is collected, processed, and potentially reused.”
Most small businesses skip this entirely. Many don’t even know it exists.
The numbers tell the story
This is not a theoretical risk. LawDistrict’s campaign found that 13 percent of organisations have already dealt with breaches involving AI systems. Another 8 percent don’t know if they’ve been hit. Of confirmed incidents, 60 percent involved compromised data. Another 31 percent caused direct disruption to operations.
For a small business, one serious incident can be enough to cause lasting damage.
What good AI use looks like
The solution is not to stop using AI. The solution is to use it with clear rules.
Businesses should decide which tools are approved. They should set limits on what data staff can enter. They should check whether the provider uses that data for training. They should make sure customers and employees know how AI is being used. And they should confirm that a human reviews AI-assisted decisions before they are acted on.
AI helps small businesses move faster. That is real and valuable.
But speed without control is not an advantage. It is a liability.
The businesses that get this right will be the ones asking the right question — not just what their AI tool can do, but what they are on the hook for every time it does it.
For more, visit Pure Magazine
