SMEs are using AI for enhanced efficiency but are they putting customers and clients at risk? Matt Riley, Data Protection and Information Security Officer, Sharp Europe, looks at how meeting privacy and compliance as important as strategic growth. He also covers how often SMEs should review AI policy documentation and the potential future AI regulatory approaches.
SMEs are increasingly using AI for automation, improved customer experiences, and data-driven decision-making, leading to enhanced efficiency, cost savings, and strategic growth.
AI is having a huge impact on the workplace. One recent survey found that 80% of senior employees believe AI will prove its business impact within two years, while 70% of employees want to develop their AI skill sets.
While there are clear business benefits to be had from the technology, organisations using AI tools need to ensure they meet data privacy and legal compliancy at all points across the business.
In this article we discuss the following key aspects and key questions arounds AI privacy and compliance:
Legal and Ethical Challenges of AI:
- What are the most significant legal and ethical challenges SMEs face when integrating AI?
- How do existing data privacy regulations, such as GDPR, apply to AI?
Privacy Risks of AI:
- What is the most overlooked privacy risk when businesses deploy AI?
- What are the compliance risks for SMEs when using third-party AI vendors or services?
AI Policy and Documentation:
- How long should an AI policy for business last?
- What is a data protection impact assessment for AI?
- How should AI decision-making processes be documented within a business?
Future Regulatory Approaches:
What are the most significant legal and ethical challenges SMEs face when integrating AI?
AI tools are being used in businesses to speed up efficiencies and create smarter workflows. However, we are seeing that many businesses are implementing AI without going through the necessary legal procedures they would normally follow for other technologies. This lack of proper legal processes is a challenge as it opens data concerns and confidentiality issues. For example, AI solutions being used without the proper data protection assessments or confidential data becoming public.
AI tools have been designed to be easy to use, which can lead companies to skip proper evaluation and compliance steps. This may not be an issue for basic AI applications, such as content creation, images, or simple workflows, but may well become more significant as organisations advance their AI usage.
As AI develops, without proper oversight and guidance businesses will open themselves up to legal challenges, as failure to comply with required regulations like GDPR, especially regarding automated decision-making could bring penalties to the business.
In terms of ethical challenges, there are issues surrounding a lack of transparency, in which businesses are increasingly relying AI solutions without understanding how they have been trained, or what biases they might contain based on the data they have been trained on.
How do existing data privacy regulations, such GDPR, apply to AI?
Data privacy regulations such as the UK GDPR (General Data Protection Regulation) and the EU GDPR apply to the use of AI too. This is something that many users are not aware of, but businesses must still follow those existing legislative processes.
Beyond the privacy piece, there is also the slightly wider look at data usage in terms of what the AI is being trained on, and not only what it is outputting. For example, with AI, it can be argued that there is a legal requirement for a full data protection impact assessment. This will depend on the type of processing, but the AI may well be consuming an extensive amount of special category data therefore requires a full data protection impact assessment. Even if this is not the case, an assessment of the privacy risks should still be undertaken.
What is the most overlooked privacy risk when businesses deploy AI?
The most overlooked privacy risk when using AI tools within a business is in regards to what is happening with the data being used. The AI dataset presents issues in its creation and raises educational concerns about data handling and output sharing. Under EU law, businesses have a legal responsibility to train their employees to use AI tools in a responsible and secure manner.
AI tools can help speed up business processes but there is presently not sufficient consideration around the security of the data being used. This goes beyond personal to commercial data too. For example, when it comes to intellectual property or confidential data, you need to conduct a thorough evaluation to understand what risks could be posed by inputting this data into an AI tool.
What are the compliance risks for SMEs when using third-party AI vendors or services?
As with any emerging technology, AI tools within business settings need to be introduced slowly, with caution and with sufficient training. Employees need to be educated not only on how to efficiently use the tools but be trained on the risks they could face when using them.
As a result, any businesses looking to deploy AI solutions in a meaningful way should have an AI policy. It will help create a governance structure that encompasses information security, data protection, and any additional data security needed into one place. In this way, it will help a business utilise these AI solutions in the most safe and secure manner.
When thinking about creating an AI policy for SMEs, starting with a readiness assessment, such as the one offered around Microsoft Copilot is recommended. It offers insights into how businesses can use the tools within Microsoft safely, securely, and reap the benefits of them.
How long should an AI policy for business last?
Like any risk assessment, AI tools within a business needs ongoing support and maintenance. As AI usage evolves, a business must understand the changes happening to the wider world, the changes happening with the AI itself, the way it's been used, and what is changing within the business.
As a result, AI policies should be revised every six months for at least the next few years because it's changing so fast.
What is a data protection impact assessment for AI?
A Data Protection Impact Assessment (DPIA) for AI is a structured process used to identify and minimise privacy risks associated with artificial intelligence systems that process personal data. It involves systematically examining how an AI system collects, uses, and stores personal information.
A data protection impact assessment itself is only required in certain circumstances and each one will be different for each business. Furthermore, most SMEs won’t be required by law to carry one out, but we feel they absolutely should be doing some form of assessment around privacy on AI, and their security of AI. The depth of this assessment will often be linked to their appetite for risk.
Sharp Europe, for example, has introduced a wide range of processes internally just to understand what AI does for the business, why it’s in use, and what it is doing behind the scenes. In this way, we’re getting a better understanding of what it is learning, and how we can use it safely and securely.
We are doing this because, in the future, there are going to be increasing requirements around security and data privacy for the use of AI tools. For example, when creating, manipulating or generating images or content, users will need to have a statement that says this was created or manipulated with AI.
By carrying out a risk assessment on the data being used and what is being created, businesses can assess what they are doing now and what they need to change, if anything, to be in line with regulatory impacts.
How should AI decision making processes be documented within a business?
Any AI solution is only as good as the information it is trained on. Therefore, when adopting AI within a business documenting how it has been taught, what information is has been taught on, and what information it has been given access to, will be a key part of any regulation going forward.
When building an AI solution there are two paths that can be taken. The first is to build a bespoke model, the second is to use a third-party provider, such as Microsoft. Building a bespoke AI solution will allow for specialised data to be used but will take longer to build.
Due to the smaller pool of data used it is also open to biases. Opting for a third-party solution, which uses a dramatically larger set of data points will reduce any risks of bias within the information.
By carrying out risk assessment on the AI solution a business can start to see any potential risks with the outputs it is creating. Namely, identify any biases within the data, which can skew the results if not aligned properly.
How will regulatory approaches to AI evolve in the next one to two years?
The EU AI Act came into regulation in February 2025 and sets out a clear set of risk-based rules for AI developers and deployers regarding specific uses of AI. The expectation is that the UK AI Act will follow a similar route but be less regulatory.
For employers, there is an AI literacy clause within the regulation that requires them to be training their team regularly on AI. Presently, there is no clear guidance as to what this training should entail.
We expect over the next year or two, greater clarity will be formed around this, with third-party companies coming to the market helping businesses train their staff and tick AI compliance boxes.
For SMEs worried about compliance, the new acts are about making the right choices, ensuring AI literacy is high and training employees to spot potential issues around AI deployment.
In Conclusion:
As AI usage grows and regulations become mandatory, businesses will need to demonstrate compliance with more robust data protection measures. As a result, SMEs lacking the necessary expertise to implement and manage AI technologies effectively, or unsure of how to manage privacy and security effectively will need support and guidance to overcome compliance issues.
By working with an IT Services provider that can offer insight and expertise, businesses can ensure the strains of compliance are met, freeing them to focus on productivity and growth.
If you would like to know more about how Sharp Europe can help your business with AI privacy and compliance, contact us.
