AI adoption among SMEs is accelerating, but governance and legal awareness may be lagging behind.
Small businesses have always been good at finding shortcuts.
They find cheaper tools, faster workarounds and clever ways to compete with bigger rivals. So it is no surprise that many UK small firms have taken to AI quickly. It offers what small businesses need most — time.
AI can write emails, reply to customers, summarise meetings, help with hiring and cut down on admin. Used well, it gives a small firm real firepower.
But treating AI like just another productivity hack is where things start to go wrong.
The gap between use and understanding
A briefing from LawDistrict says 40% of UK SMEs now use AI tools. At the same time, many are missing basic legal safeguards around data protection, transparency and automated decisions.
That gap matters. AI doesn’t just speed up work. It processes data, draws inferences and can shape decisions that affect customers, staff and job applicants.
The UK Government’s 2026 AI Adoption Research found that around one in six UK businesses now uses at least one AI tool. Among those businesses, natural language processing and text generation are the most common uses — with 85% of AI users relying on them.
That is a telling detail. Businesses are not using AI in obscure back-end systems. They are using it for language — emails, documents, customer replies, job descriptions, meeting notes and CV screening.
That is exactly where personal and sensitive data tends to appear.
The mistake most small businesses make
LawDistrict’s campaign points to one error above all others. Most small businesses assume the AI provider handles legal compliance. That assumption is wrong.
Ali Pinarbasi is a UK data protection solicitor working with LawDistrict.
“Outsourcing AI capabilities does not absolve businesses of their obligations under the UK GDPR,” he said.
That is the line every small business owner needs to understand.
If a business puts customer, employee or applicant data into an AI tool, it may still be fully responsible for what happens to that data. It must have a lawful reason for processing it. It may need a data processing agreement. It must check whether the data gets reused. And it must make sure the individual has been properly told.
None of that changes just because a third-party tool is involved.
The trust problem
LawDistrict says 53.8% of UK adults don’t know their data may be used to train AI models.
That should worry any business that depends on customer trust.
A customer may be fine with a company storing their order details. They may feel very differently if their complaint, health query or personal details end up inside an AI system — with no clear explanation of why.
This is where the debate stops being about technology. It becomes about honesty.
If a business uses AI, it should say so where it matters. If an AI system may process customer or staff data, people should not have to guess.
When AI shapes people’s lives
The risks go further when AI starts affecting real decisions.
LawDistrict says 27% of UK business leaders report using AI to inform hiring or firing decisions. That is a serious number.
Recruitment and dismissal are not routine tasks. They affect people’s livelihoods. AI may help organise information, but decisions about people need fairness, context and human judgement.
A small business that lets a tool filter candidates or flag staff for dismissal — without proper checks in place — is not being efficient. It is taking a risk it may not be ready for.
The check that brings discipline
Data Protection Impact Assessments exist for exactly this reason.
A DPIA forces a business to ask the right questions. What data is being collected? Why is it needed? Where does it go? How long is it kept? What could go wrong?
Pinarbasi said: “It’s essential to assess not just how the AI tool functions, but how data is collected, processed, and potentially reused.”
Most small businesses skip this step. Many have never heard of it.
The security numbers are hard to ignore
LawDistrict’s briefing puts the risk in concrete terms.
13% of organisations have already experienced breaches involving AI systems. A further 8% don’t know whether they have been hit. Of confirmed incidents, 60% involved compromised data and 31% caused direct disruption to operations. And 97% of affected organisations had no AI-specific access controls in place at all.
For a small business, one incident like that can cause lasting damage.
What this means in practice
The answer is not to stop using AI. The answer is to use it with clear rules and proper oversight.
AI adoption without governance is not progress. It is exposure.
Britain’s small businesses don’t need to fear AI. But they do need to stop treating it like a toy.
The next stage of AI adoption should not be about who can add the most tools the fastest. It should be about who can use them responsibly, transparently and within the law.
That may sound less exciting than full automation. But for any business that wants to last, it matters far more.
