AI Governance for UK Small Businesses: What the ICO, ACAS, and UK GDPR Actually Require
UK small businesses using AI tools face UK GDPR obligations and ICO enforcement. Here is what actually applies and what to prioritise without the complexity of the EU AI Act.
Key Takeaways
UK GDPR applies to all UK businesses regardless of size. If your AI tools process personal data of UK individuals, you have data protection obligations including lawful basis, transparency, and automated decision-making rights.
The UK has not passed a comprehensive AI Act — existing sector regulators (ICO, FCA, CMA, Ofcom) apply their own guidance to AI in their domains.
The CMA's AI in markets guidance means AI-driven pricing, recommendation systems, and consumer communications are already subject to enforcement under existing consumer protection law.
ACAS guidance on AI at work (2023) represents best practice that Employment Tribunals will reference in cases involving AI-assisted employment decisions.
ICO has actively enforced against AI misuse including facial recognition in retail (Southern Co-op 2023) — small businesses are not exempt.
A practical AI register listing what AI tools you use, what personal data they process, and what decisions they inform is the most useful starting point and what the ICO asks for first.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified professional for advice on your specific situation."
The UK AI governance landscape for small businesses
The UK has not passed a dedicated AI Act. Your obligations come from existing regulators — ICO (data protection), FCA (financial services), CMA (consumer protection). These are enforceable obligations, not aspirational standards.
UK GDPR: your core obligation
If your AI tools process personal data, UK GDPR applies regardless of your size. Key requirements: every AI use of personal data needs a documented lawful basis; your privacy policy must explain how AI uses personal data; data minimisation means AI tools should receive only the data actually necessary for the purpose; and if AI makes decisions that significantly affect individuals, you must be able to explain the decision and allow human review. The ICO's small business guidance at ico.org.uk provides practical templates.
Practical starting point
List every AI tool you use commercially. Identify which of them process personal data. Check that your privacy policy covers these uses. Review whether AI-assisted decisions affect individuals in legally significant ways. Document your lawful basis for each AI use involving personal data. This AI register is what ICO investigators ask for first.