Last month I ran a technology audit for a financial services firm in Reading. When I asked about AI usage, the managing director said nobody was using it. Then I spoke to the team. Eight out of twelve employees were pasting client data into the free version of ChatGPT daily — proposals, email drafts, spreadsheet summaries. Nobody had told them not to. Nobody had given them an alternative.
This is the reality for most UK SMEs in 2026. AI adoption isn’t a future decision — it’s already happening, often without any oversight. The question isn’t whether your business should use ChatGPT. It’s whether you’re using it in a way that won’t land you in regulatory trouble or leak your competitive advantage.
The GDPR problem nobody talks about
Under UK GDPR (retained from EU law post-Brexit), any personal data your business processes must be handled with a lawful basis, stored securely, and not transferred outside the UK or adequate jurisdictions without proper safeguards. When an employee pastes a customer’s name, email, and project details into the free tier of ChatGPT, several things happen that most business owners don’t realise.
First, that data is sent to OpenAI’s servers in the United States. Second, on the free and Plus tiers, OpenAI may use your inputs to train future models — meaning your customer’s data could influence outputs shown to other users. Third, you have no Data Processing Agreement in place, which means you’re technically transferring personal data to a third-party processor without a legal basis.
The ICO hasn’t made a landmark enforcement against an SME for ChatGPT use yet. But the Italian data protection authority temporarily banned ChatGPT in 2023, and the ICO has published clear guidance that AI tools must comply with existing data protection law. The regulatory direction is obvious: this is going to be enforced, and the businesses that prepared early will be in a far better position.
Free tier vs enterprise: what actually changes
The difference between free ChatGPT and enterprise-grade AI is not just features — it’s legal protection. Here’s what matters for a UK business.
ChatGPT Free and Plus (up to $20/month per user) offer no Data Processing Agreement, your data may be used for training, and there are no admin controls over what employees share. ChatGPT Team ($25-30/month per user) adds a DPA, excludes your data from training, and gives workspace-level admin controls. ChatGPT Enterprise (custom pricing, typically $60+/month per user) adds SOC 2 Type II compliance, SSO, usage analytics, and dedicated support.
For most SMEs with 10 to 50 employees, the Team tier is the sweet spot. You get the legal protections you need at a cost of roughly £250 to £500 per month for a team of ten. Compare that to the potential cost of an ICO investigation or, worse, a data breach notification to every affected customer.
What should never go into any AI tool
Even with an enterprise plan and a DPA in place, there are categories of data that should never be entered into any third-party AI system. I give every client a simple red-line list.
Customer personal data beyond what’s strictly necessary — full names combined with addresses, dates of birth, or financial details. Employee HR records including disciplinary notes, salary information, or health data. Passwords, API keys, or access credentials of any kind. Source code that constitutes your core intellectual property. Documents subject to legal privilege or NDA. Anything from regulated industries (financial, medical, legal) that involves client-specific information.
The rule I use is simple: if you wouldn’t email this information to a stranger, don’t paste it into ChatGPT. Even the enterprise tier sends data to external servers. The DPA protects you legally, but it doesn’t eliminate risk.
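As an added example (not code from the original post), a small pre-submission "paste guard" that applies the red-line list above to text before it is sent to an AI tool: credentials of any kind are blocked outright, and personal data is flagged for review when several identifiers appear together. The patterns, verdict names and sample prompts are constructed for illustration and are not a complete DLP ruleset.

```python
import re

# Constructed, illustrative patterns for the red-line categories; not an
# exhaustive DLP ruleset. Anything matching a credential pattern is blocked
# outright; personal data is flagged for review when several indicators
# appear together (name + address + date of birth style combinations).
CREDENTIAL_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "api_key_sk": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

PERSONAL_DATA_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b"),
    "date_of_birth": re.compile(
        r"(?i)\b(dob|date of birth)\b[^\n]{0,20}?\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}"),
    # Approximate UK National Insurance number: two letters, six digits, A-D.
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


def check_prompt(text):
    """Classify text before it leaves the organisation.

    Returns (verdict, reasons): 'block' for any credential hit, 'review' when
    two or more personal-data indicators co-occur, otherwise 'allow'.
    """
    credential_hits = [f"credential:{name}"
                       for name, pat in CREDENTIAL_PATTERNS.items() if pat.search(text)]
    if credential_hits:
        return "block", credential_hits
    personal_hits = [f"personal_data:{name}"
                     for name, pat in PERSONAL_DATA_PATTERNS.items() if pat.search(text)]
    if len(personal_hits) >= 2:
        return "review", personal_hits
    return "allow", []


if __name__ == "__main__":
    # Constructed sample prompts of the kind an employee might paste.
    samples = [
        "Rewrite this for the client: the portal login is password=Hunter2!",
        "Summarise: John Smith, john.smith@example.com, DOB 12/03/1985, RG1 8AB",
        "Draft a polite reminder email about the Q3 invoice.",
    ]
    for sample in samples:
        verdict, reasons = check_prompt(sample)
        print(f"{verdict:6} {reasons} <- {sample[:50]}")
```

A single identifier on its own (one email address, say) is allowed through, which keeps the guard usable for everyday drafting while still catching the combinations the red-line list is about.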
Building an acceptable use policy
Every business using AI tools needs a written policy. It doesn’t need to be fifty pages. A good AI acceptable use policy for an SME fits on two pages and covers four things.
First, which tools are approved. Name them specifically — ChatGPT Team, Claude for Work, Microsoft Copilot — and state that no other AI tools should be used for business data without approval. Second, what data categories are prohibited. Use the red-line list above. Third, who reviews outputs before they go to clients. AI-generated content should always be reviewed by a human before it reaches a customer. Fourth, how to report mistakes. If someone accidentally pastes sensitive data into an unapproved tool, they need a clear, blame-free process for reporting it so you can assess the risk.
I helped one logistics company in the Thames Valley put this policy together in a single afternoon. Within a month, their team was using AI more — not less — because they finally knew what was safe. Productivity went up and the managing director stopped worrying about compliance. If you’re not sure where your cybersecurity posture stands, an assessment can identify the gaps quickly.
Security risks beyond GDPR
Data protection is the most visible risk, but it’s not the only one. There are three security considerations that I raise with every client considering AI adoption.
Prompt injection attacks are real. If you build customer-facing AI features — chatbots, automated support, AI-powered forms — attackers can craft inputs that manipulate the AI into revealing system instructions, bypassing access controls, or generating harmful outputs. Any AI that touches your customers needs to be tested for these attack vectors. The cybersecurity checklist I published covers the broader security foundations every SME needs.
Shadow AI is the bigger problem. When employees use unapproved tools on personal accounts, you lose all visibility. Data leaves your organisation through channels you can’t monitor, audit, or recover from. The fix isn’t banning AI — that just drives it underground. The fix is providing approved alternatives that are easier to use than the workarounds.
Supply chain risk is growing. If your software vendors are using AI to generate code, analyse your data, or make decisions, you need to know about it. Ask every vendor: do you use AI to process our data? If so, which models, where is the data processed, and what safeguards are in place? Add this to your vendor assessment process.
When to build custom vs use off-the-shelf
Most UK SMEs should start with off-the-shelf tools. ChatGPT Team or Enterprise, Microsoft Copilot, or Claude for Work handle 80% of common use cases: drafting communications, summarising documents, generating reports, answering internal questions, and brainstorming.
You should consider custom AI solutions when you need the AI to work with your proprietary data in a way that off-the-shelf tools can’t — for example, a customer-facing chatbot trained on your specific products, pricing, and policies. Or when regulatory requirements mean your data cannot leave your infrastructure. Or when the accuracy requirements are high enough that general-purpose models produce too many errors for your use case.
Custom doesn’t always mean expensive. A retrieval-augmented generation (RAG) system that answers questions from your own knowledge base can be built for £5,000 to £15,000 and runs at £100 to £300 per month. Compare that to the £3,000 per month you might spend on ChatGPT Enterprise licences for twenty users, and the maths sometimes favours building your own — especially if the AI is customer-facing and represents your brand.
A practical roadmap for AI adoption
If you’re starting from zero, here’s the sequence I recommend to every UK SME.
Week one: audit what’s already happening. Ask your team directly which AI tools they use and what data they put in. Don’t punish — you need honest answers. Week two: choose an approved platform and sign up for the business tier. Get a DPA in place. Week three: write your acceptable use policy and brief the team. Week four: identify your first high-value use case and run a pilot. Measure the hours saved. Month two onwards: expand to additional use cases based on what worked.
The AI readiness assessment is designed to help you identify exactly where to start. And if you want a structured conversation about what’s realistic for your business, the AI Readiness Quiz takes five minutes and gives you a personalised score.