Implementing AI at work — your legal obligations

We explore how AI is transforming data protection, the risks that organisations now face and what effective compliance looks like today.
Authors: Laura Keane, Eleanore Beard, Sara Ludlam

Data protection day has always been about raising awareness of privacy rights and compliance obligations. However, the arrival of AI has introduced a level of complexity that most organisations are still grappling with — from hyper-realistic phishing to deepfake fraud and data collection at an unprecedented scale. Regulations are struggling to keep pace and the risks are evolving faster than traditional compliance frameworks can handle.
That’s why our data protection team held a webinar to provide attendees with a clear understanding of the current regulatory landscape, insights into specific AI risks (and how to address them), compliance strategies that work in practice and how to align cybersecurity with data protection.
This really is a must-watch for any organisation using AI — particularly generative AI and large language models (LLMs). You can view a replay of the webinar to get our in-depth guidance and we’ve pulled out some key takeaways below.

Excitement around the efficiencies that AI can offer often means that the data protection consequences of implementing such technologies are overlooked. There are also the issues of confidentiality and intellectual property (IP) protection to consider.
Those who purchase AI systems for a business often fail to consult their legal and risk/compliance teams before doing so. This can result in you signing up to legal agreements that give away your ‘crown jewels’ without realising. It may also increase your risk of breaching legal obligations under the UK GDPR, potentially exposing your business to significant fines.
If you wouldn’t invite your competitors into your business and allow them to access your confidential data, you shouldn’t implement an AI system without the appropriate safeguards in place. The two are equivalent and must be seen as such.
Legal problems will arise when you provide access to an AI system that can crawl your data with no restrictions on use. Some sensible and practical safeguards therefore include preventing access to important and confidential information and checking the terms through which the AI is being supplied to find out who else will be able to access the material that’s shared with the AI system.
Ultimately, as AI systems become more advanced and handle increasing volumes of personal data, the risk of breaches will rise. New questions will also need to be navigated around fairness, transparency and explainability — so building in legal compliance from the outset (and re-evaluating your position regularly) is critical.
The GDPR principles highlight that if the information you share with an AI system includes personal data, you must fulfil your legal obligations.
These include ensuring that you have:
Ideally, your business will have carried out a data protection impact assessment (DPIA) before implementing AI software that’ll process personal data for which you’re responsible.
It is you, not the AI software owner, who may be fined for breaches of the UK GDPR — alongside the associated reputational damage — since you’re responsible for that personal data.
To carry out an effective DPIA, you’ll need an up-to-date record of the processing activities that the business carries out on personal data using the AI system. This is referred to by data protection geeks (like ourselves) as a record of processing activities, or ROPA.
If you need guidance or help with carrying out a DPIA or ROPA — or if you’d simply like to chat about whether your business is at risk and how to practice effective data protection — give us a call on 0333 004 4488, send us an email at hello@brabners.com or message us.

Sara Ludlam
Sara is a Partner and Chartered Trade Mark Attorney in our commercial and intellectual property (IP) team.
Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.