What you need to know right now
Practical UK compliance guidance written for founders using AI tools — not for lawyers. No jargon. No hedging. Just what applies to you and what to do about it.
AI in your business: what you're actually responsible for
If your business uses any AI tool that touches personal data, you have obligations under UK GDPR that most founders have never been told about. This is a plain-English breakdown of what they are and how to meet them.
The six lawful bases explained — and which one your AI process actually uses
Legitimate interest is not a free pass. Most AI use cases require either consent or contract. Here is how to tell the difference and how to document your decision.
The EU AI Act is in force. Here is what UK businesses actually have to do
Despite Brexit, UK companies with EU customers, partners or data flows have real exposure under the EU AI Act. This is a plain-English breakdown of what applies to you and what doesn't.
How the ICO investigates AI-related complaints — and what triggers an inquiry
The ICO has been clear about its enforcement priorities for 2025 and 2026. AI data processing is near the top of the list. Here is what an inquiry looks like and how to avoid being the subject of one.
Your AI vendor's terms allow them to train on your client data. Did you know?
Most AI platforms include broad data use rights buried in their terms of service. If you're passing client data through those platforms, you may have already breached your own client agreements.
What a Record of Processing Activities actually needs to say about your AI tools
Most ROPA templates were written before AI tools were mainstream. Here is what your record needs to include when AI is in the processing chain — and what the ICO will look for if they ever ask.