The moment client information goes into an AI tool, you are processing personal data, and often special category data too. The UK GDPR does not carve out an exception because the processing is clever. The familiar duties apply, and a small firm can meet them with a clear head rather than a large budget.

Lawful basis and minimisation

You need a lawful basis for the processing, and you should put in no more personal data than the task requires. Pasting an entire file into a tool to ask a narrow question breaches the principle of data minimisation. Strip out what is not needed, and keep special category data out unless the basis for it is clear.

The provider is your processor

When a tool processes data on your instructions, the provider is a processor, and you need a contract that meets Article 28, setting out what they may do with the data and the security they must keep. You remain the controller and the accountable party. If the tool, or a sub-processor behind it, sits outside the United Kingdom, you also need a lawful transfer route such as the UK addendum or an adequacy finding.

Assess the risk before you start

Where a new tool processes personal data on any scale, a short data protection impact assessment records the risks and how you have reduced them. It is also the document that shows the ICO, or a client, that you thought it through. The confidentiality side sits in client confidentiality when using AI tools.

None of this is exotic. It is the discipline you already apply to client data, extended to one more place that data now travels.

The ICO's guidance on AI and data protection works through these questions at length.

If the questions in this piece have no written answers in your firm, a short review with us produces them: start with a conversation.