
AI, your data and UK data protection: what a leader needs to get right

Simon Devine

Managing Director

July 2026·5 min read
Feeding your business data into an AI tool is a data protection decision, not just a technology one. UK GDPR obligations do not pause because the tool is impressive, and the questions the ICO will ask are ones you should be asking your vendor before you sign anything.

The demo is exciting. The part that bites later is quieter: whose data went into the tool, and who can see what comes out of it. AI does not arrive with its own exemption from the rules, and a mid-market business that treats it as if it does is taking on a risk it has not named. This is not a reason to do nothing. It is a short list of things to get right so you can move with confidence rather than later regret.

AI does not suspend data protection.

UK GDPR and the Data Protection Act still apply, in full, to anything an AI tool does with personal data. If a model is trained on, or answers questions about, your customers, employees or contacts, the same obligations you already have (lawful basis, purpose, security, the rights of the people in the data) all still hold. The technology is new. The duties are not. This guide is practical rather than legal, and anything touching personal data is worth a word with your data protection adviser, but the shape of it is not complicated.

The two questions to answer before you switch anything on.

Most of the risk is covered by two questions. First, what personal data does this tool touch, where does it come from, and on what basis are you using it that way? Second, who can see what it returns? An assistant surfaces whatever it can reach, so if access is loose, the friendly chat box becomes the quickest route to someone seeing a salary, a health note or a customer record they had no business seeing. Answer those two and you have dealt with most of the exposure.

Where mid-market businesses trip up.

The most common mistake is not exotic. It is people quietly pasting business or client data into a public, consumer AI tool to save themselves time, with no idea where that data then goes. Close behind is switching on an assistant over an estate with no proper access control, so it cheerfully answers questions it should refuse. And third, no lineage, so when a decision made with AI is later challenged, nobody can show how the number was reached or what it was based on. None of these is about the cleverness of the model. All of them are about the plumbing around it.

Keep it inside your own tenant.

The single most useful principle is to keep your data inside your own controlled environment. Microsoft Fabric, Power BI Copilot and the Fabric data agent operate within your own Microsoft tenant, under your existing identities and security, rather than sending your data off to a public service. That is a different proposition entirely from pasting the same information into a free chatbot. Using the AI built into the platform you already govern is how most mid-market businesses get the value without taking on the exposure.

Practical, not paralysed.

A sensible baseline is short. Agree, in plain terms, what may and may not be put into which tools. Make sure access through any assistant respects the security you already have, tied to your existing identities. Keep lineage so any AI-assisted number can be traced and defended. And give people a sanctioned, safe tool so they are not tempted to reach for an unsafe one. That is enough to move sensibly. The goal is not a policy binder nobody reads. It is the confidence to say yes.
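The access and lineage points above, as an added example that is not part of the original article: an assistant's retrieval step that only surfaces records the caller could already read under the source system's own permissions, and records which sources fed the answer so the result can be traced later. The records, groups and ACLs are constructed samples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    ref: str                   # stable identifier, kept for lineage
    text: str
    allowed_groups: frozenset  # groups that may read it, mirroring the source system's ACL

@dataclass
class Answer:
    snippets: list   # text the assistant may build its reply from
    sources: list    # lineage: the record refs the reply was based on

# Constructed sample estate (hypothetical data). The ACLs belong to the systems of
# record; the assistant inherits them rather than inventing its own.
ESTATE = [
    Record("hr/pay/0042", "Salary band for A. Example: L4", frozenset({"hr-payroll"})),
    Record("hr/health/0042", "Occupational health note: adjusted duties", frozenset({"hr-occ-health"})),
    Record("sales/acct/acme", "Acme renewal due Q3, contact J. Example", frozenset({"sales", "finance"})),
    Record("wiki/holiday-policy", "Annual leave: 25 days plus bank holidays", frozenset({"all-staff"})),
]

def retrieve(query: str, caller_groups: frozenset, trim: bool = True) -> Answer:
    """Return records matching the query. With trim=True (the safe setting) only
    records the caller may already read are surfaced; trim=False reproduces the
    'loose' behaviour where the assistant answers from everything it can reach."""
    query_words = {w.lower() for w in query.split()}
    hits = []
    for rec in ESTATE:
        rec_words = {w.lower().strip(":,.") for w in rec.text.split()}
        if not query_words & rec_words:
            continue
        if trim and not (rec.allowed_groups & caller_groups):
            continue  # the caller cannot read the source, so the assistant must not surface it
        hits.append(rec)
    return Answer([r.text for r in hits], [r.ref for r in hits])

def sales_rep_asks_about_example() -> Answer:
    # A sales rep (member of all-staff and sales) asks about "Example".
    return retrieve("Example", frozenset({"all-staff", "sales"}))

def loose_assistant_asks_about_example() -> Answer:
    # Same question through an assistant with no permission trimming.
    return retrieve("Example", frozenset({"all-staff", "sales"}), trim=False)
```

Compare the `sources` of the two answers: the trimmed one cites only the sales record, while the loose one also surfaces the payroll record the rep was never entitled to see.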

So this week, ask one question around the business: is anyone pasting company or client information into a public AI tool to get their work done faster? It is the most common exposure and the most avoidable, and the fix is usually to give people a governed alternative rather than to forbid the thing they were trying to do. Getting access, lineage and sanctioned tooling right is the heart of our analytics strategy work and of building AI safely on a Microsoft Fabric estate. Move with care and you can move quickly. Skip it and the cost arrives later, with interest.

Simon Devine

Managing Director

Part of the Hopton Analytics team, delivering governed analytics programmes for UK mid-market organisations.
