20 May 2026

AI adoption is accelerating – but are we keeping sight of the risks?

By Jess Pembroke, Director of Information Law Services

I’ve written before about how the responsibility for AI governance is increasingly falling to information governance and data protection professionals, often by default rather than design. As organisations move quickly to adopt AI tools, it is frequently Information Governance/Data Protection teams who are asked to interpret legal obligations, assess risk, challenge assumptions and provide reassurance to senior leaders, often without additional resource or training. What struck me most, however, wasn’t the technology itself but how quickly its use is outpacing wider organisational understanding of the legal and governance obligations that come with it[1].

Most senior leaders now recognise that AI adoption is accelerating across every sector. What is less well understood are the information governance risks that sit alongside it. These are very live issues on which organisations are already being challenged in the courts and in the media.

Automated decision-making and human oversight

One of the most significant risks arises from automated decision-making under the UK General Data Protection Regulation (GDPR). The Data Use and Access Act 2025 changes this in the UK, moving us away from the tighter EU GDPR rules. However, the law still places limits on decisions made solely by automated means where they have a legal or similarly significant effect on individuals and especially where special category data is involved.

This is particularly relevant in areas such as recruitment, promotion, performance management and equalities or health. In many cases, the use of AI in these contexts is either prohibited or only permitted under very narrow conditions. Meaningful human involvement is not optional; it is essential for the use of the AI to be lawful.

AI products can be seen as an IT issue, but colleagues outside of data/IT and legal teams, particularly in Human Resources[2], need to be fully aware of the constraints. AI tools are being marketed as cost-saving and problem-solving, but they may create more problems than they solve.

DPIAs are not optional

As with any new system that processes personal data, most AI use cases will require a Data Protection Impact Assessment (DPIA).

AI often introduces heightened risks because of its scale, opacity and potential impact on individuals’ rights. DPIAs are not a bureaucratic hurdle; they are a practical tool to identify risks early, test assumptions and ensure appropriate safeguards are in place before deployment.

Reuse of existing data: a hidden risk

Another common misconception is that existing data can simply be reused in AI tools or for analytics purposes. Data limitation principles still apply. Just because data was lawfully collected for one purpose does not mean it can automatically be repurposed for AI training or insight generation.

Organisations need to be clear about what their data was collected for, whether secondary use is compatible, and how this has been communicated to individuals.

Privacy notices need to look forward, not back

AI capability evolves quickly. Privacy notices that only describe current processing may quickly become outdated.

Organisations should be thinking about what they might want to do with AI in the future and ensuring privacy information is drafted and regularly reviewed.

The risk of “shadow AI”

Another real and present risk is staff using free, consumer AI tools and inputting personal or corporate data with little or no protection.

Many organisations prohibit this in a written policy, but policy alone is often not enough. Increasingly, we are seeing organisations restrict or block access unless AI tools are procured and configured at an enterprise level, with appropriate contractual, security and governance controls.

Support and Training on AI

We support organisations with:

  • DPIAs for AI and other high-risk processing
  • Privacy notice drafting and review
  • Supplier and AI tool due diligence

Join our AI & Data Protection Law Course
Ideal for those who want practical, accessible training to prepare for AI’s evolving risks and the responsibilities that come with AI use. This course will next run on 9 June (9:30am-1pm). Book your place now!


[1] UK could adopt EU single market rules under new legislation – BBC News

[2] Responsible AI in Recruitment – GOV.UK
