Artificial intelligence entered small businesses without an organized legal and technical assessment. A shop uses ChatGPT for product descriptions. An e-shop tests Claude or another AI assistant for customer questions, with a human checking the answers. An accounting office tests a tool that summarizes documents. A service company writes offers, emails and posts with AI. An employer considers using software that “sorts” CVs.
The first reaction is often practical: if it saves time, why not use it? The second is fearful: is it now prohibited? The right answer lies in the middle. The AI Act, meaning Regulation (EU) 2024/1689 on artificial intelligence, does not generally prohibit the use of tools such as ChatGPT, Claude or other AI assistants. It does, however, set rules according to the risk, the role of the business and the output produced by the system.
Start from the use, not from the tool
The same AI tool can be a simple aid when it writes a draft email, but much more sensitive when it is involved in recruitment, credit, insurance, education or access to essential services.
For a small Greek business, the key question is not "should I stop using AI?". It is simpler and more serious: where do I use it, what data do I put into it, who checks the output, does the customer have to be informed, and does my use touch sensitive decisions such as recruitment, assessment, credit, insurance, education or access to services?
This article is a practical guide. It is not a technical manual and it does not replace legal advice. Its aim is to help a professional distinguish everyday low-risk use from use that needs internal rules, and from use that should not happen without a specific review.
In practice, the legal issue is not to demonize AI. It is to have a simple usage policy: what may be entered into the tool, who checks the output, when the customer is informed and when legal or technical assessment is needed before the system becomes part of daily operations.
What the AI Act is in simple terms
The AI Act is the first unified European regulation for artificial intelligence systems. The European Commission presents it as a risk-based framework: the greater the risk to safety, health, fundamental rights or important decisions about people, the heavier the obligations.
Not all AI tools are treated the same. A tool that suggests social media titles does not carry the same weight as a system that evaluates job candidates or gives personalized instructions without human oversight.
The logic of the regulation is tiered. Some practices are prohibited outright. Some systems are high-risk and require strict compliance. Some carry mainly transparency obligations. Most everyday low-risk tools will not need a heavy compliance file, but that does not mean they can be used without order.
For small businesses this means something very specific: do not start from the name of the tool; start from the use. Drafting an email is one thing; using the same tool to exclude a customer, employee or candidate from something important is another.
The dates that matter in 2026
The AI Act entered into force on 1 August 2024 and applies gradually. The official European Commission page and the AI Act Service Desk show that, already from 2 February 2025, the general provisions, definitions, prohibited practices and the AI literacy obligation (Article 4) apply, meaning the obligation that people who use or operate AI on behalf of the business have sufficient understanding of its use and risks.
From 2 August 2025, rules apply for providers of general-purpose models, such as large AI models. This concerns more directly companies that create or make such models available, but it also matters to small businesses because it affects their suppliers.
The major practical date for many businesses is 2 August 2026, when most rules and the transparency obligations of Article 50 begin to apply. The Commission has also announced, as part of the AI Omnibus, a political agreement for later application of certain high-risk obligations. Because the framework is evolving, a small business should not rely on a single date. It should organize its AI use now.
| Date | What it means in practice | What a small business should do |
|---|---|---|
| 1 August 2024 | The AI Act entered into force | Start mapping AI uses |
| 2 February 2025 | Definitions, prohibitions (Article 5) and AI literacy apply | Give basic training to those who use AI and stop any prohibited practice (for example, emotion recognition of employees in the workplace) |
| 2 August 2025 | Obligations apply for providers of general-purpose AI models | Check AI suppliers and their terms |
| 2 August 2026 | Core transparency obligations and wider application begin | Have customer notices, usage policies and risk review in place |
| 2027-2028, depending on category | Some high-risk timelines move because of simplification | Seek specific assessment before using AI in HR, credit, critical services or regulated products |
Are you a provider, deployer or simple user?
The AI Act uses roles. For small businesses, the most common role is deployer: the business uses an AI system in its professional context. It did not build the system itself, but it puts it into its daily operations. A repair shop that adds a chatbot to its website, an e-shop that uses AI for product recommendations or an office that uses ChatGPT to draft texts is usually a deployer.
A provider is the person or company that develops or places the AI system on the market under its own name. A small business can become a provider if it builds its own chatbot and sells it to others, or if it incorporates AI into a product or service that it offers as its own solution.
Many businesses do not build AI from scratch, but heavily configure a ready-made system: they upload a knowledge base, give instructions and put it in front of customers. Even then, the business has responsibility for the use, the data and the promises made to the user. And under Article 25 of the AI Act, a business that puts its own name on a high-risk system, substantially modifies it or changes its intended purpose can itself be treated as a provider, with the provider's obligations.
ChatGPT for everyday work: what to watch
Using ChatGPT or a similar tool for ideas, draft texts, translations, summaries or internal organization is usually low-risk, provided that sensitive or confidential data is not entered and that there is human review. The problem is not that you wrote an email with AI. The problem is copying customer data, contracts or business secrets without knowing where they go and how they are stored.
A practical policy for a small business can be short, but it must be clear. It should say which tools are allowed, for which uses, what may not be entered, who approves use in customer communication and when review by a responsible person or legal adviser is required.
| ChatGPT use | Usual risk | Rule for a small business |
|---|---|---|
| Ideas for social media or a blog | Low, if no personal data is entered | Allowed with accuracy and style review |
| Summary of a public text | Low to moderate | Check fidelity and keep the source |
| Translation of a customer contract | Moderate to high | Not without permission, anonymization and confidentiality review |
| Reply to a customer about rights/obligations | Moderate to high | Use only as a draft, never as automatic final advice |
| Assessment of job candidates | High | Do not do it without specific legal/HR review |
| Automatic decision on credit, discount or customer rejection | High | Require specific assessment and human oversight |
The basic principle is simple: the closer AI is to a decision that affects a person, the more careful the business must be. The more assistive and internal the use is, the more simply it can be organized, without ignoring confidentiality.
Chatbot on a website or e-shop
A chatbot is more sensitive than an internal tool because it talks to customers. Even if it answers simple questions, the user must understand that they are not talking to a human when this is not obvious. The transparency obligations of Article 50 of the AI Act will become practically critical from 2 August 2026. In 2026, the European Commission published draft guidelines on transparency obligations precisely for systems that interact with people or generate synthetic content.
For a small business, the safest solution is to inform the user clearly from the start: “You are talking to an automated assistant. For contract, payment, complaint or legal claim matters, a human will respond.” Excessive wording is not needed. What is needed is not to create the impression that a human checks every answer when that is not the case.
The second point is personal data. A chatbot in an e-shop may collect a name, email, order number, address or description of a problem. That brings in the GDPR. The privacy policy must explain what data is collected, for what purpose, who the provider is, whether there is any transfer outside the EU and how long conversations are kept.
The third point is the limit of the answers. A chatbot can provide opening hours, return policy, order status or basic instructions. It should not promise things that bind the business if it has no such authorization. For example, the phrase “you are definitely entitled to compensation” is risky. A better answer is: “I will forward your request to the competent department for review.”
AI literacy: the obligation many ignore
AI literacy does not mean that all employees must become artificial intelligence engineers. It means that those who use AI on behalf of the business must have sufficient knowledge of the basics: what the tool can do, what it cannot do, what risks exist, how personal data is avoided, how accuracy is checked and when human/legal assessment is requested.
Article 4 of the AI Act has applied since 2 February 2025. The European Commission’s official Q&A explains that the obligation takes into account technical knowledge, experience, education and the context of use. So a small business does not need a multinational-level program. It does, however, need to show that it did not let everyone use AI however they wanted.
In practice, a two-hour internal training session, a short usage policy and a monitoring file may be enough for the first level of order. Who was trained? Which tools does the company use? Which data is prohibited? Who approves a new use?
The mistakes a small business should avoid
The first mistake is using an employee’s personal account for company work. If the employee leaves or customer data has been entered, the business loses control. Corporate use needs company accounts, access permissions and basic rules.
The second mistake is uncritical data copying. Many people upload invoices, customer lists, CVs, emails or contracts to AI because they “want a summary”. If the provider, the contract, the privacy policy and the storage settings have not been checked, this can create GDPR, trade secret and confidentiality problems.
The third mistake is publishing AI text without review. AI can make mistakes, invent sources, confuse laws or write in a misleading way. In articles, advertisements, legal information, prices, terms of sale and customer replies, human review is not decorative. It is necessary.
The fourth mistake is using AI in HR without serious review. Automatic CV scoring or candidate ranking can touch high-risk areas. It is not the same as a simple draft job advertisement.
The fifth mistake is confusing the AI Act with the GDPR. One does not replace the other. An AI use may be low-risk under the AI Act but problematic under the GDPR if you feed personal data without a legal basis or notice. A DPIA (Article 35 GDPR) may also be needed where processing with new technologies is likely to create a high risk to rights and freedoms.
A practical 10-step framework
You do not need a heavy compliance department. You need a minimum framework that can withstand a review, complaint or mistake.
| Step | What I do | Evidence I keep |
|---|---|---|
| 1 | Write down which AI tools are used | Tool list, provider, use |
| 2 | Separate uses into internal, customer-facing and decision-making | Short risk register |
| 3 | Prohibit specific data in public AI tools | Internal usage policy |
| 4 | Train staff who use AI | Date, material, participants |
| 5 | Check provider terms and privacy settings | Terms link/file, notes |
| 6 | Update the privacy policy where there is a chatbot or AI processing | Updated privacy policy |
| 7 | Add a clear notice that the user is talking to a chatbot | Notice text on the website |
| 8 | Define when a human intervenes | Escalation procedure |
| 9 | Avoid AI in HR/credit/sensitive decisions without specific review | Management decision or legal opinion |
| 10 | Periodically check whether the use or provider has changed | Review date |
The most important thing is consistency. If the policy says “we do not upload personal data”, but employees do it every day, it is not worth much. If the chatbot promises returns or compensation without a human, the practice cancels the rule.
Examples by type of business
| Business | Useful AI use | Red line |
|---|---|---|
| E-shop | Product descriptions, FAQ, ticket classification | Full customer data in an unchecked tool, binding answers about returns without a human |
| Accounting office | Draft updates, summaries of public circulars | Tax returns, payrolls, tax numbers or customer details in a public AI tool |
| Consulting or law office | Outline, language improvement, structure ideas | Court documents, sensitive details or final legal conclusion without human review |
| Customer support | Chatbot for opening hours, orders and tracking | Complaints, compensation, reports or legal claims without escalation to a human |
| HR/recruitment | Draft job advertisement | Automatic scoring, rejection or ranking of candidates without specific review |
The logic is common: the closer AI is to confidential data or a decision that affects a person, the stricter the framework must be.
What to put in the business AI usage policy
A small AI usage policy does not need to be 30 pages. It can be 2-4 pages, as long as it answers the basics clearly.
First, which tools are allowed. Second, which uses are allowed: draft texts, ideas, translations of public material, internal organization. Third, which uses are prohibited without approval: customer personal data, financial details, CVs, medical data, contracts, confidential documents, automated decisions.
Fourth, who checks the output. Every AI text that is published, sent to a customer or affects a right must pass through a human. Fifth, what happens if there is an incident, such as mistakenly entering a customer list into an AI tool. The policy should require immediate internal reporting, not concealment.
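The policy points above (prohibited data, human review, incident reporting) and the chatbot escalation rule from the website section can be enforced in software rather than left to memory. The following is an added illustration written for this article, not code from the article's author or from any AI provider. It gates a prompt before it leaves the business: it replaces emails, IBANs, Greek phone numbers and Greek tax numbers (AFM, verified with the commonly documented checksum so order numbers are not flagged) with placeholders, marks the prompt as needing approval, records the finding without the data itself, and routes customer messages about complaints, compensation or legal claims to a human. The patterns, placeholder labels, escalation terms and sample texts are all assumptions of this example, not requirements of the AI Act.

```python
"""Prompt gate for a small-business AI usage policy (added example).

Illustrative code written for this article. Every regex, label, escalation
term and sample text below is an assumption of the example, not a legal
requirement.
"""
import re
from dataclasses import dataclass, field

# Data categories the (assumed) policy forbids in public AI tools.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Simplified IBAN shape: country code, two check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# Greek landline (2 + nine digits) or mobile (69 + eight digits), optional +30.
PHONE_RE = re.compile(r"(?<!\d)(?:\+30\s?)?(?:2\d{9}|69\d{8})(?!\d)")
# Any isolated nine-digit number is a candidate Greek tax number (AFM).
NINE_DIGITS_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")
# Terms that the (assumed) escalation procedure sends to a human.
ESCALATE_RE = re.compile(
    r"\b(compensation|complaint|refund|damages|lawyer|legal claim|court)\b", re.I
)
AUDIT_LOG: list[dict] = []  # records what was found, never the data itself


def is_valid_afm(digits: str) -> bool:
    """AFM checksum: weights 2^8..2^1 over the first eight digits;
    (sum mod 11) mod 10 must equal the ninth digit."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) << (8 - i) for i, d in enumerate(digits[:8]))
    return total % 11 % 10 == int(digits[8])


@dataclass
class GateResult:
    text: str                       # prompt with placeholders substituted
    findings: list[str] = field(default_factory=list)
    needs_approval: bool = False    # policy: prohibited data needs sign-off


def redact_prompt(prompt: str, user: str = "unknown") -> GateResult:
    """Replace prohibited data with labelled placeholders and log the event."""
    result = GateResult(text=prompt)

    def scrub(pattern, label, text, validator=None):
        def repl(m):
            if validator is not None and not validator(m.group(0)):
                return m.group(0)           # e.g. an order number, not an AFM
            result.findings.append(label)
            return f"[{label}]"
        return pattern.sub(repl, text)

    text = scrub(EMAIL_RE, "EMAIL", result.text)
    text = scrub(IBAN_RE, "IBAN", text)     # before the digit rules: IBANs contain digits
    text = scrub(PHONE_RE, "PHONE", text)
    text = scrub(NINE_DIGITS_RE, "AFM", text, validator=is_valid_afm)
    result.text = text
    result.needs_approval = bool(result.findings)
    if result.findings:
        # Internal reporting, as the policy requires, without storing the data.
        AUDIT_LOG.append({"user": user, "findings": sorted(set(result.findings))})
    return result


def route_customer_message(message: str) -> dict:
    """Chatbot escalation: binding topics go to a human, everything else to the bot."""
    hits = sorted({m.group(0).lower() for m in ESCALATE_RE.finditer(message)})
    if hits:
        return {
            "route": "human",
            "reason": hits,
            "reply": "I will forward your request to the competent department for review.",
        }
    return {"route": "bot", "reason": [], "reply": None}


if __name__ == "__main__":
    # Constructed sample input for this example (fictitious person and numbers).
    sample = ("Summarise the case of Maria K., AFM 123456783, "
              "email maria.k@example.com, tel 6912345678, order 987654321")
    gate = redact_prompt(sample, user="accounting-1")
    print(gate.text)              # AFM, email and phone become placeholders
    print(gate.needs_approval)    # True
    print(route_customer_message("I want compensation for the broken item"))
```

The point of the checksum is false positives: an order number that happens to have nine digits should not block a harmless prompt, or staff will learn to bypass the gate. The audit entry stores only the category of what was found, so the log itself does not become a second copy of the personal data.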
When a lawyer or DPO is needed
Not every simple AI use needs to go through a lawyer. Specific review is needed, however, when AI processes personal data at scale, when it makes or influences decisions about people, when it is used in recruitment, or when it concerns children, health, financial assessment or access to essential services.
The DPO, if there is one, should be involved early in uses that touch personal data. If there is no DPO, there should at least be a person responsible within the business who can work with a technical adviser, legal adviser or IT provider. Artificial intelligence is not only a legal issue, but also an organizational one.
Short checklist before buying an AI tool or chatbot
Before paying for an AI tool, ask for answers to the basics:
- Where is the data hosted?
- Is our data used to train the model?
- Is there an option to disable training/use of prompts?
- Is a data processing agreement signed where needed?
- Can I delete conversation histories?
- Are there audit logs and per-user access rights, so you can see who entered what?
- Can I add human approval before critical answers?
- How is the end user informed that they are talking to AI?
- What support does the provider give for AI Act/GDPR compliance?
- What happens if the tool makes a mistake or leaks information?
If the provider cannot answer the basics, the low price is not enough of an argument. The most dangerous tool is the one that goes into production without anyone knowing what it does.
FAQ
Can I use ChatGPT in my business?
Yes, but with rules. For ideas, drafts and assistive use, there is usually no problem if you do not enter personal or confidential data and if you check the output.
Must I tell the customer that I used AI?
If the customer interacts with an AI system, such as a chatbot, they must be clearly informed when this is not obvious. Article 50 also requires labelling of deepfakes and of AI-generated text published to inform the public on matters of public interest, unless a human has reviewed the text and someone holds editorial responsibility for it.
If I use a ready-made chatbot from a third-party company, is only the provider responsible?
No. The provider has its own obligations, but the business is responsible for how it installs it, what data it collects, what it says to the customer, what limits it sets and whether it complies with GDPR and consumer rules.
Do I need to do a DPIA?
Not always. Assessment is needed when processing, especially with new technologies, is likely to create a high risk to rights and freedoms. A chatbot with simple FAQ may not need a DPIA, while AI for HR, customer profiling or sensitive data may need one.
Can I put customer details into ChatGPT?
Only if there is a clear legal basis, notice, a suitable provider, contractual safeguards and technical measures. In practice, for small businesses the safest rule is not to enter personal data into public AI tools without specific approval and anonymization.
Is it illegal to use AI for recruitment?
It is not generally illegal, but it is a high-risk area: Annex III of the AI Act lists recruitment, candidate evaluation and selection among high-risk uses. Automated classification, scoring or rejection of candidates can create serious obligations and discrimination risks. It should not be done without specific legal and technical review.
Conclusion
The AI Act did not arrive to cut the productivity of small businesses. It came to set limits where artificial intelligence affects people, data and rights. Write down which tools you use. Train your people. Do not upload personal data without review. Inform users clearly when the customer talks to a chatbot. And do not let AI make decisions about people without specific assessment.
Artificial intelligence can help a small business work faster. But customer trust is not automated. It is built with transparency, control and responsibility.
Sources and research notes
- European Commission, AI Act regulatory framework
- AI Act Service Desk, Timeline for the implementation of the EU AI Act
- EUR-Lex, Regulation (EU) 2024/1689 Artificial Intelligence Act: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
- AI Act Service Desk, Article 2 Scope: https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-2
- AI Act Service Desk, Article 4 AI literacy: https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-4
- European Commission, AI Literacy Questions & Answers
- European Commission, first AI Act rules applicable: https://digital-strategy.ec.europa.eu/en/news/first-rules-artificial-intelligence-act-are-now-applicable
- European Commission, guidelines on prohibited AI practices: https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-prohibited-artificial-intelligence-ai-practices-defined-ai-act
- European Commission, consultation on transparency obligations under Article 50 AI Act: https://digital-strategy.ec.europa.eu/en/consultations/consultation-draft-guidelines-transparency-obligations-under-ai-act
- European Commission, draft guidelines on transparency obligations under Article 50: https://digital-strategy.ec.europa.eu/en/library/draft-guidelines-implementation-transparency-obligations-certain-ai-systems-under-article-50-ai-act
- European Commission, General-purpose AI obligations under the AI Act: https://digital-strategy.ec.europa.eu/en/factpages/general-purpose-ai-obligations-under-ai-act
- European Commission, General-Purpose AI Code of Practice: https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai
- Hellenic Data Protection Authority, responsibilities and duties: https://www.dpa.gr/en/hdpa/responsibilities_duties_powers
- Hellenic Data Protection Authority, Data Protection Impact Assessment (DPIA)