8 steps to develop a data protection-compliant AI strategy for your company
GDPR and AI for SMEs are primarily a matter of clear data flows, responsibilities, and realistic risk assessment. This article shows you which criteria are truly crucial before deploying AI tools.

If you want to use AI in your company, you need to clearly separate two levels: the GDPR applies as soon as AI tools process personal data, and the EU AI Act supplements this obligation with a risk-based logic. For SMEs, this doesn't mean that every automation is a legal problem. It primarily means clarifying, before starting, which data flows, on which legal basis the processing takes place, and how the tool is introduced organizationally.

In my projects over many years, I've observed a recurring pattern: small businesses rarely fail due to technical issues. They fail due to unclear processes, a lack of defined responsibilities, and the fact that no one can clearly define where data goes. This is precisely where uncertainty about the GDPR, AI in the company, and automation arises. This article is therefore not a legal commentary, but a clear decision-making logic for everyday life in SMEs.

The most important distinction is this: not every AI tool is automatically critical. An AI tool becomes critical when personal data, automated assessments of people, or sensitive decisions come into play.

Correctly classifying GDPR and AI for SMEs

For many companies, the combination of the GDPR and the EU AI Act initially appears more significant than it actually is in practice. The GDPR already regulates the processing of personal data very specifically. Article 6(1) of the GDPR requires a suitable legal basis for any lawful processing of personal data, such as consent, performance of a contract, or compliance with a legal obligation. Source: gdpr-info.eu.

The EU AI Act is added as a second layer. The regulation entered into force on August 1, 2024. However, the obligations do not apply all at once, but are phased in over time, as the EU Commission explains. Source: digital-strategy.ec.europa.eu.

This is important for SMEs because you don't have to treat every tool the same. The EU AI Act works with risk classes: the closer a system is to sensitive decisions about people, access, evaluation, or monitoring, the greater the need for auditing.

  • GDPR question: Is personal data being processed?
  • Organizational issue: Is the deployment internally regulated, documented and approved?
  • AI Act question: Does the application belong in an area with increased risk, or is it more supportive and manageable from an organizational perspective?

Most SMEs don't use AI tools for high-risk systems, but rather for marketing, sales processes, documents, internal knowledge databases, or recurring automation. That's precisely why there's no need to panic, but rather to implement them systematically.

The first question before using any tool: What data is actually flowing?

Before you start thinking about data protection texts, contracts, or policies, you need a simple picture of the data flow. In many small businesses, the honest answer at the beginning is: nobody really knows. One team uses a text tool, another team uploads PDFs, someone connects the CRM to a newsletter system, and suddenly AI is embedded throughout the MarTech stack without the owner having a complete overview.

Therefore, I almost always start with three simple questions:

  • What inputs end up in the tool? Free text, customer data, offer data, CVs, support requests, internal documents.
  • Which people are affected? Customers, prospects, employees, applicants, suppliers.
  • What does the tool do with the data? Simply rephrase, summarize, classify, prioritize, evaluate, or prepare decisions.

This preliminary work sounds trivial, but in practice it's the key. If you clearly see the data flow, it also becomes clear whether personal data is involved at all, whether order processing (processing on your behalf) is present, and whether a third-country transfer needs to be checked.

The 7 test points before using AI tools

1. Does the AI tool process personal data?

The GDPR only directly applies when personal data is processed. This includes not only names and email addresses, but also customer numbers, call notes, photos, location data, IP addresses, or combinations that can identify individuals. If you create proposals using customer data or analyze support emails, you are almost always operating within the realm of data protection.

2. What is the legal basis for the processing?

The central question is not whether a tool is modern. The central question is why you are allowed to process the data. That's exactly why you need a legal basis under Article 6 of the GDPR. In SMEs, typical legal bases are contract fulfillment, legitimate interests, or, in individual cases, consent. An AI application does not replace the legal basis. An AI application itself requires a sound legal basis.

3. Is order processing (processing on your behalf) taking place?

When a provider processes data on your behalf, the question of a data processing agreement obviously arises. Many SaaS and AI tools fall precisely into this category. In practical terms, this means you not only check features and price, but also contract documents, role assignments, and technical settings. For small teams, this is often the point where a quick preliminary review saves more time than cleaning up later.

4. Is there a transfer to a third country?

Many AI tools are not entirely located within the EEA, either technically or organizationally. If data flows to or is accessible from a third country, you must check the third-country transfer under the relevant data protection regulations. This isn't just a topic for large corporations. It's everyday business as soon as US services, global hosting structures, or external APIs are involved. Purchasing a tool without considering data location is one of the most common mistakes SMEs make when starting out.

5. Is profiling involved?

Profiling is defined in Article 4 No. 4 GDPR as automated processing of personal data for the evaluation or prediction of personal aspects. Source: gdpr-info.eu.

This is relevant for marketing and CRM when a system evaluates leads, estimates purchase probabilities, predicts response patterns, or categorizes people into segments. Not all automation is profiling. But many seemingly harmless scoring or prioritization functions are closer to it than companies initially realize.

6. What transparency obligations exist?

Affected individuals must be able to understand what happens to their data. For SMEs, the transparency obligation means above all: data protection notices, internal processes, and communication must reflect actual usage. If you use customer data in automated processes, the description shouldn't sound like everything is done manually. Transparency isn't just a formality. Transparency reduces queries, mistrust, and friction.

7. Who is authorized to release the tool and how is its use documented?

This question is often overlooked in small businesses, yet it's crucial. Someone needs to define which data can be entered, which data is off-limits, which teams will use the tool, and what alternatives apply to sensitive processes. This is precisely where a small AI readiness check and a simple release logic help significantly more than ten unused policy documents.

Typical SME applications in comparison

I often use the following overview, in a similar form, as a starting point when we prioritize applications in strategic consulting. This overview does not replace individual case review, but it quickly shows where organizational diligence is sufficient and where more in-depth review is necessary.

| Application in SMEs | Personal data likely? | Check the data processing agreement? | Transparency requirements relevant? | AI Act risk (roughly) | Practical advice |
|---|---|---|---|---|---|
| Marketing texts based on anonymized product information | Rather not | Depending on the tool | Low | Rather low | A good starting point if no customer data is entered. |
| CRM lead scoring and segmentation | Yes | Yes, often relevant | High | Medium testing requirements | Thoroughly examine the profiling issue and its legal basis. |
| Offer creation using customer master data | Yes | Yes, frequently relevant | Medium | Rather low to medium | Easily doable if data flow, roles, and tool settings are clear. |
| Summary of contracts or PDFs | Often yes | Yes | Medium | Rather low to medium | Especially for sensitive content, clear upload rules should be defined. |
| Internal knowledge database containing employee or customer data | Yes | Yes | Medium to high | Medium testing requirements | Define access rights, data sources, and deletion logic in advance. |
| Applicant pre-selection or automatic suitability assessment | Yes | Yes | High | High testing requirements | You should be very careful here and have it thoroughly checked. |

I see a lot of potential for small teams, especially in quotation and document processes. If you want to know what such a pragmatic approach can look like, you can find more information in my article on AI-supported offer creation, a typical SME scenario with clear time savings.

When is clean organization sufficient and when do you need deeper examination?

Not every AI implementation requires a large governance project right away. For many SMEs, a sound organizational implementation is sufficient at the outset. The crucial factor is the risk management logic.

Rather low risk

  • Texts, ideas or structural proposals based on cleaned or publicly available information
  • Internal designs without customer reference
  • Automation of small routine tasks without personnel evaluation

Medium testing requirements

  • CRM processes with segmentation, prioritization, or predictions
  • Automated document processing with customer or employee data
  • Internal knowledge databases that also contain personal data

High testing requirements

  • Systems that evaluate, rank, or sort people out
  • AI-supported decisions with noticeable consequences for applicants, employees, or customers.
  • Applications in particularly sensitive processes with high reputational and liability risks

My pragmatic standard is: the more an AI tool judges people or prepares decisions about people, the less it is purely a software issue and the more it is a question of leadership and responsibility.

That's precisely why I rarely start with a tool list when working with SMEs. I begin with the goal, the process, and responsibilities. Only then does selecting a tool make sense. If you apply AI solely to unclear processes, you'll end up automating mostly chaos. If you create structure first, you'll turn AI and digitalization solutions into a real relief factor.

My compact approval checklist for owners and small teams

If you need to quickly decide internally whether a tool can be approved, use this order. The list is intentionally short and can be used immediately in small companies.

  • 1. Clearly define the purpose: What specific problem does the tool solve?
  • 2. Data types recorded: Is personal data entered or generated?
  • 3. Identify affected groups: customers, prospects, employees, applicants, partners.
  • 4. Identify the legal basis: Why is this processing permissible?
  • 5. Check the provider role: Is order processing taking place?
  • 6. Check data location: Is there a transfer to a third country?
  • 7. Check the functional logic: Does the tool evaluate or predict people? Then clarify the profiling question.
  • 8. Adjust transparency: Align data protection notices and internal communication with actual use.
  • 9. Establish usage rules: Which data is allowed, which is prohibited, and who is authorized to release it?
  • 10. Document the decision: tool, purpose, risk, approval, responsible person, next review date.

If three or more points remain unclear, that's not a sign of failure. It's a sign that a preliminary, more detailed assessment or a structured pre-check would be advisable. This is exactly how SMEs keep budget, risk, and internal costs low.

Questions? Answers!

Does the GDPR also apply if I only use an AI tool internally?

Yes, as soon as the AI tool processes personal data internally, the GDPR applies regardless of whether the processing is externally visible. For you, this means that even internal efficiency tools require a clear review of data types, legal basis, and consent.

Do I automatically need a data processing agreement for every AI tool?

No, but this question needs to be actively checked for each tool. If a provider processes data on your behalf, then a data processing agreement is very likely relevant, and this check protects you from later contract and data protection problems.

Is every automated marketing process already profiling?

No, not all automation is automatically profiling. Profiling becomes relevant when personal data is used automatically to evaluate or predict the behavior, interests, or probabilities of individuals.

What is the most common mistake SMEs make with third-country transfers?

The most common mistake is only looking at the data location after purchasing a tool. If you check the third-country transfer early, you avoid unnecessary switching costs, data protection gaps, and internal uncertainty.

Do I need to inform customers or employees if I use AI in processes?

When personal data is processed, the transparency obligation is a recurring issue. For small businesses, it's practically solvable if data protection notices and internal rules honestly and comprehensibly reflect the actual process.

Does the EU AI Act even affect small businesses?

Yes, the EU AI Act can also affect SMEs, but not every use case is affected equally. For many SMEs, the most important question is not initially the extensive regulation, but rather the clear classification of risk categories and the specific use case.

Am I allowed to input customer data into generative AI tools?

This cannot be answered with a simple yes or no. You need to check whether personal data is required, what the legal basis is, how the provider processes the data, and whether internal rules limit its use.

How do I get started with AI in my company without immediately creating a major construction project?

Start with a small, clearly defined process that doesn't involve sensitive data and offers measurable benefits. This approach builds trust within SMEs, reduces errors, and makes future expansion significantly easier.

My conclusion

GDPR and AI for SMEs are primarily a matter of clarity. The technology itself is usually not the real problem. The real problem lies in unclear data flows, a lack of defined responsibilities, and hasty decisions regarding tools. By first prioritizing purpose, data, roles, and risk, you transform uncertainty into a sound basis for decision-making.

I am convinced that small businesses don't need to lag behind in AI, nor do they need to block everything. Small businesses need a responsible form of digitalization that saves time, respects people, and genuinely improves processes. That's precisely where technology creates meaningful progress instead of just added complexity.

Florian Berger
Bloggerei.de