Simon Reynolds: Welcome to our webinar on AI in the workplace, managing your UK business’ legal risks. My name is Simon Reynolds. I’m one of the senior legal solutions consultants here at LegalVision, and I’m very lucky to be joined by Harmanjot, one of our senior associates within our commercial team. Before we begin, just a couple of housekeeping items. You’ll receive a recording and slides of this webinar in your email once we wrap up. Throughout the session, please submit your questions in the Q&A box. We’ll do our absolute best to answer any questions at the end of the webinar. Also, please take 30 seconds to complete our feedback survey after the session. We’re always looking to improve, and your feedback is really useful.
By viewing this webinar, everyone is eligible for a complimentary consultation with LegalVision to discuss your business’s specific legal requirements. To claim the consultation, simply leave your contact details in the survey, or you can visit our website and submit your details there.
Now, I’ll pass over to Harmanjot, who will discuss the agenda for today.
Harmanjot: Thanks, Simon. Hi everyone. It’s great to have you all here. As Simon mentioned, today we’ll be talking about AI and managing legal risks in your business. As you can see from the slide, we’ll discuss the regulatory landscape, how GDPR and data protection interact with AI, the employment law implications, discrimination risks, and algorithmic biases. We’ll also talk about liability and insurance when AI decisions go wrong and who actually owns some of the things created using AI. We’ll cover practical risks of using AI in business, and we’ll have a Q&A at the end.
AI is rapidly transforming UK workplaces—from recruitment algorithms and performance monitoring to customer service chatbots and automated decision-making. While AI offers significant efficiency gains and competitive advantages, it also creates substantial legal risks that many businesses are only just beginning to understand. Hopefully, today’s session will equip you with practical knowledge to navigate the complex legal and regulatory landscape surrounding workplace AI, ensuring that your business can innovate while remaining compliant with UK law.
This factsheet outlines the steps for notifying the ICO and affected individuals about personal data breaches.
Harmanjot: The UK government has adopted a pro-innovation, sector-based approach to AI rather than creating a comprehensive AI-specific law. This means businesses need to navigate multiple existing regulatory frameworks instead of having one overarching piece of legislation. The Information Commissioner’s Office (ICO) provides guidance on AI and data protection, emphasising accountability, transparency, and fairness in automated decision-making systems. The Equality and Human Rights Commission has published guidance on algorithmic bias and discrimination, confirming that existing equality laws fully apply to AI systems and the decisions made by AI.
Employment tribunals are increasingly hearing cases involving AI and automated decision-making, establishing important precedents on what constitutes fair use of workplace AI. In 2023, the UK government published its AI regulation white paper, proposing five cross-sector principles: safety, transparency, fairness, accountability, and contestability. While the EU AI Act creates obligations for EU operations and may influence UK standards, the UK government has explicitly chosen not to follow the EU’s risk categorisation approach, instead giving regulators flexibility within their own domains.
Regulators in other sectors, such as the Financial Conduct Authority, are developing AI-specific guidance for their industries, meaning compliance requirements may vary depending on your sector. For example, the Financial Conduct Authority has issued guidance on AI governance in financial services, and the Medicines and Healthcare Regulatory Agency has released frameworks for AI use in medical devices.
Harmanjot: Given that there’s no single governing law or regulation, it’s crucial to maintain comprehensive documentation of your AI systems, including their purpose, data sources, decision-making processes, testing, and human oversight mechanisms. These records will be essential for demonstrating compliance if regulators come calling. Train your staff on AI systems, extending training beyond technical users to HR personnel, managers, and anyone who makes decisions informed by AI outputs.
Vendor contracts should clearly define terms around data processing, algorithmic transparency, liability, and compliance with UK law. Regular reviews of your AI systems are necessary to check not just for technical accuracy, but also for legal compliance, including data protection obligations and discrimination and employment law requirements.
The UK GDPR remains the cornerstone of data protection law post-Brexit. AI systems processing personal data must comply with its requirements, including lawfulness, fairness, transparency, data minimisation, and accuracy. Employers must ensure that AI-powered monitoring systems are proportionate and transparent, informing employees about how they use AI in monitoring productivity, security, or decision-making.
Under Article 22 of the UK GDPR, individuals have the right not to be subject to decisions made solely by automated processing that produce legal effects or similarly significant effects. AI decisions in recruitment, dismissal, or promotion require specific safeguards to protect employees and job applicants.
Harmanjot: Businesses remain legally responsible for decisions made or informed by AI systems they deploy, even if the AI was developed or provided by a third party. Vicarious liability principles mean you’re liable for discriminatory or unlawful acts carried out by your AI systems, just as you would be for human employees. Product liability laws may provide a route to claim against AI vendors if their system was defective, but this doesn’t eliminate your primary liability.
You can mitigate some of the risk by seeking contractual indemnities from AI vendors. This may help recover losses but only if the vendor remains solvent and the contract terms are enforceable. Review your insurance policies to understand what’s covered and discuss with your insurance provider whether the AI tools you deploy are adequately covered or whether add-ons are necessary.
Harmanjot: When developing or customising AI systems, it’s crucial to protect proprietary algorithms, training methodologies, and data sets. Your business data used to train AI models may constitute trade secrets under UK law, but only if you take reasonable steps to keep it confidential. If using third-party AI services, ensure you understand their terms of service, particularly whether your data will be used to train the vendor’s models or shared with others, which could erode your competitive advantage.
Harmanjot: Establish an AI governance committee with representatives from legal, HR, IT, and business leadership to oversee AI adoption and coordinate risk management. Develop a comprehensive AI acceptable use policy that defines what AI tools employees can use, for what purpose, and with which data restrictions. Implement an approval process for new AI systems, ensuring that the tools are thoroughly vetted before deployment.
Communicate clearly with employees about the AI systems used in their management, explaining how these systems work and how they inform decisions affecting them. Provide opportunities for employees to raise concerns about AI systems and ensure you take their feedback seriously. Establish feedback mechanisms to report when AI outputs seem wrong or unfair, and keep detailed logs of AI-informed decisions.
Q&A
Simon Reynolds: If we use AI for CV screening, do we need to tell every job applicant that their application will be reviewed by an AI system?
Harmanjot: Clear and upfront communication is key to building trust and meeting your transparency obligations under the GDPR. While your privacy policy is important, it’s also crucial that applicants understand how AI is involved before they submit their application. Best practice is to include a statement during the application process explaining that AI will be used for initial screening and how it supports recruitment decisions. If the AI plays a significant role, let candidates know they can request a human review under GDPR. This will help demonstrate your commitment to fairness.
Simon Reynolds: We’re training an AI model using years of customer data and employee insights. How do we ensure competitors can’t access this through the AI vendor’s systems?
Harmanjot: Work with your vendors to ensure you have the right technical and contractual provisions in place. Confirm that your contract stipulates ownership of the data and prohibits the vendor from using your data to train models for others. Many reputable vendors have processes in place for data segregation. Ask vendors about their security certifications and look for private deployment options to keep your data separate. Ensure your contract includes audit rights and provisions for data handling when the contract ends.
Simon Reynolds: If we discover our existing AI system has been producing biased outcomes, what’s our legal obligation? Do we have to inform everyone affected?
Harmanjot: Your response depends on the nature and extent of the bias. Proactive transparency typically strengthens trust. While specific notification obligations vary, being upfront about discovering and fixing problems demonstrates fairness. Document what happened, what you learned, and how you’ve strengthened your AI governance to prevent future issues.
Simon Reynolds: What should we do when staff use free browser-based AI tools like ChatGPT to enhance their day-to-day tasks?
Harmanjot: While it’s challenging to monitor all employee activity, policies and technical measures can help set parameters. Implement clear usage policies outlining what employees can and can’t do. Consider blocking tools that create security risks, and provide training to help staff use these tools safely and responsibly.
Simon Reynolds: This concludes the main part of the webinar. Please don’t hesitate to submit your details in the survey at the end to claim your complimentary consultation. We value your feedback, so please take a moment to complete the survey. Thank you for attending today’s session. Stay warm and dry, and we look forward to chatting with you soon.
We appreciate your feedback – your submission has been successfully received.
