
Is Your Business Ready for AI? What Employers Need to Consider Before They Adopt

28 May 2026

Somewhere between the boardroom conversation and the software subscription, most businesses are already using AI. It may be a tool that drafts emails, summarises meeting notes, screens job applications or flags anomalies in financial data. For many employers, adoption has happened gradually and informally, without a formal policy, a legal review or a clear line of accountability.

That gap between use and readiness is where the legal and operational risks tend to accumulate.

This article is not an argument against AI adoption. The practical benefits for businesses of all sizes are real, and the pace of development means that employers who ignore the question entirely may find themselves at a disadvantage. But readiness is not simply a matter of choosing the right tool. It involves understanding what your obligations are as an employer, how existing employment law applies to AI-assisted decisions, and what your workforce is entitled to know.

What ‘Using AI’ Actually Means in a Business Context

The term covers a wide range of applications, and the legal implications vary considerably depending on how AI is being used and what decisions it is influencing.

At one end of the spectrum, AI tools assist with administrative tasks: drafting correspondence, generating summaries, organising data. At the other end, AI systems are being used to make or inform decisions about people, including recruitment screening, performance monitoring, absence tracking and, in some cases, disciplinary processes.

The distinction matters. Using AI to help format a report carries very different legal weight from using an algorithm to rank job candidates or monitor employee productivity. Employers who treat all AI use as equivalent risk misunderstanding where their obligations are most acute.

Employment Law Does Not Have an AI Exemption

Existing employment law applies to AI-assisted decisions in the same way it applies to decisions made by a line manager. If an algorithm screens out a disproportionate number of candidates from a particular protected group, that may give rise to indirect discrimination claims under the Equality Act 2010, regardless of whether the outcome was intentional or the result of a biased training dataset.

Tribunals are beginning to encounter cases where AI-influenced processes are part of the factual background. While the case law in this specific area is still developing, the underlying legal principles are not new. Employers remain responsible for the outcomes of their processes, including the parts of those processes that are automated.

This has practical implications for how AI tools are selected, configured and reviewed. An employer who adopts a third-party recruitment screening tool without understanding how it works, or without testing whether its outputs are consistent with equality obligations, may find that the tool’s vendor terms of service offer limited protection when a tribunal claim arises.

Data Protection and the ICO’s Position

UK GDPR and the Data Protection Act 2018 impose specific obligations on employers who use automated decision-making. Where a decision is made solely by automated means and produces a legal or similarly significant effect on an individual, employees and job applicants generally have the right to request human review of that decision.

The Information Commissioner’s Office has published guidance on AI and data protection, and employers using AI tools that process personal data should be aware of their obligations under that framework. This includes conducting data protection impact assessments where AI processing is likely to result in high risk, maintaining appropriate records, and ensuring that individuals are informed about how their data is being used.

For many small and medium-sized businesses, the practical starting point is simply asking: what personal data is this tool processing, and on what legal basis? If the answer is unclear, that is worth resolving before the tool is embedded in a business-critical process.

Workplace Policy: The Gap Most Businesses Have Not Closed

A significant number of businesses currently using AI tools have no formal policy governing their use. Employees may be using AI assistants to draft client communications, generate reports or research information without any guidance on what is appropriate, what is confidential, or what the business’s expectations are.

The absence of a policy creates several risks. It makes it harder to take disciplinary action if an employee misuses an AI tool, because the standard of conduct expected was never clearly set out. It may also expose the business to liability if an employee shares confidential client data with a third-party AI platform without authorisation.

An AI use policy does not need to be lengthy or technically complex. At its core, it should address:

  • Which AI tools are approved for use, and in what contexts
  • What categories of information must not be entered into AI systems
  • How AI-generated content should be reviewed before use
  • Who is responsible for decisions that AI has informed or assisted
  • How the policy will be reviewed as tools and practices evolve

Employers in regulated sectors, or those handling sensitive personal data, may need to go further. Legal advice on the specific requirements for your sector is worth taking before finalising any policy.

Monitoring, Surveillance and the Right to Privacy

AI-powered monitoring tools are increasingly marketed to employers as productivity solutions. These range from software that tracks keystrokes and application usage to tools that analyse communication patterns or flag attendance anomalies. Some employers have adopted these tools without fully considering the employment law implications.

Employees have a right to a reasonable expectation of privacy, including in the workplace. Covert or disproportionate monitoring may breach that expectation and, depending on the circumstances, could give rise to claims under data protection law or contribute to a constructive dismissal claim if an employee resigns in response.

The ACAS guidance on monitoring at work is a useful reference point. It recommends that employers be transparent about any monitoring, explain the purpose, and ensure that the level of monitoring is proportionate to the legitimate business aim being pursued. Consulting with employees or their representatives before introducing significant monitoring changes is also advisable, and may be required where a recognised trade union is involved.

The key question is not whether monitoring is ever permissible, but whether it is proportionate, transparent and legally grounded. Employers who introduce AI monitoring tools without addressing those questions are taking on risk that is largely avoidable.

Recruitment and the Risk of Algorithmic Bias

AI recruitment tools are now widely available, and their appeal is understandable. Screening large volumes of applications manually is time-consuming, and the promise of a more consistent, objective process is attractive. In practice, however, AI recruitment tools can replicate or amplify the biases present in their training data.

If a tool has been trained on historical hiring data from a workforce that was not diverse, it may learn to favour candidates who resemble previous successful hires, effectively encoding historical bias into a process that appears neutral. Employers who rely on such tools without auditing their outputs may find that their recruitment process produces discriminatory outcomes, even where no discriminatory intent exists.

Under the Equality Act 2010, indirect discrimination does not require intent. A provision, criterion or practice that puts people with a protected characteristic at a particular disadvantage, and which cannot be objectively justified, may be unlawful regardless of how it was designed.

Employers using AI in recruitment should consider: how the tool was trained, whether the vendor has conducted bias testing, what human oversight exists in the process, and how decisions can be explained to unsuccessful candidates who request feedback.

Redundancy, Restructuring and AI-Driven Change

For some businesses, AI adoption will involve genuine workforce change. Roles may be restructured, reduced or eliminated as tasks become automated. Where that happens, the ordinary rules on redundancy, consultation and fair dismissal apply in full.

Employers cannot use AI-driven efficiency as a shortcut around statutory redundancy processes. Where 20 or more redundancies are proposed within a 90-day period, collective consultation obligations under the Trade Union and Labour Relations (Consolidation) Act 1992 are triggered. Individual consultation obligations apply regardless of the number of redundancies involved.

Businesses planning significant operational changes involving AI should take employment law advice at an early stage, before announcements are made and before any process begins. Getting the process right from the outset is considerably less costly than remedying it after a tribunal claim.

What Employees Are Entitled to Know

Transparency is a recurring theme across data protection law, employment law and the emerging guidance on AI governance. Employees are generally entitled to know when AI is being used in processes that affect them, particularly where those processes relate to performance, pay, promotion or disciplinary matters.

Keeping AI use opaque, even where it is technically lawful, tends to erode trust and can complicate matters significantly if a dispute arises. An employee who discovers that their performance was assessed partly by an algorithm they were never told about may have a stronger grievance, and a more sympathetic tribunal, than one who was informed and given an opportunity to raise concerns.

Practical transparency does not require technical disclosure. It means telling employees, in plain terms, that certain processes involve automated or AI-assisted elements, what those elements are, and how decisions are ultimately made.

A Practical Starting Point for Employers

Readiness for AI is not a single destination. It is an ongoing process of understanding what tools are in use, what obligations attach to them, and how policies and practices need to evolve as the technology develops.

For most businesses, a sensible starting point involves three things. First, an audit of the AI tools currently in use across the business, including those adopted informally by individual teams or employees. Second, a review of existing employment contracts, data protection policies and staff handbooks to identify gaps. Third, legal advice on the specific obligations that apply to your sector, your workforce and the particular tools you are using or considering.

The legal framework around AI in the workplace is still developing. The UK government has been consulting on its approach to AI regulation, and further guidance from the ICO and ACAS is likely as adoption increases. Employers who build a sound foundation now, grounded in existing employment and data protection law, will be better placed to adapt as that framework matures.

AI is not going to slow down. The question for employers is not whether to engage with it, but how to do so in a way that is legally sound, practically workable and fair to the people it affects.
