With artificial intelligence (AI) becoming widespread in recent years, it’s clear that AI plays a critical role in driving innovation and problem-solving. Many small businesses are now adopting AI to reduce costs, boost efficiency, and stay competitive. However, while AI offers significant advantages for SMEs, it’s equally important to understand the potential risks and legal responsibilities involved, especially when it comes to EU AI Act compliance for SMEs and other emerging regulatory frameworks.

To balance the risks and the benefits, the European Union introduced the Artificial Intelligence Act (known as the EU AI Act) earlier this year. It is expected to take effect 24 months later, with specific provisions applied at different intervals.

What is the EU AI Act and how is it relevant to UK SMEs?

The EU AI Act is a legislative framework that seeks to foster the development of AI technologies by respecting fundamental rights and adopting appropriate safeguards pertaining to AI. It is designed to govern the use of AI within the EU and applies to organisations operating within the EU, whether they are users, importers, manufacturers or providers of AI systems. Even if your organisation is based outside the EU, you will be caught under the EU AI Act if you supply your AI systems within the EU market.

The legislation contains categories of AI systems based on their risk levels as below:

  • Unacceptable Risk AI: These are prohibited applications as they are capable of influencing harm to themselves or others, such as those used for real-time remote biometric identification, for monitoring natural persons, and for deploying manipulative techniques.
  • High-Risk AI: Systems deemed to be “high risk” are subject to stringent regulations. This means that it is important to conduct extra risk assessments to ensure risk management, data governance, technical documentation and transparency. Industries that are susceptible to high-risk AI systems include but are not limited to healthcare, IT, education, transportation and employment.
  • Limited-Risk AI: Chatbots, for example, will fall into this category, which needs to adhere to specific transparency requirements, such as informing users that they are interacting with a machine.
  • Minimal-Risk AI: They are subject to less scrutiny and only require minimal compliance. Spam filters, for example, will fall into this category.

Why is it important to comply?

Similarly to the UK General Data Protection Regulation (UK GDPR), failing to comply with the rules can lead to severe financial penalties, where you can be fined up to €30 million or 6% of your organisation’s annual turnover. This means that not only do the severe penalties impact the tight budget SMEs are under, but they will also have a significant impact on an SME’s ability to rebuild their reputation. As trust and confidence are crucial in the world of AI, SMEs are more likely to lose their clients if they face penalties and may find it challenging to recover from the consequences.

You may assume that since the UK is no longer part of the EU, the legislation will be irrelevant. However, many UK SMEs have strong ties with their EU counterparts, and being aware of the legislation brings a number of benefits. For example, an organisation that focuses on the importance of accountability, fairness and transparency is highly likely to build trust with its clients, as it suggests a commitment to comply with ethical AI practices.

What steps can SMEs take to comply with the EU AI Act?

Whilst the EU AI Act might seem daunting to SMEs, even taking simple steps is sufficient to comply with the legislation. There are many steps you can take, which include but are not limited to:

  1. Conducting an AI Audit – Identify any areas requiring adjustments to comply with the new legislation and evaluate your AI systems to understand how they fall within the EU AI Act’s risk categories.
  2. Secure Personal Data – In the same way as the UK GDPR, it is important to ascertain if your AI systems collect and process personal data. If your AI systems deal with personal data, it must be protected carefully to prevent misuse or any breaches.
  3. Stay Informed – With AI evolving rapidly, keeping updated regularly on the latest developments will allow you to assess what you can and cannot do, and adapt your strategies accordingly.
  4. Record-Keeping – Maintaining comprehensive records of AI system assessments and management measures ensures you are engaging with the legislation.
  5. Participation in Training – By participating in training sessions, which is especially crucial for SMEs, your staff will have a better understanding of the risk levels of your AI tools and be able to carry out risk assessments to avoid any financial penalties as a consequence of breaching the legislation.

Farringford Legal is committed to supporting our clients who are going through these changes. By taking appropriate risk measures and regularly monitoring the use of your AI systems, we believe that the EU AI Act will not just prevent any breach or misuse of your clients’ personal information, but it will also help you to confidently invent your systems.

Thank you to Kaoruko Shirasaki, solicitor at Farringford Legal, for this article.