eCommerceNews UK - Technology news for digital commerce decision-makers

Most firms unprepared for AI rules as GDPR pressure grows

Fri, 6th Mar 2026

A survey of compliance, legal and IT professionals found that only a small minority consider their organisations fully prepared for the regulatory requirements now shaping the use of artificial intelligence. Many also reported limited or ineffective staff training.

The research, carried out by compliance eLearning provider VinciWorks, polled 230 professionals on preparedness for rules affecting AI use across regulated industries. Just 3.5% described their organisation as fully prepared for the current AI regulatory landscape.

Uncertainty was widespread. About 29% said they were still working out which rules apply to their organisation. Another 28% said they were aware of relevant rules but had no clear plan, while 6% said they were unsure of their position. Overall, 63% said they could not describe their organisation as prepared for the emerging environment.

Training shortfall

The results point to a significant gap in training and internal awareness. Only 22% said their organisation provides AI awareness training they consider effective.

Nearly half (48%) said their organisation has no AI training but would like to provide it. Another 12% said there were no plans to offer training, while 12% said some training exists but is not very effective.

The findings suggest many organisations are relying on informal knowledge as AI tools spread across business functions. For compliance and IT teams, the lack of structured training can complicate governance, record-keeping and internal assurance, particularly where personal data is involved.

GDPR pressure

Respondents identified several areas where data protection requirements create practical difficulties for AI use. The most common issue was automated decision-making rules (27%). Data minimisation and retention followed (23%), with oversight of vendors and model providers next (21%).

These results point to challenges across multiple parts of the data protection framework rather than a single point of friction. AI systems can draw on large datasets, produce outputs that are hard to explain, and rely on third-party providers, increasing the burden of mapping data flows and documenting compliance decisions.

UK organisations using AI that processes personal data already face regulator expectations under existing law. The Information Commissioner's Office has said data protection obligations apply when organisations use AI systems that process personal data.

Nick Henderson-Mayo, head of compliance at VinciWorks, said the survey reflects a broader shift in how AI governance is being enforced.

"GDPR is bundled into AI compliance. Regulators are applying existing data protection laws to AI systems right now, and they expect organisations to be able to explain what their systems are doing, justify their lawful basis and demonstrate that individuals' rights remain meaningful. If you're using AI that processes personal data, the ICO expects you to comply with your data protection obligations today," said Henderson-Mayo.

Operational disruption

While some organisations report limited immediate impact on compliance operations, a smaller group is already experiencing significant disruption. Nearly two-thirds (64%) described AI as only slightly disruptive or not at all disruptive to their compliance programme so far. By contrast, 12% said AI had been very or extremely disruptive.

The figures suggest uneven adoption. Some organisations are still testing use cases and setting policies, while others have moved further into deployment across functions. That affects the amount of compliance work required, including risk assessments, procurement checks and reviews of how AI tools interact with personal data.

Confidence was similarly mixed. Only 9% said they felt very confident their organisation's use of AI is compliant. A third (33%) said they were not very confident or not confident at all, while the largest group (30%) said they were only somewhat confident.

Respondents also highlighted the challenge of keeping pace with regulatory change. AI governance in Europe and the UK is evolving through a combination of new AI-specific rules and the application of existing regimes such as data protection. In practice, organisations may need to manage governance across multiple teams, including legal, compliance, data protection, security and procurement.

VinciWorks said the results reflect converging pressure from sustained GDPR enforcement, the implementation phase of the EU AI Act, and the UK's sector-led approach to AI governance. Firms reported low levels of readiness and limited training as they assess how their AI use fits within current obligations.