June 13, 2026
9 min read

AI at Work in 2026: What an SMB Is Actually Allowed to Do (GDPR + AI Act, August 2)

GDPR, the AI Act taking effect August 2, 2026, shadow IT: here is what a French SMB can actually do with ChatGPT, Claude, or Copilot at work, plus the checklist to stay compliant.

Vincent

AI expert, AI-First

GDPR + AI Act (August 2, 2026): what SMBs can do with AI at work, CNIL penalties, shadow IT risks, and a concrete compliance checklist.

Your sales rep has been pasting client emails into ChatGPT for six months. Your accountant has Claude proofread financial statements. Nobody signed a DPA, nobody updated the processing register. And on August 2, 2026, the AI Act takes effect for high-risk systems. Without realizing it, you are a "deployer" under the European regulation.

I see this situation at the majority of SMBs I work with. The good news: compliance is not an obstacle, it is a selling point. Here is exactly what you are allowed to do, what is prohibited, and the 7 steps to get compliant before the fall.

  • ⚠️ Rampant shadow IT: 60 to 80% of French SMBs use AI with no legal framework in place.
  • 📅 August 2, 2026 deadline: AI Act obligations on high-risk systems become enforceable.
  • 💡 Pro tier required: the free version of ChatGPT offers zero usable GDPR guarantees.
  • 7-point checklist: a realistic compliance path for an SMB, no EUR 50,000 consultancy needed.

AI shadow IT is already inside your company

According to a Kezify study published in early 2026, 60 to 80% of French SMBs have employees using generative AI tools without management approval. The phenomenon has a name: shadow IT. It is nothing new, except that this time the data flowing through these tools is not just a spreadsheet shared on a personal Google Drive. It is client names, contract amounts, candidate resumes.

The problem is not the tool. It is the complete absence of any framework.

Why is AI shadow IT more dangerous than traditional shadow IT?

When an employee uses the free version of ChatGPT, the data entered can be retained indefinitely by OpenAI and potentially reused for model training. No DPA protects the company.

According to a 2025 IAPP study, 80% of European SMBs using generative AI have not updated their GDPR processing register. If the CNIL comes knocking, there is no documentation to prove the processing was assessed.

I witnessed this firsthand at a 45-person client: the HR manager was using ChatGPT to pre-screen resumes. Names, addresses, disability disclosures, all of it went through the free version. No legal basis, no candidate notification. When a rejected candidate exercised their GDPR right of access, the company could not respond.

Two regulations apply simultaneously. The GDPR, in force since 2018, covers all personal data processing. The AI Act (EU Regulation 2024/1689), published in the Official Journal on July 12, 2024, adds an AI-specific layer.

How to know if your SMB qualifies as a "deployer" under the AI Act

If your company uses an AI system as part of its professional activity, it qualifies as a "deployer" (Article 3 of the AI Act). You do not need to develop the model. Using ChatGPT to draft sales emails, Claude to analyze contracts, or Copilot to generate code is enough.

According to the firm Crescendo Avocats, use cases classified as high-risk include automated recruitment, employee evaluation, and credit scoring. If your SMB uses AI in any of these areas, the reinforced obligations of August 2, 2026 apply directly to you.

The enforcement timeline is staggered. Since February 2, 2025, prohibited AI practices are sanctionable (subliminal manipulation, social scoring). Since August 2, 2025, rules on general-purpose AI models (GPAI) apply to providers like OpenAI or Anthropic. August 2, 2026 activates the obligations for high-risk systems: technical documentation, human oversight, transparency toward users.

The penalties are not symbolic. Up to EUR 35 million or 7% of global annual turnover for prohibited practices. Up to EUR 15 million or 3% for non-compliance with high-risk system obligations. The European Commission designed the deterrent effect to rival the GDPR.

What is the difference between GDPR and AI Act for an SMB?

The GDPR protects personal data: it requires a legal basis, a processing register, and informing the data subjects. The AI Act protects against risks posed by AI systems themselves: discriminatory bias, opaque automated decisions, lack of human oversight.

The two regulations complement each other. If you use Claude to analyze resumes, you must comply with the GDPR and the AI Act. As Sparkana puts it, the best approach is to consolidate the work: the GDPR's Data Protection Impact Assessment (DPIA) covers a large share of the AI Act's requirements.

ChatGPT, Claude, Copilot: which version for professional data?

This is the question 9 out of 10 business owners ask me. The answer fits in one sentence: the free version of any tool is unacceptable for professional data.

Should you ban the free version of ChatGPT at work?

Yes. The free version of Claude, Gemini, or any other LLM poses the same problem: no DPA, no guarantee on data location, no commitment against reuse for training.

Here is what the professional tiers offer as of June 2026:

Criterion              ChatGPT Business     Claude for Work                         Free version
Price                  EUR 25/user/month    Custom quote (approx. EUR 25-30/user)   EUR 0
Signable DPA           Yes                  Yes                                     No
Certifications         SOC 2, ISO 27001     SOC 2 Type II                           None
EU hosting             Yes (optional)       Frankfurt / Paris                       Not guaranteed
Training on your data  No (guaranteed)      No (zero-training)                      Possible
Data retention         Configurable         7 to 365 days                           Indefinite

SOURCE: OpenAI & Anthropic pricing pages, updated 06/2026

The difference is crystal clear. With ChatGPT Business or Claude for Work, you have a GDPR data processing agreement (DPA) that binds the provider. With the free version, you are sending your clients' data into a black box with zero legal protection.

I broke down the functional differences between the two platforms in this no-nonsense comparison. For the question of license volume, this article on moving from Claude Pro to Claude Team provides the concrete thresholds.

How does data residency simplify GDPR compliance?

The GDPR requires that data transfers outside the European Economic Area be governed by safeguards (standard contractual clauses, adequacy decisions, etc.). When Anthropic offers hosting in Frankfurt or Paris with Claude for Work, the data never leaves the EU. The transatlantic transfer issue disappears entirely.

According to Lumivi (citing Bpifrance Le Lab), 55% of French SMBs were using generative AI by late 2025, but half of them through free solutions with no integration. Those uses remain non-compliant.

The right AI model in 2026 is no longer just the most capable one. It is the one you can deploy within a compliant infrastructure.

The AI compliance checklist for your SMB (7 steps)

I do not believe in EUR 50,000 compliance projects. I believe in concrete actions a business owner can launch this week. Here are the 7 steps I recommend, drawn from my consulting work at GoLive Software.

How to start the compliance process with no dedicated budget

1. Map existing AI usage. Send out a 5-question internal survey: which tool, for what purpose, what data, how often, free or paid version. You will have your baseline in 48 hours.

2. Switch to professional versions. ChatGPT Business at EUR 25/user/month or Claude for Work. The cost is negligible compared to the CNIL risk.

3. Sign DPAs with each provider. OpenAI and Anthropic offer downloadable DPAs. Sign them and archive them alongside your processing register.

4. Update the GDPR processing register. Add one line per AI tool: purpose, data categories, retention period, sub-processor, hosting location. The CNIL provides a free template.

5. Inform data subjects. If your employees, candidates, or clients have their data processed by an AI tool, your privacy policy must disclose it (GDPR Articles 13 and 14).

6. Assess the AI Act risk level. If you use AI for recruitment, performance evaluation, or client scoring, you fall into the "high-risk" category. Document the human oversight measures in place.

7. Train the team. A 10-line awareness email is enough to start: never paste personal data into an unapproved AI tool. Repeat every quarter.

This checklist covers 90% of the risk for an SMB of 10 to 250 employees that uses AI as a tool, not as a product. If you are starting from scratch on AI integration, this failure-proof guide lays the groundwork before compliance even enters the picture.

Compliance as a competitive advantage

I say it often to my clients: GDPR + AI Act compliance is not a cost. It is a sales argument.

Why your B2B clients will demand AI compliance

Large companies and public agencies are including AI clauses in their RFPs: "Describe the AI tools you use. Provide the DPAs. Specify the hosting location." I saw these clauses in three public tenders in April and May 2026.

An SMB that answers "here is our register, our DPAs, our retention policy" gains an immediate edge. It is the same dynamic as GDPR in 2018: companies that got compliant early won contracts.

According to Fluxcore, 62% of French businesses fear penalties tied to AI use. That fear is a signal: your prospects are looking for partners who reassure them. Be the one who can show a framework, not the one making it up as you go.

The SMB that integrates AI cleanly into its operations, with a clear legal framework, does not waste time on compliance. It wins clients that its competitors cannot reassure.

"AI compliance is not just another project. It is the condition for AI to remain an accelerator instead of becoming a legal liability."

Vincent Roye, June 2026

August 2, 2026 is not a date to dread. It is a filter that will separate the SMBs using AI seriously from those improvising in the shadows. The 7 steps outlined here take less than a week to launch. The cost boils down to a few pro licenses and a bit of documentation rigor. And the return is legal peace of mind, client trust, and the ability to deploy AI where it truly creates value, without looking over your shoulder.

Frequently asked questions

Can you legally use ChatGPT at work in 2026?

Yes, provided you use a professional version (ChatGPT Business or Enterprise) with a signed DPA and have documented it in the GDPR processing register. The free version offers no contractual guarantee on data protection. An employer who lets teams use the free version with client data risks CNIL penalties.

Is ChatGPT GDPR-compliant?

ChatGPT in its Business or Enterprise version offers a DPA, SOC 2 and ISO 27001 certifications, and the option to host data in Europe. These elements make it possible to build GDPR compliance. The free version, however, does not offer a DPA and may retain data indefinitely, making it incompatible with any professional use involving personal data.

What does the AI Act actually change for an SMB?

The AI Act classifies AI systems by risk level. For most SMBs using tools like ChatGPT or Claude for office tasks, the obligations remain limited (transparency, informing users). The heavier obligations (technical documentation, formalized human oversight, CE marking) only apply to "high-risk" use cases such as automated recruitment or credit scoring. The key deadline is August 2, 2026.

Which version of Claude or ChatGPT should you choose for professional data?

Claude for Work (data residency in Frankfurt/Paris, guaranteed zero-training, configurable retention from 7 to 365 days) or ChatGPT Business (EUR 25/user/month, EU hosting as an option, DPA included). Both offer the minimum guarantees for compliant professional use. The choice between them depends on your functional needs, not on compliance: both check the essential GDPR boxes.

What are the concrete risks of AI shadow IT in a company?

AI shadow IT exposes a company to three risks: a CNIL penalty of up to 4% of global annual turnover (GDPR) or EUR 15 million (AI Act), a leak of sensitive data to servers outside the EU with no contractual framework, and the inability to respond to data subject rights requests (access, deletion, portability). In B2B, the reputational risk is often the costliest of all.
