
When “Just Ask the Bot” Becomes a Business Leak

The Dutch privacy watchdog’s warning is not abstract: one careless prompt can turn client trust, contracts, and cash flow into damage control.
January 1, 2026 by Laura De Troia

If you run a small business, you don’t experience “privacy risk” as a headline. You feel it as delayed invoices, uncomfortable client calls, time lost to admin, and the quiet erosion of trust that takes months to rebuild. That is why the Autoriteit Persoonsgegevens (AP), the Dutch privacy regulator, raising the alarm over data leaks via workplace AI chatbots matters to you, even if you have no IT department and no appetite for drama.

The AP says it is receiving a growing number of reports of incidents where sensitive information was shared through AI chatbots, with more in 2025 than in 2024. The pattern is not malicious hacking. It is ordinary people trying to work faster. Employees paste text into public tools, often free versions, because it feels efficient, and because it does help in the moment. The problem is that once information leaves your controlled systems, you may not know where it ends up, how long it is kept, or who can access it. “We can’t confirm the exact scope” is not a sentence that makes clients pay on time.

The recent example at the municipality of Eindhoven is a public-sector story, but the mechanism is painfully familiar: a quick test, repeated for a few weeks, and suddenly confidential documents have been fed into open chatbots. Swap “youth care files” for your world (CVs, salary notes, client contracts, supplier pricing, draft settlement terms, internal performance messages) and you see the risk line immediately. One small business situation is enough: a colleague copies a client’s contract clause into a chatbot to “simplify the wording,” forgetting the appendix includes names, bank details, or project specifics. Nobody intended harm, yet you have a potential data breach on your hands, and an awkward explanation to deliver.

Law and regulators can sound distant until you translate them into responsibilities. Under the AVG (the Dutch name for GDPR), you are responsible for protecting personal data you handle, even if the leak happens through an employee’s “helpful” experiment. The EU AI Act adds another layer: you will be expected to ensure people know how to use AI systems responsibly (AI literacy, in plain language), plus clear rules about what may and may not be entered. Lawyers now call the uncontrolled use of unapproved tools “shadow AI”: technology happening in your business without your oversight. You cannot monitor every keystroke, and you shouldn’t try; but you do need to make the safe path the easy path.

So what does a practical, non-theoretical response look like for a micro-entrepreneur? Start by treating prompts as if they were emails sent to the wrong recipient: assume they travel. Draw a bright line around what never goes into a public chatbot: anything that identifies a person, anything under confidentiality (NDA), anything commercially sensitive (quotes, margins, pricing formulas, negotiation positions). Then reduce temptation: provide a permitted tool or a safer environment if you can, and if you cannot, at least put the rule in writing and repeat it in normal language. Most of all, connect it to daily work: “If we leak client data, we lose trust; if we lose trust, we lose renewals; if we lose renewals, cash flow tightens.” People remember consequences more than policies.

This is not a call to fear AI. It is a call to use it like a grown-up business tool: with boundaries, habits, and a bit of discipline. If you make one small adjustment this month, make it this: decide, communicate, and model what is safe to share, then keep your team’s need for speed in mind while you do it. The goal is not perfection. The goal is fewer surprises, fewer apologies, and a business that stays efficient without becoming fragile.
