Not Another HRPodcast

A.I, A.I.,....Oh! Why Every Business Needs an AI Policy (Before It's Too Late)

Alastair Swindlehurst

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 41:49

Artificial Intelligence is transforming the workplace—but most businesses are adopting AI faster than they're putting the right safeguards in place.

In this episode of Not Another HR Podcast, HR consultant Alastair Swindlehurst and employment solicitor Rachel Rigg explore the biggest technology and AI pitfalls they're seeing businesses fall into every week.

From employees using ChatGPT with confidential company information to AI-generated grievances, meeting recordings, data protection, automated HR decisions and the latest changes under the Data (Use and Access) Act, this episode is packed with practical advice for employers who want to embrace AI without creating unnecessary legal risk.

Whether you're an HR professional, business owner or manager, this episode explains where organisations are getting it wrong—and what you should be doing instead. 

In this episode

  •  Using ChatGPT and AI safely in the workplace 
  •  Protecting confidential company information 
  •  Why recording every Teams meeting could create problems 
  •  Fireflies, Otter.ai and AI meeting notes 
  •  AI-generated grievances and disciplinary responses 
  •  Automated decision-making and employment law 
  •  Data protection and GDPR considerations 
  •  AI-generated images and workplace harassment 
  •  The new right to complain under the Data (Use and Access) Act 
  •  Practical policies every employer should introduce now 

If your business is using AI—or your employees already are—this is an episode you won't want to miss.

Please find the BBC article here  https://www.bbc.co.uk/news/technology-65202597?app-referrer=deep-link 

📩 Got a question or topic you want us to cover? Get in touch:

EZHR: info@ezhr.uk
Horsfield Menzies: horsfieldmenzies.com

👍 Like, comment, and subscribe for more no-nonsense HR insights.

SPEAKER_03

Welcome to Not Another HR Podcast.

SPEAKER_01

You're joking. Not another one.

SPEAKER_00

Hello and welcome to the Not Another HR podcast with me, Alistair Swindlehurst and Rachel Rick from Horsefield Menzies.

SPEAKER_03

Alistair's your HR consultant. I'm an employment solicitor and together we just witter on about things.

SPEAKER_00

And usual disclaimer, this is not legal advice. If you need proper legal advice, go and see you. I was going to say see a proper legal person, which is generally you to be fair. But it it's more about just making sure that kind of we're going to discuss kind of what's going on to give you context, kind of bring it to life, and then hopefully you can sort of be a bit more sort of enabled in terms of dealing with what you need to deal with in terms of.

SPEAKER_03

And as you can probably tell, um it's the heat wave, which is why the legs are out, which is also my prompt to say everything we're discussing today is based on today. Um and if you are listening to this podcast in the distant future, it might not be relevant anymore.

SPEAKER_00

No, and I think we will be um oh cracky. Uh we'll be getting this out sort of the early part of next week. Probably it's Thursday's recording those, we kind of hit 35, but I think the I think the rain's gonna come.

SPEAKER_03

Oh, thank God. This is not weather for gingers.

SPEAKER_00

This is not weather for gingers.

SPEAKER_03

Look out for your gingers.

SPEAKER_00

I was gonna say, forget menopause is a protected characteristic. As you say, and we hopefully we'll sorry at the saturation on the camera as well.

SPEAKER_03

Ah, thanks, because normally I'm glowing like the palest person on the earth, and that's not inaccurate most of the time.

SPEAKER_00

No, but uh it's probably mean of me to do that.

SPEAKER_03

Yeah, I'll take it as bullying. It's all good.

SPEAKER_00

Absolutely.

SPEAKER_03

Just I mean, one of the things, I mean that's probably gonna come up in a little bit of this, is we're gonna be talking about in this week's episode tech pitfalls businesses, HR folk are falling into.

SPEAKER_00

Yes.

SPEAKER_03

Because we're seeing quite a lot of this at the minute.

SPEAKER_00

I think it's it's becoming more and more prevalent at the moment. Like the more that we talk to people, the more that things are coming out. So, like in the last uh couple of weeks, we've seen some suggestions of people where um it's the use of tech, it's maybe kind of our third parties getting onto machines as well to kind of either do or assist with people's jobs who maybe shouldn't be there as well.

SPEAKER_03

Surprise, surprise.

SPEAKER_00

I forgot to mention that one too.

SPEAKER_03

Oh, we could add it to the list, it's all good.

SPEAKER_00

We've got plenty.

SPEAKER_03

Add it to the list. But yeah, so basically, Alistair and I are seeing so many things to this effect that we thought it'd just be really helpful to run through some of the anecdotes, some of the stories that are coming through in the news. But there's kind of I'd say four main headers that we've got to cover. And the first one is pretty much what you were just saying, it's using tools before you have the controls in place to manage those tools.

SPEAKER_00

But I I think there's still an after-effect of kind of like the work from home movements for sort of post-covid, well during COVID, where we saw everyone sort of kind of dashed to get out of the office, no one really got a proper home set up, and it was just like you know, crack home, do we need to? From then we've kind of then got this whole kind of blended work for work workplace that we have, and uh, there's a lot of people that work from home. Um we know I know people that will work from an office some days, but then they'll also work maybe from a co-working space another day. And it's really interesting in terms of kind of I think the big thing is just how uh relaxed people are about data at the minute and how they allow other people to have access to the data. Yeah. And that's everything from like sign up to newsletters and kind of who you give your data to on a personal level, right through to kind of this is your company's data, yeah, and we'll put it into different places and see what happens on the back of that.

SPEAKER_03

Well, this is the wild thing, right? So there's for years people have used things like Grammarly and things like that to help check how they were, you know, writing things in structure, not realizing that the information they were putting into Grammarly wasn't particularly secure, wasn't particularly, you know, basically all of these tools that are now existing. People are using just as as to assist you, but not thinking about what they're putting in and where it goes.

SPEAKER_00

No, and I think the thing is is that I don't think there's the forethought there's the foresight, forethought to kind of go with it, which is I'm not sure forethought's a word, but um Yeah, no one's thought about it.

SPEAKER_03

They just it's just like this is it's like Google, you just Google what you want and it's like okay, but that thing you're checking your grammar for, how sensitive is it?

SPEAKER_00

But it but I think it's that it's that element of of not that sense of l n losing control of the data. Yeah. It's the once it's out there. I think the other side of it as well is, and we've seen a little bit of it, is kind of as people it's the influencer side of things. So again, when you're in the workplace, it's the a a lot of people do encourage kind of like the TikToks and it's the social media side of stuff. But actually, what are you if you do it, what actually what information are you giving to people when you do this as well? And it's the what are you revealing about yourself, so I mean indirectly, yeah as well.

SPEAKER_03

I mean, the more I use Chat GPT, and it's one of those things where you don't realise how much it's absorbed about you until I literally managed to ask it the other day. If I was a dog, what dog would I be? And it was like, well, basically here's all this information that I remember about you, and this is why this is why I think you're a greyhound. And I was like, okay, sure.

SPEAKER_00

But I think but I think that's the thing with it, is that when people use the chat GPT tools, and I think there's two parts to really two parts to this. One is that you just use it, so it's a plug-and-play system. Yeah. So you just start to dump data.

SPEAKER_03

It exists, you can just get to it without any sort of um difficulty whatsoever.

unknown

Yeah.

SPEAKER_03

Free and available.

SPEAKER_00

And no, uh I'd say this and this is the why businesses are creating closed networks for themselves because then the data doesn't go anywhere.

SPEAKER_02

Yeah.

SPEAKER_00

And people don't close the network when they start to use sort of an open AI or a Claude or a Groc or whatever you use.

unknown

Yeah.

SPEAKER_00

I think the other part of it is also the rise of sort of it's always gonna, it feels like it's always coming back to grievance letters and the use of AI and the use of AI as your sort of uh legal professional in the space where people will say, you know what? Um they'll type in the scenario they're having at work. Now the scenario is generally very business-centric. You can identify the situation, there's probably commercial information going in there. Yeah. If you've not if you've not clicked that to say, actually, I'm gonna close a network in what you do, you are at that point in a feeding the machine. You're feeding the machine, but you're also then releasing commercially sensitive data. So if we then go back to your contract of employment without saying too dull, it's you're then in breach of it because it's it's it's an unapproved release of commercial information.

SPEAKER_03

But also, once confidential information is in the public domain, it loses its confidentiality. And so that's a breach in that person putting it on. But someone else later that you're going to try and say, No, you can't do that, that's confidential, you can't use that information in that way. If it's available on open source, yeah, yeah, it's not confidential anymore.

SPEAKER_00

And I think the and it's I think it's the tools are the are the interesting bit because it's well interesting, but everything's interesting at the minute because it's just sort of there's so much change, you know.

SPEAKER_01

Yeah.

SPEAKER_00

It's not interesting for everybody. Um but it's what you do with that. And I think if you look at the I think the other part of this also as well that we're not talking about is uh recording of meetings. And I've never seen like so we're talking to people at the minute, they as a tool to support people like ADHD, they're saying we're just gonna record meetings.

SPEAKER_03

And I'm just like You are collecting so much information you did not need.

SPEAKER_00

Yeah, and they just want one person wants to put an opt-in for all data just to be collected in or meetings to be recorded.

SPEAKER_02

Yeah.

SPEAKER_00

So we're sort of saying, Ugh. It's like I was like, uh the tongue got too big for my head when I got soldier, I think it was a stress. Um but what we've said is that actually rather than doing that, let's try and carve it out a slightly different way. So let's kind of say there's the general meetings piece, yeah. Which, yeah, absolutely record those. I think you've got to take a view on the commercial on anything that's commercially sensitive, and then there's the bit where there's the personal meetings. So if we're looking at pips, if we're looking at absence reviews, things like this, because again, it's where's this you where is this going to because people are just grabbing sort of Fireflies, Otter, uh Microsoft Teams.

SPEAKER_03

And no one's checked it, no one's no one's necessarily thinking about where it goes.

SPEAKER_00

But the thing is, and we see this as w where we'll kind of get into stuff with clients and we'll get sort of videos and transcripts from Teams, but Teams can't even be um great at times because again we've had stuff through where we can see other things that have been referenced because the AI is going against the wrong data. Yeah. So again, people are using sort of getting transcripts from teams, not even checking it as well.

SPEAKER_03

Yeah. And using that as your basis that you run from, yeah. Not knowing that you have, you know, the summary you've taken or the instruction you've taken isn't actually what was discussed. And this is so there's a few things that kind of come to this. So using tools before controls are in place. One is the issue of data security, right? What are you putting on it and where does it go and how safe is it? And that's something that needs to be checked. And it might be one of those things, however boring it is, that employers lock abilities to get onto things like Chat GPT from internet, um, firewalls, etc., so that it it's just something people can't do and they only go through authorised channels, right?

SPEAKER_00

You've got you've got to have your approved channels.

SPEAKER_03

Approved channels that are closed, and you know, you understand that that information is not then going into the ether, or that people have a real understanding about what they can put on it.

SPEAKER_00

Well, I think that's the other bit, it's it's educating about what you can put in the system. Yeah. Because again, you can you can if you're trying to create a document, you can take things to a certain point, but you kind of go this section here, we absolutely can't put on a public public forum.

SPEAKER_03

Yeah.

SPEAKER_00

So and people aren't talking to people about and a policy's not going to be enough. No, no, no, not in the slightest. And um it's as soon as if your data kind of gets out there and it can be out there for from everything that's talk that's going on, you need to be there. I think the other bit is also about we've got to get back into the form of consent on data, because again, that's that's ebbed away, and again, that's probably a post-2020 issue that we've really seen. We've seen that more and more with kind of going, well, we're all on a team well, because we do less physical meetings these days. It's just like, oh, just record the message.

SPEAKER_03

That's fine, I just it's happened. It's already happening, what are you gonna do about it? Yeah.

SPEAKER_00

Yeah, and I think like we we were on a call the other day and we we kind of someone asked for it to be recorded and we said no, you know what I mean? We don't want it to be recorded. No. And you could see people around the table and go, oh my god. You know what I mean? Shook us.

SPEAKER_03

But this is it. So so look, data security, one of the things we were talking about, um, when you're thinking about how you use it, where does it go, what can people put on it. Would you encourage people to have in their disciplinary policy that you can't be using outside you know, um large language models for confidential information, internal, like you know, that kind of grievance piece about other people, what's going on in the workplace.

SPEAKER_00

So I think you need to put large like anything that you're using needs to be proved. It needs to be on kind of your kind of like whitelist of what you've got. I think you need to make sure that people aren't recording things covertly as well. Like more and more, like you can sort of see people, like you see phones just kind of drops into the middle of the middle of a table.

SPEAKER_03

I'm just gonna leave this here.

SPEAKER_00

Yeah, and it's um it's like we're doing a disciplinary, we're gonna not disciplinary, we're gonna be doing an investigation with someone, and um we're gonna ask that put that person to demonstrate the room by themselves at that point. Um but again, where you where you think that's appropriate, and again, because I've been I've certainly been in disciplinaries where you can hear you've been told no one's there.

SPEAKER_03

And it's like why who is coughing?

SPEAKER_00

It literally is that there was there was there there was a heavily accented voice to the side, um, which was not the person that we were chatting to because they didn't know how they didn't have a heavy accent.

SPEAKER_03

Oh my god. Um but this is it, so so you you've got there's a degree of control you need.

SPEAKER_00

Yes, and I think there's the but it's also setting up the terms in terms of like how you're gonna manage remote meetings, it's kind of how you engage access. The other bit is actually how you how you flag breaches, or if you think you've you've flagged you've created a breach as well. Yeah, yeah, we don't we don't I'd say certain people within organisations are really good at seeing breaches as well. Um others aren't, and um I think there's a lot of data that passes through.

SPEAKER_02

Yeah.

SPEAKER_00

I think people I think but this is the whole education piece about taking a step back and going these tools are great and they are good and they can really help you and they can make you a hell of a lot more efficient.

SPEAKER_01

Yeah.

SPEAKER_00

There's two sides, it's about kind of getting the approval internally. The other thing, as well, and we've seen with some marketing and media elements of what we do, is about the use of AI and sort of the um think of banana one. So you can generate your own AI images and videos.

SPEAKER_03

Right, yeah, of course.

SPEAKER_00

Um we've we've got people in the creative arts that are using some of the AI. But again, if you're as part of your social media strategy, if you're using AI images, using people within that, have you got their approval, have you got their consent?

SPEAKER_02

Yeah.

SPEAKER_00

Because again, if you get somewhat, if you used to think it was AI and get someone to do something, they weren't particularly happy.

SPEAKER_03

Well, this is it, yeah. It's a whole can of worms, isn't it? It's a complete sort of um I was gonna use a really inappropriate word then, but it's it's an absolute matrix of pitfalls. But one of the other things is retention. So one of the best strategies you can have, because everything you put into your closed AI as well, or how you use your computer at work, um, processing personal data, is all responsive under disclosure for a tribunal or subject to access requests. And so one of the best things you can do is just have a 24-hour deletion policy that you do not hold on to what goes in or out of AI in your business. Because, you know, imagine the situation of a manager saying, Oh, I'm having a really hard time with person, I've said this, they've said that, what do I do, etc. You don't really want that to be something that you are holding on to for years and years and years.

SPEAKER_00

And that's the problem with is is that the systems like sort of Claude and OpenAI do hold on to the data. The other thing as well is that we're seeing more and more is that people saying, I've taken our business plan, and what I've tried to do is try and interrogate it by kind of putting some put some scenarios and questions through it, and then it's just become this whole kind of mess of dung at this moment in time. And and it's and it's tricky because people want to be as intelligent as quickly as possible, but it's just not you can't do it.

SPEAKER_03

We're running before we're walking a lot of the time.

SPEAKER_00

Yes. And the thing is I would say don't not use it.

SPEAKER_03

Yeah.

SPEAKER_00

Absolutely still use it.

SPEAKER_03

Just think about how it's being used.

SPEAKER_00

Yeah, and it and it's simple things as be intentional about how you're using it, have your whitelist, it's the putting it putting a plan together to educate people to sort of say that. It's a in in the same way if someone thinks they've breached the data, it's having a co-ingoff period period to begin with.

SPEAKER_02

Yeah.

SPEAKER_00

Uh so actually, if someone self-reports within sort of 48 hours to say, you know what, I've used I've used so-and-so, and I've I've realized I've put the data on there and it's you know, and it's potentially accessible, you can at least then try and do something about it that way. Um and I think it's extending kind of being very, very clear about kind of what isn't acceptable.

SPEAKER_03

Yes.

SPEAKER_00

Which we're not very good at.

SPEAKER_03

No, and to be fair, it's one of those things that you kind of find out what's not acceptable because it happens rather than because it AI can be used in so many ways. No one can sit down and anticipate all the potential misuses, but you just have to be as clear as possible about it's like any disciplinary policy or any sort of policy where it's like this list is not exhaustive, but here are some examples so you can see what we're bother like what we're bothered about.

SPEAKER_00

And what we I think if you just take sort of sort of um new assets or kind of new systems just generally, the really good businesses we work with are really open to new systems, but there's an onboarding process to it.

SPEAKER_03

This is it. So open to, don't shut it down, but like bring it on. We don't want people being like, oh, I'm not I'm not using that.

SPEAKER_00

Yeah, because the moment that you make it sort of this thing that you can't use, it becomes this covert thing. So it's actually all right.

SPEAKER_03

But it's gonna happen anyway.

SPEAKER_00

Yeah, yeah. And and the thing is the amount of times that people will like pe uh and we'll see it, it's like we see it more in FS, but like where people will say you can't email your own personal email address and you can't you can't use say open AI. Yeah. So we what we have seen is people kind of emailing all their personal details. Yeah. You'll you'll shut down open AI in in the workplace. So all they'll do is that they'll email their personal email address and they'll bang it through a personal kind of open AI.

SPEAKER_03

And you're just perpetuating it.

SPEAKER_00

And that's why if if you shut down too many options and it's a tool that people need to use.

SPEAKER_03

You are forcing it through that way.

SPEAKER_00

Yeah, yeah. And and that's the bit where it's the world is changing. You've got to sort of sort of hop on the bus because it's it's gonna go without with with or without you.

SPEAKER_03

So one of the other things I wanted to talk about was automated decision making. So if you're in tribunal and a judge says to you, go on, why did you dismiss that person? What was in your mind? And you went, Well, Chat GPT said Yes. Then it's just got no credibility at all. So managers using it to make decisions has two issues for me. One of which is there's no ownership then of that call. But the other one is, okay, um there are actual specific provisions under GDPR about if your data is used, personal data is used in automated decision making, you have rights for some human oversight, etc. And so you might be falling foul of data protection law.

SPEAKER_00

Yes. And the thing is that sort of AI-led decision making needs a sophisticated solution of what it is.

SPEAKER_02

Yeah.

SPEAKER_00

And I think the challenge that we're seeing is that people that are using it for that decision making are are not putting sophisticated and not using sophisticated structures.

SPEAKER_03

It's all in the prompt.

SPEAKER_00

Yeah, yeah, and and it's so I'm again it's the it's not being against it, but if you can use it, use it properly.

SPEAKER_01

Yeah.

SPEAKER_00

And it's the if you are s there is there is what we're seeing or what I'm seeing reported is that there is internal bias within systems. We are the problem is always kind of with a human input on these things is that there's the the biggest error is always in sort of human error.

SPEAKER_02

Yeah.

SPEAKER_00

Because, you know, some we used to describe describe as a picnic, it's a problem in chair, not in computer. Which I was thought they're like, yeah. Um the and with that is that we are more likely to make mistakes. Um I think I think a lot of the people that lean on this is more through laziness rather than through um a desire to be underhand, and they don't and they don't realise the position they're putting themselves in. That's exactly as as they do it.

SPEAKER_03

No one's going out of their way to be like, you know what, this isn't for me, I'm just gonna outsource.

SPEAKER_00

Like yeah. And but I think it's this but I we see it more from the I want to be a recruiter, so what I'll do is I'll just harvest as many CVs as I can. Great. We'll put farm them off. Yeah, yeah, and and it's like, oh that's probably been a bit unfair, but it's like we'll get as many CVs as we can. Well then we'll kind of give them sort of our search criteria, but again again, you're looking for the CVs to be the right thing as well.

SPEAKER_03

Yeah.

SPEAKER_00

And are you looking for the right data within that totally? Because at the minute it's it's it's just I think because and it also this steps back to this other bit, is because we're losing that control, or we're not putting the control measures in, it becomes messier and messier and messier and messier.

SPEAKER_03

It does, yeah, absolutely does. So um the other thing is employees and how they're using it, yes, grievances, yes, other things like that, but also predominantly asking even closed authorised platforms, I've got this weird lump. What do I do about it? Or, you know, um my leg hurts. What should you know, and as a result, people are collecting all of this health information that they didn't know.

SPEAKER_00

Well, the the other thing as well is because it comes from managers, because we we get a lot of managers that that get they are not they don't have huge teams.

SPEAKER_02

Yeah.

SPEAKER_00

So actually they feel quite concerned about uh understanding the situation properly.

SPEAKER_02

Yeah, yeah, yeah.

SPEAKER_00

So again, they'll they'll get part of that part of the information to try and understand someone's someone's position. And try and fill the gap. And yeah, but again, this is the thing where I think people people again will often forget about actually medical data is the most privileged information that you can have about an individual.

SPEAKER_02

Yeah.

SPEAKER_00

And it's something that people will just always go, you know what, it's fine. You know what I mean?

SPEAKER_03

And it's like, no, we have to have we have to meet specific criteria to process a special category data. We also, one of the things people really forget about is data protection impact assessments. So basically, when you're bringing something like this in, think about what's the high risk here. Is it we just had a small spider emergency, and actually, what I forgot to say is we've got the amazing Maisie here with us on work experience who just dealt with that like a chant. So we've had to have a small break while Alice just smashed a spider.

SPEAKER_00

So I was gonna say, yeah. It deserved it.

SPEAKER_03

So um special category data. What people forget to do is do data protection impact assessments, think about the tools, think about how they're going to be used, and inadvertently what it might pick up. And then you can think about what you do to mitigate that. So retention periods is one of the key ones. If you don't hold on to it, you're minimising the impact of having processed that data.

SPEAKER_00

And I think but I think there's there's gonna be a sea change in terms of attitudes to things. So again, we probably see when we're speaking to people like the area that they're least interested in.

SPEAKER_01

Yeah.

SPEAKER_00

Be b beyond sort of HR and employment law is data.

SPEAKER_01

Yeah.

SPEAKER_03

What do you mean? We don't have data. I'm totally with you. It's one and it's really difficult to comply with data protection laws that currently exists.

SPEAKER_00

But but I've you know I've I was I was with a session with like a big four consultancy and they and they kind of we were chatting about 'cause one of the things that people come to us and say, so we with our standard policies, oh c can we just um uh can we just repurpose like the the the employee one for kind of the company data one? And I'm like, no no no no no you've got to do it correctly, make sure you get this right. Especially if you if you if you're a B2C and you and you're kind of getting people's um personal details.

SPEAKER_02

Yeah.

SPEAKER_00

I thought I was in a room with a guy and uh and the firm should remain nameless, but this guy was like, oh yeah, just go on to another just go to someone someone else's website and just copy and paste theirs. And you just I sat there with my head in my hands just like going like, oh my god.

SPEAKER_03

I know that's mental. It's really hard, and that's the thing that's forward-facing, so everyone's gonna see that.

SPEAKER_00

Yeah, yeah, and it's like but for me, that's the thing is that you've got someone who should be taken, you know, as a larger firm, they should be taking it more seriously.

SPEAKER_03

Well, did you see the WhatsApp decision? This is a I wasn't really planning to talk about this today, but when WhatsApp got fined for not having a really good privacy policy in place, they're fined something like 225 million euros in breach. And so if you're a big company, I mean like your average Easy HR is probably not gonna be on the list for such a huge fine. No offence. Um but it's gonna be one of those, or you know, where it's that case where it's a big example, especially a data-led business, you're not gonna get that um benefit of the doubt.

SPEAKER_00

No, and and I think it's the bit where if you if you've been actively reckless in what you've done or you've not been so and again it comes back sufficiently curious about what you've done.

SPEAKER_03

You know better and you choose not to, yeah, then that's on you.

SPEAKER_00

It is. And I think that th that there's a real danger at this moment in time that if if people um with the ISO, like the ISO have changed the the DSAR stuff earlier this year in terms of you can go back and ask people you can assert things so so people can have to be clear about what they want and you can you can delay the process slightly if they're not engaged with the process to get to get that. That's absolutely fine. But similarly, I think they're gonna push that obligation back onto employers as well. So I think they're gonna go they're gonna go, yeah, yeah, like we're gonna work with you, but actually there's gonna be a point we're saying like you've also got you've got to take more responsibility for what you're doing.

SPEAKER_03

Step up.

SPEAKER_00

Yeah.

SPEAKER_03

So we've talked about um using tools before controls are in place, having security, having frameworks, thinking about your policies, your education piece, how long you hold that data for, and looking at it. One of the other things, and this is really interesting, so when we talked about what we were gonna discuss today, this hadn't come out yet.

SPEAKER_01

No.

SPEAKER_03

But an AI law firm won their first civil claim yesterday.

SPEAKER_00

Yes.

SPEAKER_03

Which is just bananas. Yeah. Yeah. And look, I think there's a lot of people threatened by this, but at the end of the day, we're talking about this is uh a particular AI firm that's limited to the small claims court, which could to be honest, there's a lot of unrepresented people that could really do with a bit of help, and it's actually SRA regulated.

SPEAKER_00

But I think the difference with that is when it's SRO regulated, so to get there, it it's incredibly structured, and I would argue there's probably more of a decision tree in the background. Absolutely.

SPEAKER_03

It's not going to be rogue.

SPEAKER_00

No. And I think the d the danger that we've got with something like this is that it encourages people to think that actually if I use um Claude, then actually I'll be able to uh a large language model is very different to engaging a specific AI law firm.

SPEAKER_03

Yeah.

SPEAKER_00

Yeah, and I think I think it's coming, and actually I would I would always say to people is like what what I and we do is largely a process. It's the have you follow the process. The complexity comes in around sort of human and emotional reaction to things. And that's when people do daft things, and that's where it gets it gets messy and all a bit woolly and and not great that way. I think the what we're seeing more and more is that people are leaning on to um AI to help with kind of responses to grievances, and they are using it as their sort of uh legal advisor. I think the fact that we've got the the firm that's won it, I think that's a it will be it's to your point, it'll be in a very specific set of circumstances. Very specific.

SPEAKER_03

This is not a case of all of a sudden AI is coming for all of our jobs and that kind of narrative. This is this is probably a really specific area where it will really benefit from a bit of supporting that process.

SPEAKER_00

And I think what we're I think the thing that that we're seeing is that we can see when something's input through AI and going, this is how I defend my position. Because if we don't write that letter in the linear structure that AI needs to kind of understand the data at this moment in time, and that will change, but you can see it all goes to pot. Like with uh and if you have any sort of level of complexity amongst documentation and it's not referred to in the right way and there's some something slightly off, it won't get it.

SPEAKER_03

No.

SPEAKER_00

And we've we've actually seen clients put our advice through AI and gone, well, what about this, what about this, what about this? And we know it's gone through AI because they're not taking the time to actually change the formatting.

SPEAKER_03

The response is immediate.

SPEAKER_00

Yeah, it's like you get you get like a four-page diatribe, and it's like, well, one, that's that you could never write that email in that time, and the second thing, um it's all the M-dashes and the and the and the button buttons.

SPEAKER_03

I mean, I feel targeted because I love an M-dash, but like, so I now have to take them out where I would naturally use them because I don't want people to think it generated it.

SPEAKER_00

No, no, because we we were chatting to someone, and it was a CFO, and he was like, I love an M-dash. I was like, oh no.

SPEAKER_03

I love an M Dash.

SPEAKER_00

I said, but yeah, I said no, I said that that's become the hallmark. That's ship sale, no.

SPEAKER_03

But what's really hard, so we've talked before about tribunal delays, right? But what we also have is okay, AI is generating these huge grievances, and all of a sudden it's every little infringement in the history of this person's employment and not just the actual thing they're bothered about, but then they become more entrenched because what AI large language models are good at is reinforcing, they tell you what you want to hear. That's their that's their job is to be convincing in what they respond to you with, and so it is making people so entrenched in thinking that they've got a multi-million pound claim.

SPEAKER_00

Yeah, and and and the thing is that's always been there to a degree, and I and I would also like you you have that certainly for my world, you'd have that mate down the pub.

SPEAKER_03

So you deal with someone and they've got like this Terry down the pub, it'd be like, Oh yeah, you can I love it when you get a my friend's mum works in HR, and it's like great.

SPEAKER_00

Honestly, it's like if you listen, I'll just kind of try to shoot myself. Because again, it's the it the amount of people we speak to, it's like my mum works at NHR, and it's like, yeah, I'm sure she does, but I'm sure she just promises the pay the pension forms.

SPEAKER_03

But do you also remember how you stole that thing out of the till? So, you know, good luck with that one, but yeah, yeah.

SPEAKER_00

But I think this is the thing where because of this, the people that are stupid enough to do the things that are wrong in the first place are stupid enough to believe the doubling down, yeah, yeah, and and it is, and and it's you know, this isn't saying all people are stupid because some people do some daft things and and they're great people, but they've just made a mistake.

SPEAKER_02

Yeah.

SPEAKER_00

But I would like I've always said over the year, I've been doing this 20 odd years now, and it's like the people that we generally get to to dismiss, um, it's not a naive mistake. No, very, very rarely is it a naive mistake. It is people that are actively actively being stupid or being reckless and not be not prepared to take responsibility for their own actions.

SPEAKER_03

It's kind of why I love my job.

SPEAKER_00

Sick off.

SPEAKER_03

I think it would feel I think I would feel a lot more morally compromised if it was, you know, this kind of big bad employer thing that you kind of get fed a lot of the time. But but yeah, so it's look, um one of the other things I wanted to say about AI legal advice on the rise, um, and it kind of comes back to some of the things we've said before. There was a really early case, I think it was in a BBC article, where basically someone who had blown the whistle, who needed protection, put like asked Chat GPT something and had it fed back to them that they were the perpetrator of wrongdoing in their own case because of how the information had been absorbed by the large language model and spat back out, being like, oh, we know this person's name. They are a bad person and they did all these awful things. So it's not a hypothetical risk.

SPEAKER_00

Yes.

SPEAKER_03

Is one of the things I wanted to add. But yeah.

SPEAKER_00

No, and we'll take that case out and then put it in the sh in the notes for the show.

SPEAKER_03

Oh god, if I can't find it now.

SPEAKER_00

I was gonna say that that there's there's a challenge.

SPEAKER_03

I'm fairly sure I'll be able to find it. But right, one of the things you mentioned at the start, AI generated images. One of the things that I know focusing on sexual harassment, we have more of an obligation to protect now than we did two, three years ago. There are extra employer responsibilities that now exist. And so you have to think about the fact that generative AI can be used to create offensive images of people or otherwise, and we're seeing that kind of like you said, if you use a picture of someone and make them do something that they wouldn't have done normally, then you are that is a new way of creating harassing content for people.

SPEAKER_00

Yeah, I I think it it's the consent, it's the consent part is massive, and it's the you'd want final approval from people if you do you do do that, but I also think it sits alongside the sort of the general kind of trend for uh you you user-generated content as well. And then there's probably a wider IP question around that. So again, it's the although people say um I gave my consent, I actually that consent really kind of if I'd said no, it was gonna go out anyway. Yeah. So I might I felt I felt another option but to do that.

SPEAKER_03

And consent has to be freely given and genuine and in the balance of power between the two individuals. Where you have an employer asking an individual, you're probably never really going to have meaningful consent in that way.

SPEAKER_00

And and I think I think in the desire to kind of stand out the noise on things, and whether it's kind of rage beauty or kind of otherwise, I think there is a danger that those people that aren't the best people, who are more likely to the people the people that don't do things in the right way, um they're gonna try and do create content which actually makes them stand out and stand out from the crowd. Yeah. And probably for the wrong reasons as well.

SPEAKER_03

But even on a more basic level, do your harassment policies use this as an example to just say you should not be using do you know the sorts of people who would go out of their way to do something? Or, you know, oh I've written this funny little story where I've made um I've used two of the names of our colleagues and I've made them have an affair in this funny little story that I've written, which is something that I've had um come across my desk. So it's one of those things where it's like um make sure that your harassment policies deal with the fact that stuff created this way is potentially because harassment is regardless of intent, right? It's the purpose, it's the effect, it's the outcome.

SPEAKER_00

But for me is that I've I think if you're getting into this kind of space, actually it's easier to demonstrate because you don't just accidentally create something. Yeah. So you've genu and again, the better the prompts, the mu the more comprehensive.

SPEAKER_03

Oh god, those prompts are gonna be damning. I can't wait.

SPEAKER_00

Yeah, yeah. So it so actually to it to a to a degree, this is the bit where if someone is is creating sort of that harassment through um through kind of AI generated images, videos, anything like that, i it it has gotta be there's no defence in that situation because again it's the you've not just like kind of like hit your keyboard and then like a coffee cup's hit enter, and it's created.

SPEAKER_03

Oh no, I fell and I wrote this as I went down.

SPEAKER_00

Yeah, yeah. And then it's it's all of a sudden fallen onto an email or into a WhatsApp chat and then been distributed to send all. You know what I mean?

SPEAKER_03

Yeah.

SPEAKER_00

That that just doesn't work.

SPEAKER_03

But as an employer, you can only run the statutory defence, i.e., this individual's behaviour is so outside of the realms of acceptable behaviour that they should be liable and we shouldn't, if you are training and you're actively anticipating.

SPEAKER_00

But then this comes back to the conversation we're not all the way through this, which is actually if you would it's whitelisting things, you you give access to certain teams on certain things. Again, the marketing team have got to be really careful when they start again when they're testing stuff, and I get that kind of people will do stuff which they never intend to see the light of day, but they're trying to test things to do certain things. Um and have you heard about the thing about in game in software development? There's a thing called like time to cock.

SPEAKER_03

Right.

SPEAKER_00

And and it's about kind of it's how quickly people within sort of games try and make a phallic thing. Oh they do. Oh, my God. It's a genuine I didn't know about this. But but I think but but this is but this is an issue with but this is a mentality issue that we run into because people will do these types of things.

SPEAKER_01

Yeah.

SPEAKER_00

And we've got perfectly respectable people within their jobs that that will try and do things like this. And when they start playing with stuff like OpenAI, or they start playing with the banana one, which I always forget the name of, um, they will do rude and inappropriate things.

SPEAKER_01

Yeah.

SPEAKER_00

And it whether it's intent to go into the world or not.

SPEAKER_01

It exists.

SPEAKER_00

Yeah. And we've gotta make we've gotta make sure that people don't that people understand the impact of their actions. You can't stop people from doing things. Yeah. But what we can do is say to people, it's advise it's advised that you don't do that. If you want to do it at home, fine. You know what I mean? Do it do what you want at home. You know what I mean? We're not here to judge. I don't know.

SPEAKER_03

I don't know if we're I don't know if we're free and clear on that either. But basically, it's a respect thing, isn't it? It's a it's uh it's a um whether or not there is a necessarily employment or data protection legal reason not to, it's just generally a kind of like just don't be that b don't be that guy.

SPEAKER_00

Yeah, don't be a dick.

SPEAKER_03

Don't be a dick. Don't be a dick.

SPEAKER_00

Don't be a dick.

SPEAKER_03

Um right, one of the last things, the right to complain came in on the 19th of June.

SPEAKER_00

Yes.

SPEAKER_03

Which is under the Data Use and Access Act 2025, because I know you love a statute. I know you're sat here being like, that's actually my favourite statute, Rachel. I'm so glad you mentioned it. Um it's gotta be up there, right?

SPEAKER_00

So sorry, sorry, just I wired out for a second.

SPEAKER_03

Oh, it happens. Um but right, so basically, uh individuals now have the right to complain to a data controller to say, I'm not happy with how you're processing data while processing my data, or you didn't do a DSAR right, or you're not asking for my consent when you're doing these things. And now employers have or data controllers have 30 days to acknowledge.

SPEAKER_01

Yeah.

SPEAKER_03

They then need to investigate and they need to respond as without undue delay, is the kind of incredibly vague term. And this to me is the ICO saying, we are getting too much of this, you sort it out.

SPEAKER_00

But I think the ICO have always been for the past two or three years, if you speak to anyone, they'll say if you if you if there's a complaint about the ICO, actually it's not that serious because they've got such a backlog that they're only really interested. No, you've got to be really bad at kind of responding to a DSA.

SPEAKER_03

Also, the information commissioner has just been um well, he's resigned, I think, pending the outcome of an investigation.

SPEAKER_00

I think it was in mutual agreement at that point.

SPEAKER_03

I think he was posting a lot of things on LinkedIn without the ICO signing it off. Anyway, they've got they've got stuff they're dealing with at the minute internally, so you know, um I'm not saying now is your time to get away with things, but they're clearly overburdened, they've got a lot on their plates. So the right to complaints come in. The main thing I am interested in about this, because it is just it's a data process, make sure you have somewhere it can go. But complaints about how data is being processed can very easily become whistleblowing.

SPEAKER_00

Yes, and I think the the point within this, again, this comes through the care in terms of processing data and actually having the policies in place to say because again, because because people will just get policies and data from they don't read what's in the wrong sort of data processing policy. And actually the proper process processing and again this comes back to um where you've got data, what tools you're using, where they're storing your data. Yeah. So again, it's that if you're saying you're doing everything within the EU and actually it's going out, you don't know where it's going in terms of to a global sort of server server farm, then you're in breach of your own data policy at that point. Again, it's the do you know what's going on at China, Russia? There's no clarity about that. But again, it's it's the having come back to having the approved stuff, having having the approved processes. This will be a massive issue, but I think it's gonna take sort of four or five years to kind of work its way through in truth, because I think we've got to have the back and forth on f on things, and the uh the ICR was incredibly slow at r resolving things, but I agree with you, it's that this is like a a boulder that's just started to move now.

SPEAKER_03

Yeah.

SPEAKER_00

And I agree on the whistleblower like the whistleblown one's gonna be.

SPEAKER_03

I think that's the main thing, is that I'm not really worried about this from an enforcement perspective. I'm worried about it from a who is owning what process, and do they know when to spot something that's coming through this that actually needs to be dealt with by a whistleblowing process?

SPEAKER_00

But I don't think people understand whistleblowing at the best of times.

SPEAKER_03

Yeah, maybe they just ask you for too much.

SPEAKER_00

I think they get it from a like an accounting and from a um health and safety point of view. So it's that is the fraud are are people's lives at risk?

SPEAKER_03

The big cover-ups. Yeah, yeah, yeah.

SPEAKER_00

Yeah. But in respect of the well, what does that actually mean for whistleblowing in terms of data?

SPEAKER_03

Yeah. And it's any breach of the law can count as whistleblowing. So that's the difficulty, is that's so broad.

SPEAKER_00

Yeah. And but then the other part of that as well, the law is effectively kind of what your policy is.

SPEAKER_03

Yeah.

SPEAKER_00

And if your policy then doesn't reflect what you do, then you're effectively in breach of the law at that point.

SPEAKER_03

So again, catch 22, find out what you're processing. But yeah.

SPEAKER_00

And and this is the bit where it it's the be, you know, sufficient, you know, you've got to be interested in what you're doing. And it's the now is probably a good time to kind of revisit things. There's a lot and I think the the change is stuff like this will get missed.

SPEAKER_03

Yeah, 100%.

SPEAKER_00

And it will then then turn into a bigger issue.

SPEAKER_03

It's just gonna be a mess. So try and do what you can to not let it be a mess.

SPEAKER_00

It's gonna be a hot mess.

SPEAKER_03

Hot mess.

SPEAKER_00

Hot mess.

SPEAKER_03

Like us. Right, that was everything on my kind of tech pitfalls, HR problems, things we're seeing across desks. Yeah.

SPEAKER_00

I think yeah. I think that's I think I think we're I think we're gonna see things quite enough sort of in the next few months as well. I think we're gonna hit that recess for uh Parliament in the summer. Although uh what I'm looking forward to is to see on Andy's approach to Come on, Andy. But we're not we're not gonna see a rollback on employment.

SPEAKER_03

No, absolutely not. I think But there's a lot of consultations at the minute and it'll be interesting to see what comes out of those.

SPEAKER_00

And the other one, the thing I've read, heard is he may roll back on employees' national insurance. Oh Which I think would be a positive.

SPEAKER_03

Which we've talked about a lot.

SPEAKER_00

Yes.

SPEAKER_03

Yeah.

SPEAKER_00

Um but I th I think I would hope that there's some more kind of uh enablement of businesses with a mother. And I think that the general noises I think is that there would be, but it needs a manifesto to begin with.

SPEAKER_01

Yeah.

SPEAKER_00

Which is always a sticking point when you're in charge. But hey Brill.

SPEAKER_03

Well, that's been not another HR podcast. Thank you for joining us.

SPEAKER_00

Yeah. If you've got any questions, again we we do like them, we do like feedback.

SPEAKER_03

And if Alistair has a need for praise.

SPEAKER_00

Huge amount of need. Um if you need to get in contact with us, you can contact me at info at ezhr.uk or catch us at ezhr.uk. And we've updated the website, which I'm incredibly happy about. Thank you. Yeah.

SPEAKER_03

That's exciting.

SPEAKER_00

I need to do some more images for it, but yeah, we've got we've taken some nice photos the meantime. Yeah, yeah.

SPEAKER_03

Yeah. And you can find me at horsehillmenzies.com. I'm Rachel Rigg. Um and yeah, thank you for joining us.

SPEAKER_00

All the best. Thank you. See you next time.

unknown

Bye.

SPEAKER_03

Welcome to Not Another HR podcast.

SPEAKER_01

You're joking. Not another one.