Nearly half of Dutch small business employees shared confidential client or business data with a free AI tool last month. Not just once. On average, 3.1 times per week.
Those are the top-line numbers from TheAIDaily's own survey among 225 respondents at 100 Dutch SMBs. But the figure that actually explains the other two sits elsewhere in the data: only 28% of respondents knew that free AI tools are allowed to store and use their inputs for model training. The rest acted without knowing.
How this research was conducted
TheAIDaily ran a structured survey among 225 respondents at 100 Dutch small and mid-sized businesses (2 to 249 employees). The sample included 75 employers or managers and 150 employees, spread across sectors including retail, professional services, healthcare, and construction. Fieldwork ran from May to June 2026. The margin of error is ±6.5 percentage points at a 95% confidence level.
Three findings worth knowing
1. 44% shared business data with a free AI tool in the past month
Of all 225 respondents, 44% reported entering customer or business data into a free AI tool, such as the free tier of ChatGPT, Gemini, Claude, or Copilot. This is not fringe behavior. Nearly one in two Dutch SMB employees did this within a single month.
2. Among those users, the average frequency was 3.1 times per week
Three times before Thursday. That is the pace at which business data is flowing into free AI tools among the group that does it. This is not occasional experimentation; it is a baked-in work habit. Shadow AI in Dutch SMBs has stopped being the exception and become the daily routine.
3. Only 28% knew that free AI tools can use their data for training
This is the number that reframes the other two. When asked whether free AI tools are allowed to store or use inputs to improve their models, only 28% of all respondents said yes. The other 72% believed this was not the case, were unsure, or simply did not know.
The implication is significant: most SMB employees who share business data with free AI tools are not making an informed risk trade-off. They are acting on a false assumption. That makes shadow AI in the SMB segment primarily a knowledge problem, and only secondarily a compliance problem.
Why are SMB employees doing this?
The numbers show what is happening, but the underlying logic is worth unpacking. Four factors explain why 44% of respondents entered business data into a free AI tool last month.
Convenience outweighs policy
Free AI tools require no approval process, no IT ticket, and no waiting. If you need to rewrite a client email or summarize a proposal quickly, you open a browser tab and paste the text. That is faster than waiting for a company-approved tool, if one even exists. In SMBs, where IT departments are small or absent, the path to free tools is structurally shorter than in enterprise settings.
Lack of awareness about data use
The 72% who did not know about data training practices are not an anomaly. Most free AI tools do not surface this information prominently. The data consent language lives in the terms of service, not in a warning that appears when you paste in a customer contract. If you have never read the privacy policy, you genuinely do not know what you are agreeing to.
Here's the thing: this is fundamentally different from negligence. An employee who knowingly accepts a risk is a different situation from one who believes no risk exists. This research suggests the large majority of SMB users fall into the second category.
No policy, no alternative
A majority of the employers in this survey reported having no formal AI usage policy in place. Without clear boundaries, employees fill the gap themselves and default to whatever works fastest. That is not recklessness; it is the predictable outcome of a governance vacuum. When there is no policy, informal policy emerges. And that informal policy tends to be: use what works.
Time pressure
Speed is a survival factor for small businesses. Clients expect fast responses, quotes need to go out the same day, reports get finished in the evening. AI tools compress that time. In that context, whether a tool is free or paid matters far less than whether it is available and fast.
How does this compare internationally?
For context: this is not a uniquely Dutch phenomenon. Gartner has projected that by 2027, more than 40% of all enterprise AI implementations will occur outside the visibility of IT departments, globally. Dutch SMBs are not behind that curve; they are tracking it, but without the compliance infrastructure that larger organizations typically have in place.
Worth noting: the SMB segment is where that gap matters most. A large enterprise has a CISO, a data processing register, and an IT team that vets tools. A small business has an employee who needs to rewrite a client email before end of day. The behavior is similar; the safeguards are not.
What does EU law say?
The EU AI Act creates two obligations that are already in effect for Dutch SMBs.
Article 4, covering AI literacy, has been in force since February 2, 2025. Employers are required to ensure that employees who work with AI systems have sufficient knowledge to do so responsibly. The Omnibus amendment softened this from a hard obligation to a best-efforts standard, but the requirement exists. A situation where 72% of users do not understand how free AI tools handle their data is difficult to reconcile with Article 4.
Article 50, covering transparency for AI-generated content and chatbot interactions, takes effect on August 2, 2026.
For high-risk AI systems, including those used for recruitment, credit assessment, or education (Annex III of the AI Act), the compliance deadline is December 2, 2027. That is the revised date following the Omnibus amendment; the original August 2026 deadline was extended by sixteen months.
Beyond the AI Act, GDPR obligations apply in full. Entering customer data into an AI tool is a data processing activity. If that processing is not documented in your records of processing activities and no data processing agreement has been signed with the AI tool provider, you have a GDPR violation. Whether the tool is free or paid does not change that. The European Data Protection Board's guidelines cover the legal basis requirements in detail.
Four steps you can take now
1. Find out which AI tools your employees are actually using
Ask your team, without judgment, which tools they use and for what. That is your baseline. If you do not know what is already in use, you cannot govern it. You will likely be surprised by how much is already happening.
2. Write a short AI usage policy
It does not need to be long. Three rules are enough: which data may go into an AI tool, which may not, and which tools are approved. Make sure your team knows the rules. ENISA's AI cybersecurity guidelines give you a solid framework to start from.
3. Consider a paid plan for your regular users
Paid versions of ChatGPT, Gemini, and Claude default to not using your data for model training. The cost is low; the risk reduction is significant. For SMBs with employees who use AI daily, a business subscription at ten to twenty euros per user per month is the simplest risk mitigation available.
4. Train on awareness, not just restrictions
The 72% who did not know how free AI tools handle data were not acting in bad faith. A short team session, one hour, focused on what happens to data when you paste it into a free tool is enough to shift that number. Training focused on understanding is more durable than a policy that just lists prohibitions.
44%. An average of 3.1 times per week. And 72% who did not know what was happening to that data.
Shadow AI is already a daily practice in Dutch SMBs. The combination of convenience, time pressure, and a knowledge gap means that sensitive data is routinely flowing to external AI providers: outside IT oversight, outside data processing registers, and outside the governance structures that larger organizations do have in place.
The EU AI Act gives until December 2027 for the heaviest compliance requirements. But Article 4, the AI literacy obligation, is already in force. And the GDPR has never waited for a deadline.
Organizations that act now will not need to catch up in 2027.