AI Data Protection and Risk
What UK Businesses Need to Know
Employees are using AI tools with or without permission. The question is not whether AI is being used in your business. It is whether your business has the governance in place to manage it safely.
43% of UK SMEs have no plans to use AI
Source: British Chambers of Commerce, 2024
Fewer than 1 in 5 UK SMEs have adopted AI
Source: Microsoft/WPI Strategy, May 2025
Is ChatGPT Safe for Business Use?
Consumer Tier Risks
Data sent to OpenAI may be used for model training unless you opt out. Prompts are processed on US infrastructure, and the service is not suitable for business data without an enterprise agreement and clear data processing terms.
Enterprise Tier Protections
Data is not used for training, with stricter data handling commitments and clearer contractual controls. Enterprise agreements offer a better GDPR posture with stronger guarantees on retention, access, and data location.
For business use, always ensure you have a contract that restricts use of your data for training and specifies data location. UK GDPR requires a lawful basis, data minimisation, and clarity on sub-processor arrangements.
What Is Shadow AI: Why It Matters
Shadow AI is the use of AI tools (e.g. consumer ChatGPT, other cloud AI) by employees without formal approval, policy, or visibility. It is accelerating because tools are free or cheap and easy to use, and because many businesses have not yet defined what is allowed.
Data Leakage
Company or customer data sent to third-party AI services without consent or control. Your confidential information may be retained by providers.
IP Exposure
Proprietary processes, strategies, or confidential material used in prompts and retained by providers, outside your legal control.
Compliance Breach
UK GDPR and data minimisation principles violated when personal data is processed outside approved systems. ICO enforcement is increasing.
Reputational Damage
Leaked information or inappropriate AI outputs attributed to your organisation can cause lasting reputational harm.
Copilot and GDPR: What UK Businesses Need to Understand
Copilot can be compatible with UK GDPR if you configure it correctly and understand where data goes. Treat it as part of your core Microsoft 365 boundary, not a consumer AI add-on.
With the right licence and tenant configuration, Copilot can keep data within your Microsoft 365 boundary.
Check your tenant's data residency settings and which Copilot SKUs you are using.
Ensure consumer AI services are disabled or governed by Conditional Access policy.
Can Employees Use AI at Work?
Define acceptable use
What data can be put into which tools. Personal and confidential data must never enter unapproved AI systems.
Publish an approved tools list
Staff need to know which tools are sanctioned and which are not. Ambiguity creates risk.
Train and reinforce
Policy alone is not enough. Regular training and clear consequences reduce shadow AI exposure.
This is guidance, not legal advice. For your specific obligations, consult your legal or compliance team.
The ICO's Position on AI and Data Protection
The Information Commissioner's Office has published detailed guidance on the use of AI and personal data. Organisations using AI to process personal data must be able to demonstrate compliance with UK GDPR principles, including lawfulness, fairness, transparency, data minimisation, and accountability.
AI systems that process personal data require a lawful basis under UK GDPR, the same rule that applies to any other data processing activity.
The ICO expects organisations to complete a Data Protection Impact Assessment (DPIA) before deploying high-risk AI systems.
Accountability is key: you must be able to demonstrate that your AI use is compliant, not just assert it.
Source: Information Commissioner's Office, UK GDPR Guidance and Resources: Artificial Intelligence
Governance Before Rollout
Structure your AI adoption before it structures you.
CLEAR is our structured five-day AI readiness framework. It assesses your data foundations, shadow AI exposure, governance gaps, and adoption readiness, so you can put structure in place before scaling AI use across your business.
Written and maintained by Martin Prosser, Microsoft Dynamics 365 specialist with over a decade of hands-on experience. Last reviewed: February 2026.