GDPR and AI Tools: What Businesses Need to Know
AI tools like ChatGPT, Microsoft Copilot, and Claude have become standard in modern workplaces. Drafting emails, summarising documents, generating reports — staff are using them every day. Most organisations haven't thought clearly about what that means under GDPR.
The short answer: if personal data is going into an AI tool, GDPR applies. That includes names, email addresses, employee records, client information, financial data, and anything else that can identify a living person.
Why AI Tools Create GDPR Risk
When an employee pastes a document into ChatGPT, several things happen: the text is transmitted to OpenAI's servers, it may be used to train future models (unless the user opts out), and it is processed under OpenAI's privacy policy rather than your organisation's. If that document contains personal data about employees, clients, or customers, you have just shared that data with a third party without a legal basis to do so.
Under UK GDPR and EU GDPR, this is a data breach unless:
- You have a Data Processing Agreement (DPA) with the AI provider
- There is a lawful basis for the processing
- The data subjects have been informed
ChatGPT's free and Plus tiers do not include a DPA. ChatGPT Enterprise does. Microsoft Copilot for Microsoft 365 includes a DPA via the Microsoft Product Terms. Claude Enterprise includes a DPA via Anthropic's commercial terms.
The practical risk: Most staff using AI tools at work are on free or personal accounts that have no DPA, no data residency guarantees, and no compliance protections. The organisation — not the employee — is liable for any breach.
The Lawful Bases Problem
Even with a DPA in place, you still need a lawful basis for processing personal data through an AI tool. Legitimate interest is the most commonly claimed basis, but it requires a balancing test that most organisations haven't conducted for AI use. Consent is rarely appropriate for employee or client data processed for business purposes.
The safest approach is to avoid putting personal data into AI tools at all — and where it's unavoidable, to have a clear policy and DPA in place.
What a Compliant AI Policy Looks Like
1. Classify what data can and cannot go into AI tools
Special category data (health, ethnicity, religion, biometrics) should never enter a consumer AI tool. Personal data (names, emails, addresses) should only enter AI tools covered by a DPA. Anonymised or aggregated data can generally be used freely.
2. Use a pre-send screening tool
Before any document enters an AI tool, it should be checked for personal data. A local PII scanner like Mutant Data Safety Layer runs entirely in the browser — nothing is uploaded anywhere — and identifies emails, NI numbers, bank details, postcodes, and named individuals before they get pasted into AI prompts.
3. Maintain a record of processing activities
Your ROPA (Record of Processing Activities) should include AI tools as data processors, the data categories processed, the DPA reference, and the lawful basis.
4. Train staff
GDPR liability follows the organisation, not the individual. Staff training on which AI tools are approved, what data can be shared, and how to check documents before sending is a compliance requirement, not optional.
→ Try Mutant Data Safety Layer — FreeFrequently Asked Questions
Is using ChatGPT at work a GDPR breach?
It can be. If personal data is shared with ChatGPT without a Data Processing Agreement and a lawful basis, it is likely a breach of UK GDPR or EU GDPR. ChatGPT Enterprise includes a DPA; free and Plus accounts do not.
Does Microsoft Copilot comply with GDPR?
Microsoft Copilot for Microsoft 365 is covered by Microsoft's Data Processing Addendum, which includes GDPR compliance commitments and data residency options. Consumer Copilot (free, web-based) does not have the same protections.
What personal data should never go into an AI tool?
Special category data under GDPR — health data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data — should never be shared with consumer AI tools. Employee payroll data, client financial records, and NI numbers are also high-risk.
How can I check a document for personal data before using AI?
Mutant Data Safety Layer is a free browser-based tool that scans pasted text for personal data and redacts it before you send it to any AI tool. No data is uploaded anywhere — the scan runs entirely on your device.