Guides

How to Use AI Without Violating GDPR: A Practical UK Guide

A practical, step-by-step guide for UK teams on using AI tools without breaching UK GDPR — lawful basis, DPAs, data residency, DPIAs and a usable checklist.


Most “is this AI tool GDPR compliant?” questions are asking the wrong thing. Compliance isn’t a property a tool has or lacks — it’s a property of how you use it. The same model can be perfectly lawful in one workflow and a reportable breach in another. ChatGPT drafting a generic blog post is fine; ChatGPT summarising a spreadsheet of named customers on a free consumer plan is not.

This guide is the practical version: not the legal theory, but the actual rules and the workflow a UK team can follow to use AI tools every day without breaching UK GDPR. It’s written for the person who has to make the call — a founder, a marketer, an ops lead — not a data-protection lawyer. (And it isn’t legal advice; for high-risk processing, get some.)

The One Idea That Makes the Rest Make Sense

Under UK GDPR, when your business decides to put data into an AI tool, you are the data controller. The AI vendor is usually a data processor acting on your instructions. That single fact drives everything else:

  • You are responsible for having a lawful reason to process the data.
  • You are responsible for ensuring the processor (the AI vendor) handles it properly — which is what a contract called a Data Processing Agreement (DPA) is for.
  • You are accountable if it goes wrong, even though the vendor ran the model.

So the question is never just “is this tool compliant?” It’s “is my use of this tool, with this data, lawful — and can I demonstrate it?” Here’s how to make sure the answer is yes.

Step 1: Work Out If There’s Personal Data Involved

GDPR only applies to personal data — information relating to an identifiable living person. This is the first and most useful filter, because a huge amount of AI use involves no personal data at all.

  • No personal data → GDPR isn’t engaged. Drafting marketing copy, brainstorming names, summarising a public report, generating a stock image, writing code that handles no real user data. Use the tool freely.
  • Personal data → GDPR applies. A customer’s name and email, an employee’s review, a client’s confidential brief, a support ticket, a CV, meeting notes naming attendees, a photo of an identifiable person.

The trap is special category data — health, ethnicity, religion, sexuality, biometrics — which carries far stricter rules. Never feed special category data into a general AI tool without specific advice. And remember that voice and face are biometric: cloning someone’s voice in ElevenLabs or their face in HeyGen is processing biometric data and needs explicit consent.

Practical rule: before you paste, ask “could a real person be identified from this?” If yes, the rest of this guide applies.

Step 2: Have a Lawful Basis (and Know What It Is)

If personal data is involved, you need one of UK GDPR’s lawful bases — most commonly legitimate interests (you have a genuine business need that doesn’t override the person’s rights) or consent. For most internal AI use, legitimate interests works, but you should be able to articulate it: why are you processing this data with this tool, and is it proportionate?

The honest test: if a customer asked “why did you put my data through an AI tool?”, could you give a straight, reasonable answer? If not, don’t do it.

Step 3: Use a Tool With a DPA — and Read the Data Terms

This is the step people skip, and it’s the one that matters most. To use a processor lawfully, you need a Data Processing Agreement in place. The practical implications:

  1. Free consumer tiers usually have no DPA — and often train on your inputs. This is the single biggest GDPR risk in everyday AI use. A free consumer chatbot may use what you type to improve its models, with no contract governing your data. That’s fine for non-personal data; it’s unlawful for personal data.
  2. Paid business/enterprise tiers include a DPA. That contract is what makes the processing lawful and typically commits the vendor not to train on your data. Some vendors now publish their DPA openly — Canva AI, ElevenLabs and Figma AI among them — which makes due diligence easier.
  3. Check the training setting. Even on paid tiers, some tools train by default unless you opt out (consumer Gemini is one to watch). Turn it off for any account that touches personal data.

The rule that never changes: personal data goes only into a paid business tier with a DPA and training switched off. We walk through this with the most common example in Is ChatGPT GDPR Compliant?.

Step 4: Mind Where the Data Goes (Data Residency and Transfers)

UK GDPR restricts sending personal data outside the UK. Most AI vendors are US-based, so a transfer is usually happening — that’s not automatically unlawful, but it needs a safeguard (an adequacy decision, the UK’s “data bridge” to the US, or Standard Contractual Clauses), which a proper DPA provides.

For sensitive processing, go further and prefer UK/EU data residency:

  • Synthesia is a standout — a UK-based company storing customer data in the EU — which is why it’s our pick for video featuring real staff.
  • NotebookLM Enterprise and ChatGPT Enterprise offer EU/UK residency on business tiers.
  • Many tools (Elicit, Perplexity, Descript) process in the US with a DPA but no EU-residency option — fine for general work, not ideal for confidential personal data.

We keep a maintained list in Best AI Tools with UK/EU Data Residency.

Step 5: Minimise — Don’t Paste More Than You Need

Data minimisation is a core GDPR principle and your best friend with AI, because it often removes the problem entirely. Before pasting:

  • Anonymise or pseudonymise. Replace “Jane Smith, [email protected], account #4471” with “the customer”. The AI rarely needs the identity to do the task.
  • Strip identifiers from documents before uploading. Redact names, emails, account numbers.
  • Aggregate where you can. “Summarise the themes in these 200 reviews” rarely needs the reviewers’ names.

If you can get the same output from de-identified data, you’ve sidestepped most of GDPR — there’s no personal data left to protect. This single habit prevents more breaches than any tool choice.

Step 6: Be Transparent and Keep Humans in the Loop

Two more obligations worth building in:

  • Transparency. Your privacy notice should tell people if you process their data using AI tools and why. A line covering “we use third-party AI tools, under data protection agreements, to help with [tasks]” usually does it.
  • No unchecked automated decisions. GDPR gives people rights around solely automated decisions with significant effects (e.g. rejecting a job applicant or declining credit). Keep a human meaningfully in the loop for anything consequential — don’t let the model decide alone.

Step 7: For High-Risk Uses, Do a DPIA

If you’re planning something large-scale or sensitive — processing special category data, monitoring people, or using AI to make decisions about them — UK GDPR may require a Data Protection Impact Assessment (DPIA): a short structured document describing the processing, the risks, and how you’ll mitigate them. It’s not bureaucracy for its own sake; it’s the artefact that proves you thought before you acted. For routine, low-risk drafting and summarising, you don’t need one.

The Practical Checklist

Pin this up. Before using an AI tool with any real data, run through it:

  1. Is there personal data in what I’m about to input? No → proceed freely. Yes → continue.
  2. Is it special category data (health, biometrics, etc.)? Yes → stop, get advice.
  3. Can I anonymise or redact it first? Almost always — do it, and the problem often disappears.
  4. Am I on a paid business tier with a DPA? Personal data requires yes.
  5. Is model training switched off for this account? It must be.
  6. Is the data residency acceptable for how sensitive this is? Prefer UK/EU for confidential data.
  7. Have I got a lawful basis I could explain? If a customer asked, would my answer hold up?
  8. Is a human reviewing anything consequential? Don’t let the model decide alone.

Eight questions, most answered in seconds. That’s the whole discipline.

A Sensible Default Policy for a Small Team

If you want a one-paragraph internal rule that keeps a small business safe: “Use AI freely for anything with no personal data in it. The moment real customer or staff data is involved, only use an approved paid tool with a DPA, switch off training, redact what you can, and never put health, biometric or other special-category data into a general AI tool. When in doubt, anonymise first or ask.” Write that down, share it, and you’ve covered the vast majority of day-to-day risk.

The Bottom Line

GDPR doesn’t ban AI — it asks you to be deliberate. The teams that get into trouble aren’t using AI; they’re using it thoughtlessly, pasting customer data into free consumer apps because it was convenient. The teams that stay safe do three simple things: they keep personal data out of free tiers, they anonymise before they paste, and they use paid tools with a DPA and training off when real data is unavoidable. Do that, prefer UK/EU residency for the sensitive stuff, and you can put AI to work across your business with confidence rather than risk.

Frequently Asked Questions

Can I use AI tools under UK GDPR at all? Yes. GDPR doesn’t prohibit AI; it governs how you handle personal data. For anything without personal data, use AI freely. For personal data, use a paid business tier with a Data Processing Agreement, switch off model training, minimise what you input, and prefer UK/EU data residency for sensitive material.

Is it a GDPR breach to paste customer data into ChatGPT? It can be, if you do it on a free consumer plan that trains on inputs and has no DPA. On a paid business or enterprise tier with a DPA and training disabled, and with a lawful basis, it can be compliant — though anonymising the data first is always safer. See Is ChatGPT GDPR Compliant?.

What’s the single most important rule? Never put personal data into a free consumer AI tier. Free tiers typically train on your inputs and lack a DPA, which makes processing personal data unlawful. Either anonymise the data first or move to a paid business tier with a DPA.