It’s the question every UK business eventually asks once ChatGPT becomes part of daily work: are we allowed to use this under GDPR? It’s a fair concern. Staff are pasting meeting notes, draft contracts, customer emails, and spreadsheets into a US-hosted AI tool — and under the UK GDPR, that’s exactly the kind of personal-data processing that carries real obligations.
The short answer is: ChatGPT can be used in a GDPR-compliant way, but it is not automatically compliant out of the box. Whether your usage is lawful depends on which plan you’re on, how you’ve configured it, and — most importantly — what you put into it. This guide explains the key issues in plain English and gives you a practical checklist.
Note: This is general information to help you ask the right questions, not legal advice. For a formal compliance decision, consult your Data Protection Officer or a qualified data-protection solicitor.
What GDPR Actually Requires
Before looking at ChatGPT specifically, it helps to remember what the UK GDPR is concerned with when you use any third-party tool to process personal data:
- A lawful basis for processing the data in the first place.
- Data minimisation — only processing what you actually need.
- A processor agreement (a “DPA”) with any third party that processes personal data on your behalf.
- A safeguard for international transfers when personal data leaves the UK — for example, to servers in the United States.
- Transparency — telling the people whose data it is what’s happening to it.
ChatGPT touches every one of these. Let’s go through the ones that trip businesses up most.
Where Does ChatGPT Process Your Data?
By default, ChatGPT processes data in the United States. For a UK business, sending personal data to the US is an international transfer, and it needs a safeguard to be lawful.
Since Brexit, the UK has its own UK GDPR and its own rules for international transfers. Transfers to the US are typically covered either by the UK Extension to the EU–US Data Privacy Framework (where the receiving company is certified under it) or by contractual safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. The practical point: you need OpenAI’s data processing agreement to confirm which mechanism applies — you can’t simply assume it’s covered.
OpenAI’s Enterprise tier offers EU data residency, which removes much of the transfer headache for organisations that need data to stay in Europe. The consumer Free and Plus plans do not.
The Training Question
This is the issue that causes the most anxiety, and rightly so. On the standard consumer plans (Free and Plus), OpenAI may use your conversations to train and improve its models — unless you turn that off. You can disable it in Settings → Data Controls, and we strongly recommend every business user does so immediately.
The picture is better on business products:
- ChatGPT Team, Enterprise, and the API do not train on your business data by default. This is the single biggest reason to move staff off personal accounts and onto a business plan.
If your team is using free personal ChatGPT accounts with training left on, and they’re pasting in anything containing personal data, that’s the highest-risk configuration — and the one to fix first.
The Three Scenarios, Compared
How compliant ChatGPT is depends almost entirely on which version your team uses:
| Plan | Data residency | Trains on your data? | DPA available? | Suitable for personal data? |
|---|---|---|---|---|
| Free / Plus (consumer) | US | Yes, unless disabled | Limited | Not recommended |
| Team | US | No | Yes | With care |
| Enterprise | US or EU residency | No | Yes | Yes, properly configured |
| API | US (configurable) | No | Yes | Yes, properly configured |
The takeaway is stark: the version most employees reach for by default — a free personal account — is the least suitable for anything involving personal data. The business tiers are where compliant use actually becomes practical.
Do You Need a DPA?
Yes. If ChatGPT is processing personal data on your behalf, Article 28 of the UK GDPR requires a written contract (a data processing agreement) between your organisation as controller and OpenAI as processor, covering the subject matter, duration, nature and purpose of the processing, the security measures applied, sub-processors, and what happens to the data at the end. OpenAI makes a DPA available for its business products. A personal Plus subscription used for work sits in an awkward grey area here: the contract is between OpenAI and the individual employee, not your organisation. That is another reason to formalise on Team or Enterprise.
What the ICO Expects
The UK’s data-protection regulator, the Information Commissioner’s Office (ICO), has been clear that existing data-protection law applies fully to generative AI — there’s no special exemption simply because a tool is “AI.” Its guidance for organisations stresses a few themes worth internalising.
First, accountability sits with you, not the vendor. If your staff put personal data into ChatGPT, your organisation is the data controller and is responsible for that processing, regardless of what OpenAI does at its end. You can’t outsource the obligation along with the task.
Second, the ICO expects a lawful basis identified before processing begins, not retrofitted afterwards. For most business use that will be legitimate interests or, occasionally, consent — but you must document which and why.
Third, it emphasises transparency and DPIAs for novel or high-risk processing. Feeding customer data into a new US-hosted AI system is exactly the kind of activity the ICO would expect to see assessed in a Data Protection Impact Assessment.
Finally, the ICO repeatedly highlights data minimisation and purpose limitation: don’t input more personal data than the task needs, and don’t let a tool adopted for one purpose quietly creep into others. None of this is unique to ChatGPT — it’s the same standard you’d apply to any processor — but the ease of pasting data into a chatbot makes it unusually easy to forget.
A Practical Compliance Checklist
If your UK organisation wants to use ChatGPT responsibly, work through this:
- Move staff off personal accounts onto ChatGPT Team or Enterprise, where your data isn’t used for training and a DPA is available.
- Disable model training on any consumer accounts still in use (Settings → Data Controls).
- Sign OpenAI’s DPA and check which international-transfer mechanism it relies on.
- Consider Enterprise for EU data residency if your data-protection policy requires data to stay in Europe.
- Write an acceptable-use policy telling staff what they may and may not paste in — and specifically forbidding special-category data (health, biometric, ethnicity, sexual orientation, etc.), criminal-offence data, and customers’ personal data unless a DPIA says otherwise.
- Run a DPIA (Data Protection Impact Assessment) for any significant or high-risk use. The ICO expects this for novel or large-scale processing.
- Update your privacy notice so the people whose data you process know AI tools are involved.
- Minimise by default — anonymise or pseudonymise data before it goes anywhere near the tool wherever you can. Be precise about which you are doing: pseudonymised data (identifiers swapped for tokens, with the key kept separately) is still personal data under the UK GDPR, so it reduces the impact of a leak but does not take the processing out of scope; only genuinely anonymised data, which can no longer be linked back to an individual, does that.
The golden rule that sits above all of this: if you wouldn’t email it to an external contractor without a contract in place, don’t paste it into a consumer AI account.
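As an added example, not code from the original article or from OpenAI, here is a small pseudonymisation pre-processor in Python that implements the "minimise by default" step above and the redaction the "pasting whole documents" mistake calls for. It swaps structured UK identifiers (email addresses, mobile numbers, National Insurance numbers, postcodes) for stable tokens before text is sent to the tool, keeps the token-to-value map locally so the model's reply can be re-identified, and includes a pre-send check that nothing the patterns recognise is left. The regular expressions, the token format and the sample meeting note are illustrative assumptions; the patterns do not catch free-text names such as "Jane Smith", which still need a human eye or a proper named-entity step.

```python
import re

# Constructed sample input for the demo: a fictitious person and contact details,
# not real customer data. The 07700 900xxx range and example.co.uk are reserved
# for documentation use.
SAMPLE_NOTE = (
    "Meeting with Jane Smith (jane.smith@example.co.uk, 07700 900123).\n"
    "NI number QQ 12 34 56 C. Postcode SW1A 1AA. "
    "Follow up with jane.smith@example.co.uk next week."
)

# Loose patterns for common UK direct identifiers (assumed for illustration).
# Order matters: the NI number pattern runs first so its digit groups are not
# later mistaken for part of a phone number. They are deliberately permissive,
# because here a false positive costs a stray token while a false negative
# leaks personal data.
PATTERNS = [
    ("UK_NINO", re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")),
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("UK_PHONE", re.compile(r"(?:\+44\s?7\d{3}|\b07\d{3})\s?\d{3}\s?\d{3}\b")),
    ("UK_POSTCODE", re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")),
]


class Pseudonymiser:
    """Swap direct identifiers for stable tokens before text leaves the organisation.

    The token-to-value map never leaves this process: it is the "additional
    information kept separately" that the UK GDPR definition of pseudonymisation
    (Article 4(5)) relies on. The output is still personal data, so the rest of
    the checklist still applies, but far less reaches the AI vendor.
    """

    def __init__(self):
        self._forward = {}  # (kind, whitespace-stripped value) -> token
        self._reverse = {}  # token -> value as first seen
        self._counts = {}   # kind -> running token number

    def _token_for(self, kind, value):
        # "QQ123456C" and "QQ 12 34 56 C" should share one token.
        key = (kind, re.sub(r"\s+", "", value))
        token = self._forward.get(key)
        if token is None:
            self._counts[kind] = self._counts.get(kind, 0) + 1
            token = f"[{kind}_{self._counts[kind]}]"
            self._forward[key] = token
            self._reverse[token] = value
        return token

    def pseudonymise(self, text):
        """Return text with every matched identifier replaced by its token."""
        for kind, pattern in PATTERNS:
            text = pattern.sub(lambda m, k=kind: self._token_for(k, m.group(0)), text)
        return text

    def reidentify(self, text):
        """Put the real values back into a reply that came back from the model."""
        for token, value in self._reverse.items():
            text = text.replace(token, value)
        return text

    def mapping(self):
        """Copy of the local token map, e.g. for the DPIA record of what was withheld."""
        return dict(self._reverse)


def residual_identifiers(text):
    """Pre-send check: everything the patterns still match. An empty list is the goal."""
    return [(kind, m.group(0)) for kind, pattern in PATTERNS for m in pattern.finditer(text)]


if __name__ == "__main__":
    p = Pseudonymiser()
    safe = p.pseudonymise(SAMPLE_NOTE)
    print("Sent to the model:\n" + safe)
    print("Residual identifiers:", residual_identifiers(safe))
    # Simulated model reply (constructed), re-identified locally before use.
    print(p.reidentify("Email [EMAIL_1] to confirm [UK_NINO_1] was checked."))
```

The leak check is the part worth keeping even if you replace the patterns with a commercial PII detector: run it on the exact string that will be sent, not on the original document, so a missed identifier fails closed before the paste rather than after.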
Common Mistakes UK Businesses Make
A few patterns come up again and again when we talk to UK teams:
- Shadow AI use — staff using personal accounts the business doesn’t know about, with no policy and training switched on by default.
- Pasting whole documents — uploading an entire contract or spreadsheet when only a small, redacted section was actually needed.
- Assuming “Plus” is a business plan — a paid Plus subscription is still a consumer product; it isn’t the same as Team or Enterprise for compliance purposes.
- No written staff policy — relying on common sense instead of a clear, communicated acceptable-use policy that names what may and may not be entered.
Fixing these is mostly about governance, not technology — and it’s far cheaper than a regulatory fine or a breach.
How Other AI Tools Compare on Data
ChatGPT isn’t uniquely risky — every US-hosted AI tool raises the same questions — but the answers differ, and that’s worth knowing when you build your stack:
- Claude (Anthropic) had for a long time a better privacy default than consumer ChatGPT, but Anthropic now asks consumer users (Free, Pro, Max) to choose whether their chats may be used for training, so check the privacy setting on each account rather than assuming. Its commercial plans (Team, Enterprise, API) do not train on your data. Data is still processed in the US, with no EU residency on standard plans.
- Notion AI offers EU data residency on Business and Enterprise plans — useful if you store personal data in Notion.
- Tabnine can run entirely on your own infrastructure, giving full data sovereignty — the strongest possible GDPR position for a coding assistant.
- Perplexity states it doesn’t use search queries to train models, though data is processed in the US.
For more on choosing tools with British English and UK-appropriate data handling, see our guide to the best AI writing tools for UK content teams.
Frequently Asked Questions
Is ChatGPT banned under GDPR? No. There’s no ban. The UK GDPR doesn’t prohibit US-hosted tools; it requires you to use them lawfully — with a transfer safeguard, a DPA where personal data is involved, and sensible internal controls.
Can I use the free version of ChatGPT for work? You can, but it’s the riskiest option for anything involving personal data. At minimum, disable training. For regular business use involving personal data, move to Team or Enterprise.
Does ChatGPT Enterprise solve the GDPR issue? It solves much of it — no training on your data, a DPA, and optional EU data residency — but you still need your own lawful basis, transparency, and (for high-risk use) a DPIA. The tool can be compliant; how you use it still matters.
What’s the single most important thing to do? Stop staff pasting personal or confidential data into free personal accounts with training enabled. Fixing that one behaviour removes most of the risk immediately.
Final Thoughts
ChatGPT is not “GDPR compliant” or “non-compliant” as a binary — compliance is a property of how you deploy it. Used thoughtfully, on the right plan, with training disabled, a DPA in place, and a clear staff policy, a UK business can use ChatGPT lawfully and productively. Used carelessly, on free accounts with sensitive data, it’s a genuine liability.
If you’d like help assessing AI tools against your organisation’s data-protection requirements, get in touch — we help UK teams build an AI stack they can actually defend.
Last updated: 29 May 2026. This article is general information, not legal advice. Always confirm your position with your DPO or a data-protection professional. See our editorial standards.