Guide · Trust & Data
Is AI Safe to Use With My Business Data?
The short version: yes — if you choose the right version of the tools and follow a few simple rules. The real risk isn't science fiction; it's a well-meaning member of staff pasting a customer's personal details into a free chatbot. Business versions of the major AI tools keep your data out of their training and come with proper contracts. Know the difference, set three or four house rules, and you're in good shape.
01 Why this worry is the right one to have
When we talk to small business owners about AI, data safety is the most common reason for holding back — and honestly, that instinct is healthy. Your customer list, your pricing, your staff records and your financials are some of the most valuable things you own. Being careful about where they go isn't technophobia; it's good business.
The good news is that "is AI safe?" has a clear, practical answer once you understand one thing: not all versions of these tools handle your data the same way.
02 Where your data actually goes
When you type something into an AI tool, your text travels to the provider's servers, the AI produces a response, and the response comes back. The question that matters is: what happens to your text afterwards? There are broadly three answers:
- Free consumer tools may keep your conversations and, depending on the provider and your settings, use them to improve (train) future versions of the AI. An opt-out toggle in the settings is better than nothing, but a setting is not a contract. Once your text has gone into training, you can't pull it back out. This is the version most people are using, and it's the one to be careful with.
- Business and enterprise versions of the same tools work differently: the providers commit contractually that your data is not used for training, conversations can be retained briefly or not at all, and you get a proper data processing agreement — the paperwork GDPR expects when someone handles data on your behalf.
- Tools built into software you already pay for (Microsoft 365 Copilot is the obvious example) generally inherit the data protections of your existing business subscription. It is still worth confirming that the AI feature is covered by the same terms rather than assuming it.
So the same brand name can be perfectly fine or genuinely risky, depending on which door you walked in through.
03 What UK GDPR actually expects of you
UK GDPR doesn't mention AI by name (though its rules on automated decision-making still bite if you let a tool make decisions about people on its own). What it regulates is personal data: anything that can identify a living person. Names, email addresses, phone numbers, addresses, staff details. If you put personal data into an AI tool, GDPR applies, exactly as it would if you put it into any other software.
In practice that means:
- You stay responsible. You're the data controller, and a business-tier provider working under a data processing agreement is a processor acting on your behalf. A free consumer tool that keeps your conversations for its own purposes is not simply acting on your behalf, which is one more reason it is the wrong door. Either way, "the AI did it" is not a defence.
- You need a lawful basis — usually the same legitimate-interest reasoning that covers your existing use of email and office software, provided the tool is contractually sound.
- You need a data processing agreement with the provider. Business tiers include one; free consumer tiers generally don't.
- Be transparent. If AI becomes part of how you process customer data, your privacy policy should say so in plain terms.
None of this is harder than what you already do for email, accounting software or cloud storage. It's the same discipline applied to a new tool.
04 The house rules we recommend
For most small businesses, safe AI use comes down to four rules you can write on a single page and share with your team:
- No personal data in free tools. Customer names, contact details, staff records, anything identifying — these only go into business-tier tools with a data processing agreement, or they don't go in at all.
- Anonymise when you can. "Draft a polite payment reminder for an overdue invoice" works just as well without the customer's name in it. Strip identifying details, add them back yourself afterwards, and read over what's left before sending: a snippet can still point to a person without naming them (an unusual job title at a three-person firm, for instance).
- Treat commercially sensitive material the same way. Pricing models, contracts, anything covered by an NDA — business tiers or nothing.
- A human checks anything that leaves the building. This is as much about accuracy as privacy — AI output is a draft, not a verdict.
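A worked version of the strip-and-restore step, added here as an illustration and not part of the original guide. It takes a list of known customer names (a hypothetical stand-in for whatever your CRM exports) plus regular expressions for email addresses and UK-style phone numbers, swaps each for a numbered placeholder, keeps the mapping on your own machine, and puts the originals back once the draft comes out of the tool. The note it runs on is made up.

```python
import re
from dataclasses import dataclass

# Constructed sample: an internal note about an overdue invoice. People and numbers are made up.
SAMPLE_NOTE = (
    "Chase Priya Natarajan at priya.natarajan@example.co.uk about invoice 4471. "
    "Her mobile is 07700 900123. She said to copy in Tom Okafor (tom@example.org)."
)

# Hypothetical known-customer list; in practice this would come from your CRM export.
KNOWN_NAMES = ["Priya Natarajan", "Tom Okafor"]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UK-style numbers: 07700 900123, 020 7946 0958, +44 7700 900123. The lookarounds stop it
# grabbing part of a longer digit run such as an invoice or account number.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+44\s?\d{2,4}|\(?0\d{2,4}\)?)[\s-]?\d{3,4}[\s-]?\d{3,4}(?!\d)"
)


@dataclass
class Redaction:
    text: str      # what is safe to paste into the tool
    mapping: dict  # placeholder -> original; this stays on your machine


def redact(text, names=()):
    """Replace known names, email addresses and phone numbers with numbered placeholders."""
    mapping = {}
    counters = {"NAME": 0, "EMAIL": 0, "PHONE": 0}

    def placeholder(kind, original):
        # Reuse the placeholder if the same value has already been seen.
        for ph, val in mapping.items():
            if val == original and ph.startswith("[" + kind + "_"):
                return ph
        counters[kind] += 1
        ph = "[%s_%d]" % (kind, counters[kind])
        mapping[ph] = original
        return ph

    # Longest names first so a full name is taken before any shorter name contained in it.
    for name in sorted(names, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b",
                      lambda m: placeholder("NAME", m.group(0)), text)
    text = EMAIL_RE.sub(lambda m: placeholder("EMAIL", m.group(0)), text)
    text = PHONE_RE.sub(lambda m: placeholder("PHONE", m.group(0)), text)
    return Redaction(text, mapping)


def has_residual_contact_details(text):
    """Last check before pasting: does anything that looks like an email or phone remain?"""
    return bool(EMAIL_RE.search(text) or PHONE_RE.search(text))


def restore(text, mapping):
    """Put the originals back into the tool's output. Longest placeholders first so
    [NAME_10] is not partly overwritten by [NAME_1]."""
    for ph in sorted(mapping, key=len, reverse=True):
        text = text.replace(ph, mapping[ph])
    return text


if __name__ == "__main__":
    r = redact(SAMPLE_NOTE, KNOWN_NAMES)
    print("Send this:   ", r.text)
    print("Keep locally:", r.mapping)
    # The tool's reply comes back carrying the same placeholders; restore() fills them in.
    print("Restored:    ", restore(r.text, r.mapping))
```

Two things the example makes visible. The mapping never leaves your machine, so the provider only ever sees "[NAME_1]". And the name filter only catches names it has been told about: the final check will flag a leftover email or phone number, but a person it has never heard of sails straight through, which is why a human still reads the redacted text before it is pasted anywhere.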
If your team uses AI at all, write these down and make them policy. Many data incidents aren't caused by hackers; they're caused by nobody ever saying what the rules were.
05 For the especially cautious
Some businesses, in law, medicine or finance for instance, handle data sensitive enough that even contractual reassurance feels thin. There are options: AI models can now run entirely on your own hardware, so data never leaves your premises (the models that run comfortably on ordinary office kit are smaller and less capable than the big hosted ones, but good enough for plenty of drafting and summarising), and UK/EU-hosted services exist for those who want their data kept closer to home. These setups take more effort, but "we can't use AI because of our data" is rarely true any more; it's a question of choosing the right architecture.
06 The bottom line
AI tools are no more inherently dangerous than email or cloud storage — and like both of those, the safety comes from using the right version with the right habits. The businesses that get this wrong are almost never the careful ones; they're the ones who never thought about it at all. Reading this guide already puts you ahead.
Want your AI use set up safely from day one?
We help small businesses choose the right tools, put sensible data rules in place, and train teams to use AI confidently and carefully — from hands-on AI training to custom automations built with data protection in mind.
Get in touch →