Digital Scientists®

AI Data Sovereignty

When you share business data with AI,
where does it actually go?

Most businesses using AI tools haven't asked this question carefully enough. Which country does the AI platform operate from? Who has access to the data you send it? What do their terms of service say about using your data to train future models? And does any of this put you in breach of UK GDPR?

The core issue

ChatGPT, Claude and Gemini are products of US companies. That matters for UK data.

OpenAI (ChatGPT), Anthropic (Claude) and Google (Gemini) are all US-headquartered companies. When you send data to their AI platforms, even via API, it is processed by a provider subject to US jurisdiction and US law, whichever region the servers happen to sit in.

This creates several categories of risk for UK businesses:

01

UK GDPR third country transfers

UK GDPR restricts transfers of personal data outside the UK unless the destination is covered by UK adequacy regulations or appropriate safeguards are in place. The US has no blanket adequacy: the Schrems II ruling struck down the earlier Privacy Shield, and the UK-US data bridge (in force since October 2023) covers only US organisations certified under the Data Privacy Framework. For any other US recipient you need a transfer mechanism, normally the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (or Binding Corporate Rules within a group), together with a documented transfer risk assessment. Sending customer data to a US AI platform without one of these may constitute an unlawful transfer.

02

US CLOUD Act

The Clarifying Lawful Overseas Use of Data Act allows US law enforcement, with a warrant or court order, to compel providers subject to US jurisdiction to hand over data in their possession, even if that data belongs to foreign nationals or is stored outside the US. Data you send to US AI platforms can be subject to this, and choosing an EU hosting region does not change it: the provider, not the server, is what US law reaches.

03

Training data usage

Many AI platforms' standard terms of service, particularly on consumer plans, include rights to use submitted data to train or improve their models. That may mean your proprietary business data, client information or confidential communications become part of a training dataset, and fragments of it can be memorised by the model and reproduced in its outputs to other users.

04

Sector-specific compliance

For businesses in financial services, healthcare, legal or other regulated sectors, the requirements are even stricter. Sending client data to an external AI platform without specific contractual protections can breach FCA, CQC, SRA and other regulatory obligations.

⚠️

This isn't just theoretical

The ICO has published guidance on using generative AI tools under UK GDPR and is actively monitoring compliance. Fines for unlawful data transfers can reach £17.5 million or 4% of annual global turnover, whichever is higher.

More practically: the business risk of confidential data leaking into AI training datasets — and potentially resurfacing in a competitor's AI output — is real and growing.

£17.5m: maximum ICO fine for a UK GDPR breach
4%: of global annual turnover, if higher than £17.5m
3rd: the US is a third country under UK GDPR, so every transfer to a US AI platform needs a lawful transfer mechanism (data bridge certification, IDTA or UK Addendum)

What sovereignty actually means

The spectrum from "total exposure" to "full data sovereignty".

Not all AI tools carry the same level of risk. Where your chosen AI sits on this spectrum determines your exposure.

For each platform type: data location, jurisdiction, training risk and UK GDPR risk.

Consumer ChatGPT / Claude / Gemini
  • Data location: US servers
  • Jurisdiction: US law
  • Training risk: High (default consumer terms allow training use)
  • UK GDPR risk: High

Enterprise ChatGPT / Claude API (with DPA)
  • Data location: US servers (some EU regions available)
  • Jurisdiction: US law; transfer covered by IDTA / UK Addendum or data bridge certification
  • Training risk: Lower (enterprise agreements typically exclude training)
  • UK GDPR risk: Medium

EU/UK-hosted open-source LLM (e.g. Mistral via an EU host)
  • Data location: EU/UK servers
  • Jurisdiction: EU/UK law
  • Training risk: Low (self-hosted or EU host)
  • UK GDPR risk: Low

Zoho Zia (within the Zoho ecosystem)
  • Data location: Zoho's own data centres (EU data centre option)
  • Jurisdiction: Zoho's data policies; Zoho is privately held, but which law applies depends on the Zoho contracting entity and data centre region you select, so check your contract
  • Training risk: Minimal (Zia operates on your own Zoho account data only)
  • UK GDPR risk: Low

Self-hosted LLM (on-premise or private cloud)
  • Data location: Your own infrastructure
  • Jurisdiction: Your jurisdiction
  • Training risk: None (you control the model)
  • UK GDPR risk: Minimal

The Zoho difference

Why Zoho's approach to AI is fundamentally different to OpenAI's.

Most major software platforms have bolted AI onto their products by integrating OpenAI or another US AI provider via API. When you use "AI features" in these tools, your data is being sent out of the platform to a US AI service — even if you didn't know that was happening.

Zoho took a different approach. They built their own AI — Zia (Zoho Intelligent Assistant) — from the ground up, running entirely within the Zoho technology stack. Zoho owns and operates all its own infrastructure: its own data centres, its own security stack, its own AI models.

Critically, Zoho is a privately held, bootstrapped company. It is not publicly traded and has not taken venture capital, so there is no investor pressure to monetise customer data, and it has publicly committed to never selling customer data. The company's founder, Sridhar Vembu, has been vocal about building technology that respects user privacy over advertising or data revenue models.

What Zia does inside Zoho

🔍

CRM Intelligence

Analyses your sales pipeline, suggests next actions, scores leads and flags anomalies — all from within your Zoho CRM data without sending it elsewhere.

✍️

Email & Communication AI

Drafts emails, suggests responses and summarises email threads — using the context of the conversation in Zoho Mail and CRM, not an external AI.

📊

Analytics & Forecasting

Interprets your Zoho Analytics dashboards, surfaces trends and generates narrative summaries from your own data.

💬

Support AI

Powers intelligent responses in Zoho Desk using your knowledge base and customer history — your data stays in Zoho.

🤖

Workflow AI

Automates complex multi-step processes within Zoho Creator and CRM — again, no data leaves the ecosystem.

OpenAI / ChatGPT

  • US company (Delaware incorporated)
  • Subject to US CLOUD Act
  • Consumer plan terms allow training on your conversations by default (opt-out available in settings)
  • Data processed on US infrastructure by default
  • Backed by Microsoft, which also supplies much of its cloud infrastructure
  • No UK/EU data residency guarantee on standard plans

OpenAI Enterprise

  • US company — jurisdiction unchanged
  • Data processing agreement available
  • Training use excluded by contract
  • EU data residency available on some plans
  • Still subject to US CLOUD Act
  • Significant per-seat cost

Zoho + Zia

  • Privately held and bootstrapped: no external investors pushing data monetisation
  • AI runs within your own Zoho account data
  • EU data centre option available
  • GDPR-compliant processing by design
  • No third-party AI API exposure by default
  • Built into tools you're probably already using

Choosing the right AI

A practical framework for AI tool selection under UK GDPR.

1

Classify your data first

Before choosing an AI tool, understand what data you'll be putting into it. Is it personal data under UK GDPR? Is it commercially sensitive? Is it subject to sector-specific regulation (FCA, SRA, CQC)? The classification determines the level of protection required.

Questions to ask:
  • Will you input customer names, emails or personal details?
  • Does the data include financial or health information?
  • Is any of it subject to professional confidentiality obligations?
  • Could any of it give competitors a meaningful advantage if leaked?
2

Audit the AI platform's legal basis

For any AI tool you're considering, find out: where is the company incorporated? Where is data processed? Do they have a Data Processing Agreement you can sign? What does their ToS say about training data use?

Questions to ask:
  • Is there a DPA available — and have you actually signed it?
  • Where are servers physically located?
  • What's their Sub-processor list?
  • What happens to your data if you close your account?
3

Assess transfer risk

If data is going to a third country (e.g. the US), you need a lawful transfer mechanism. Under UK GDPR that is normally the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, unless the recipient is certified under the UK-US data bridge. The IDTA and the Addendum both require a documented transfer risk assessment (the ICO's TRA, the UK equivalent of the EU transfer impact assessment), completed before the data starts flowing.

Questions to ask:
  • Have you completed and recorded a transfer risk assessment?
  • Has the IDTA or UK Addendum been incorporated into your DPA, or is the provider certified under the UK-US data bridge?
  • Is your Data Protection Officer (or equivalent) aware?
  • Have you updated your privacy policy to disclose this processing?
4

Consider sovereign alternatives

For many business AI use cases there are sovereign or near-sovereign alternatives that provide comparable capability without the transfer risk: Zoho Zia for CRM, email and analytics AI; EU-hosted open-source models for specific tasks; UK AI providers for regulated sectors.

Questions to ask:
  • Can Zoho Zia provide the AI capability you need?
  • Is there an EU/UK-based AI provider in your sector?
  • Could a self-hosted open-source model serve this use case?
  • What's the cost-benefit of enterprise licensing vs. a sovereign alternative?
5

Document your decisions

Whatever you choose, document it. Under UK GDPR's accountability principle, you must be able to demonstrate that you made informed decisions about data processing. A brief record of the assessment, the tool, the transfer mechanism and the business justification protects you if the ICO comes knocking.

Questions to ask:
  • Is this in your Record of Processing Activities (RoPA)?
  • Have you done a Data Protection Impact Assessment (DPIA) if required?
  • Are staff trained on what data they can and can't input into AI tools?
  • Is there an AI use policy in place?
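Steps 1, 4 and 5 above can be enforced in code rather than left to staff training alone. The following is an added example, not code from Digital Scientists or from any AI vendor: a pre-send gate that scans a prompt for common UK personal-data identifiers, applies a hypothetical routing policy (block categories that must never leave your estate, send untouched to a tool covered by a signed DPA, redact before sending to a consumer tool), and writes a JSON accountability record for your RoPA. The regex patterns, the NEVER_EXPORT categories and the sample prompts are all constructed assumptions for illustration; names are not detected (that needs NER), and the patterns are deliberately broad because a false positive is cheap here and a false negative is not.

```python
"""Pre-send gate for prompts bound for an external AI API.

Classifies a prompt for common UK personal-data identifiers, applies a
simple routing policy, and emits a JSON accountability record. Patterns and
policy are illustrative assumptions, not a vendor API or an ICO-endorsed list.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Identifiers that are personal data under UK GDPR. Constructed for this
# example: deliberately broad, and names are not covered (that needs NER).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "uk_mobile": re.compile(r"(?:\+44\s?7|\b07)\d{3}\s?\d{6}\b"),
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.I),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

# Categories that never leave the estate, whatever the provider's contract
# says (hypothetical policy choice: payment card data and NI numbers).
NEVER_EXPORT = {"card_number", "uk_ni_number"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops long numbers (order IDs, timestamps) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(prompt: str) -> dict:
    """Return {category: [matched strings]} for every identifier found."""
    findings = {}
    for category, rx in PATTERNS.items():
        for m in rx.finditer(prompt):
            if category == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            findings.setdefault(category, []).append(m.group())
    return findings


@dataclass
class Decision:
    route: str      # "external", "external_redacted" or "block"
    prompt: str     # what may actually be sent (empty when blocked)
    findings: dict  # category -> count; never the matched values themselves


def decide(prompt: str, has_dpa: bool) -> Decision:
    """Apply the routing policy.

    has_dpa: True when the target tool is covered by a signed DPA and a
    transfer mechanism, False for a consumer tool with no contract.
    """
    found = classify(prompt)
    counts = {k: len(v) for k, v in found.items()}
    if NEVER_EXPORT.intersection(found):
        return Decision("block", "", counts)
    if not found or has_dpa:
        return Decision("external", prompt, counts)
    # Consumer tool, no DPA: enforce "no personal data in consumer AI tools"
    # by replacing each identifier with a placeholder before anything leaves.
    redacted = prompt
    for category, hits in found.items():
        for n, hit in enumerate(dict.fromkeys(hits), start=1):
            redacted = redacted.replace(hit, f"[{category.upper()}_{n}]")
    return Decision("external_redacted", redacted, counts)


def accountability_record(tool: str, decision: Decision) -> str:
    """One JSON line per gated prompt: evidence for the RoPA and any ICO enquiry."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "tool": tool,
        "route": decision.route,
        "categories": decision.findings,  # counts only, no personal data in the log
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample prompts; every identifier is a dummy value.
    samples = [
        ("consumer-chatgpt", False,
         "Summarise this complaint from jane.doe@example.co.uk, 07700 900123, SW1A 1AA"),
        ("enterprise-api", True, "Charge card 4111 1111 1111 1111 for order 42"),
        ("consumer-chatgpt", False, "Draft a polite reminder about our Q3 roadmap"),
    ]
    for tool, has_dpa, text in samples:
        d = decide(text, has_dpa)
        print(accountability_record(tool, d))
        print("  send:", repr(d.prompt))
```

The record deliberately stores category counts rather than the matched values, so the audit trail does not itself become a store of personal data. In a real deployment the gate would sit in the proxy or integration layer that all AI traffic passes through, and `has_dpa` would come from an allow-list of contracted tools rather than a call-site argument.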

Common questions

AI data sovereignty — the questions we get asked most.

Can I use ChatGPT for work if I don't put customer data into it?

Yes, with care. Using ChatGPT for drafting generic communications, brainstorming ideas or processing publicly available information carries much lower risk. The concern arises when personal data (customer names, emails, addresses), commercially confidential information or regulated data enters the prompt. Many businesses have a blanket 'no personal data in consumer AI tools' policy as the simplest way to manage this.

Does the Enterprise version of ChatGPT or Claude solve the problem?

It significantly reduces the training data risk — enterprise agreements typically include a DPA that excludes your data from training use. But it doesn't change the jurisdiction question: data is still processed by a US company subject to US law including the CLOUD Act. For most business use cases this is an acceptable risk with appropriate documentation. For highly regulated sectors or sensitive data, additional measures are needed.

Is Zoho GDPR compliant?

Zoho provides the processor-side building blocks: GDPR compliance documentation, a Data Processing Agreement you can sign, and EU/UK data centre options. Compliance itself is a property of your processing, not of the vendor, so you still need a lawful basis, the signed DPA and, where required, a DPIA. As a privately held company, Zoho's business model is subscription revenue rather than data monetisation, which aligns its interests with protecting customer data. Its exposure to US legal process depends on which Zoho entity you contract with and which data centre region you choose, so confirm both in your contract rather than assuming it is beyond the reach of the US CLOUD Act.

What's a DPIA and do I need one for AI?

A Data Protection Impact Assessment is a UK GDPR requirement for processing that is 'likely to result in a high risk' to individuals. AI tools that process personal data at scale, use automated decision-making or introduce new technologies are often in scope for a DPIA. The ICO's guidance specifically addresses AI. We can help you determine whether a DPIA is required and complete it if so.

Can I build AI that uses my data without any of these risks?

Yes, for the transfer risk: a self-hosted or sovereign deployment takes third-country transfers out of the picture, although you then own the security of the model, the host and the data it is allowed to reach. This typically involves deploying an open-source language model on your own infrastructure (or a UK/EU cloud host), connecting it to your business data through a controlled integration, and keeping all processing within your control. The cost has come down significantly as open-source models have improved. We build these solutions.

The cost of inaction

What using US AI platforms without oversight could cost you

Most businesses using AI tools have never audited what data is going in, where it's going, or whether they have a lawful basis for it. That's not a theoretical risk — it's the kind of gap the ICO investigates.

💷

Financial risk

UK GDPR fines reach £17.5 million or 4% of global annual turnover, whichever is higher, so the statutory cap applies even to a small business. In practice the ICO scales penalties to turnover and seriousness, and for a business turning over £2m the 4% figure (£80,000) is the more realistic marker for a serious breach. But the bigger cost is often operational: regulatory investigation, legal fees, customer notification requirements and reputational damage far exceed the fine itself.

Fines up to £17.5m or 4% of global turnover
📉

Procurement & competitive risk

Enterprise and public sector clients are increasingly requiring suppliers to demonstrate compliant AI use as a condition of contract. Businesses without a documented AI governance position are losing procurement opportunities to competitors that can evidence their data handling. AI compliance is becoming a commercial requirement, not just a legal one.

AI governance is now a procurement requirement

Want AI that works for your business without putting your data at risk?

Book a free discovery call. We'll assess your current AI tool usage, identify any compliance gaps, and show you what a sovereign AI strategy could look like for your business.