Most UK businesses using AI tools haven’t asked a question they should be asking: where is my data going, and is it legal for it to go there?
When an employee types a client’s name, a proposal summary or a support conversation into ChatGPT, Claude, or another US-hosted AI platform, that data leaves the UK. It’s processed on American servers, potentially subject to US surveillance laws, and stored in ways that may conflict with your obligations under UK GDPR.
This isn’t a theoretical risk. It’s the kind of compliance gap that creates ICO exposure — and it’s happening inside businesses across the UK every day.
What is AI Data Sovereignty?
AI data sovereignty is the principle that the data you feed into AI systems — customer records, employee information, internal communications, commercial contracts — should be processed and stored within legal boundaries that protect the people that data relates to.
For UK businesses, this primarily means:
- UK GDPR obligations around lawful processing and transfer of personal data
- Third-country (restricted) transfer rules under Chapter V of UK GDPR (Articles 44 to 49) when personal data leaves the UK
- Contractual and sector-specific requirements from clients, regulators and professional bodies
The problem with US AI platforms
The most widely used AI tools — OpenAI’s ChatGPT, Microsoft Copilot (powered by OpenAI), Google Gemini — are operated by US companies subject to US law. This creates several issues for UK data:
Third-country transfers
Under UK GDPR, transferring personal data to a country outside the UK requires either an adequacy decision, appropriate safeguards (such as the ICO's International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, normally backed by a transfer risk assessment), or one of the narrow derogations in Article 49.
The UK has made no general adequacy decision covering the US. The UK-US data bridge (the UK extension to the EU-US Data Privacy Framework, in force since 12 October 2023) provides some coverage, but it applies only to US organisations that have self-certified under it, and it has limitations for special category data and for onward transfers to sub-processors.
When you use a US AI platform, you need to be confident that an appropriate transfer mechanism is in place and that you’ve documented it. Most businesses haven’t done this.
US surveillance laws
Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 give US intelligence agencies broad access to data held by US companies, including data about non-US persons. These provisions were at the centre of the CJEU's Schrems II ruling (2020), and they continue to concern data protection regulators.
Data about your clients, employees or business operations could in principle be accessed by US government agencies under these provisions. For businesses in regulated sectors — legal, financial services, healthcare — this is particularly problematic.
AI training data
Several AI providers have faced questions about whether user inputs are used to train their models. Policies vary, and enterprise tiers typically provide stronger protections — but many businesses are using consumer or SME tiers where data handling is less certain.
What types of data are most at risk?
The highest-risk data inputs to watch for:
- Customer names, contact details, addresses — personal data under UK GDPR
- Health or medical information — special category data, which needs a separate Article 9 condition on top of a lawful basis (explicit consent is one such condition, not the only one)
- Financial data — subject to sector-specific rules on top of UK GDPR (for example PCI DSS for payment card data, and FCA outsourcing requirements for regulated firms)
- Employee records — personal data with additional employment law considerations
- Legal documents and contracts — may contain privileged or confidential information
- Business strategy and IP — confidentiality risk beyond data protection
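The list above is only useful if someone, or something, checks prompts against it before they leave the building. The following is an added example, not code from the original article or from Digital Scientists: a pre-submission check that scans text for a few identifier types that mark a prompt as containing UK personal data (email address, UK mobile number, UK postcode, NHS number with its modulus 11 check digit), redacts them, and applies a routing policy. The regex set, the tiering of NHS numbers as special category data and the three-way policy (allow, route to a UK/EEA-hosted model, block) are assumptions for illustration; a real gateway needs a wider identifier catalogue and a policy agreed with your DPO.

```python
"""Pre-submission check for text about to be sent to an AI tool.

Added example, not part of the original article. The pattern set and the
routing policy are illustrative assumptions.
"""
import re

# Regexes for identifiers that mark a prompt as containing UK personal data.
# Constructed for this example; they favour recall over precision.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_mobile": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})[ -]?\d{3}[ -]?\d{3}(?!\d)"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.IGNORECASE),
    "nhs_number": re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{4}(?!\d)"),
}

# Health identifiers point to special category data (UK GDPR Article 9), so
# they sit in the highest tier. Everything else here is ordinary personal data.
SPECIAL_CATEGORY = {"nhs_number"}


def nhs_number_valid(candidate: str) -> bool:
    """Modulus 11 check digit used by NHS numbers (England and Wales).

    Weights 10..2 over the first nine digits; check = 11 - (sum % 11),
    with 11 meaning 0 and 10 meaning the number is invalid.
    """
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 10:
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


def classify(text: str) -> dict:
    """Return {identifier_kind: [matched strings]} for everything found."""
    findings = {}
    for kind, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if kind == "nhs_number":
            # A 10-digit run only counts as an NHS number if the checksum
            # holds; this keeps order and phone numbers out of the findings.
            hits = [h for h in hits if nhs_number_valid(h)]
        if hits:
            findings[kind] = hits
    return findings


def decide(findings: dict) -> str:
    """Routing policy (assumption): block special category data outright,
    route ordinary personal data to a UK/EEA-hosted model, and allow
    prompts with no identifiers to go to any approved tool."""
    if findings.keys() & SPECIAL_CATEGORY:
        return "block"
    if findings:
        return "route_sovereign"
    return "allow"


def redact(text: str, findings: dict) -> str:
    """Replace each matched identifier with a placeholder (data minimisation)."""
    for kind, hits in findings.items():
        for hit in hits:
            text = text.replace(hit, f"<{kind.upper()}>")
    return text


if __name__ == "__main__":
    # Constructed prompt containing all four identifier types.
    prompt = ("Draft a reply to jane.doe@example.co.uk (07700 900123, "
              "NHS number 943 476 5919), address SW1A 1AA.")
    found = classify(prompt)
    print(decide(found))
    print(redact(prompt, found))
```

The check is deliberately conservative: a false positive costs a user a redacted placeholder or a reroute to the sovereign model, whereas a false negative is an undocumented restricted transfer. Run it at a proxy or browser-extension layer in front of every AI tool, and log the decision (not the prompt) so the audit trail itself does not become another store of personal data.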
The regulatory picture
The ICO has published guidance on AI and data protection. Key principles:
- Lawful basis — you need a clear lawful basis for processing personal data in AI systems, the same as any other processing
- Data minimisation — only use what you need; don’t feed entire databases into AI tools
- Transparency — your privacy notices should reflect how data is used in AI systems
- Transfer mechanisms — document the legal basis for any international transfers
Fines for serious UK GDPR breaches reach £17.5 million or 4% of global annual turnover, whichever is higher.
The sovereign AI alternative
Sovereign AI means using AI tools and infrastructure that keep your data within the UK (or EEA), operated by providers whose legal obligations align with UK data protection law.
Practical options include:
- UK/EEA-hosted AI platforms with GDPR-compliant data processing agreements
- Private or self-hosted LLMs deployed on infrastructure you control
- Zoho’s AI platform (Zia) — Zoho operates data centres in the UK and EU, with GDPR-compliant data processing agreements and no data training on customer inputs
- On-premise AI tools for the most sensitive use cases
The right approach depends on your use cases, data sensitivity and budget. A properly structured sovereign AI setup can deliver the same productivity benefits as US platforms — without the compliance exposure.
Practical steps for UK businesses
- Audit current AI tool usage — identify what tools employees are using and what data is going in
- Classify your data — understand which inputs constitute personal data under UK GDPR
- Check transfer mechanisms — for US platforms, confirm which mechanism covers the transfer (data bridge self-certification by the provider, an IDTA, or the UK Addendum to the EU SCCs), that a transfer risk assessment exists where one is needed, and that the answer is written down
- Update privacy notices — ensure AI processing is documented and disclosed
- Consider sovereign alternatives — for high-risk use cases, evaluate UK/EU-hosted options
- Train your team — employees need to understand what data they can and can’t input into AI tools
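The first step, auditing current usage, is usually the one with the least data behind it: most businesses do not know which AI tools staff are using until they look at the proxy logs. The script below is an added example, not code from the original article or from Digital Scientists. It parses a constructed, simplified proxy log, maps hostnames to AI tools through a suffix table, and reports, per user and tool, how many requests were made and how many bytes were uploaded (a rough proxy for how much content is leaving). The log format, the sample lines and the domain-to-tool table are assumptions; adapt the parser to your proxy's real format and the table to the tools you have actually assessed.

```python
"""Audit AI tool usage from web proxy logs.

Added example, not part of the original article. The log format, sample
lines and the domain-to-tool table are assumptions for illustration.
"""
import re
from collections import defaultdict

# Hostname suffixes for common US-hosted AI services (assumed list; extend it
# with anything your own assessment covers).
AI_TOOLS = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "OpenAI API",
    "claude.ai": "Claude",
    "anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Constructed log lines: "timestamp user method host path bytes_sent".
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST chatgpt.com /backend-api/conversation 18342
2024-05-01T09:12:40Z alice GET www.bbc.co.uk /news 0
2024-05-01T09:15:11Z bob POST claude.ai /api/organizations/x/chat_conversations 9120
2024-05-01T09:16:02Z bob POST api.openai.com /v1/chat/completions 2210
2024-05-01T09:20:45Z carol GET gemini.google.com /app 0
2024-05-01T09:21:09Z carol POST gemini.google.com /_/chat/data 4011
2024-05-01T09:25:00Z alice POST chatgpt.com /backend-api/conversation 22871
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<bytes>\d+)$"
)


def tool_for_host(host: str):
    """Map a hostname to a tool name by domain-suffix match, so that
    api.openai.com matches the openai.com entry but notopenai.com does not."""
    host = host.lower()
    for suffix, tool in AI_TOOLS.items():
        if host == suffix or host.endswith("." + suffix):
            return tool
    return None


def audit(log_text: str) -> dict:
    """Return {(user, tool): {"requests": n, "uploads": n, "bytes_up": n}}.

    Uploads are POST/PUT requests; bytes_up sums their request body sizes.
    Lines that do not parse or are not AI traffic are skipped.
    """
    usage = defaultdict(lambda: {"requests": 0, "uploads": 0, "bytes_up": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tool = tool_for_host(m["host"])
        if tool is None:
            continue
        entry = usage[(m["user"], tool)]
        entry["requests"] += 1
        if m["method"] in ("POST", "PUT"):
            entry["uploads"] += 1
            entry["bytes_up"] += int(m["bytes"])
    return dict(usage)


def top_uploaders(usage: dict) -> list:
    """(user, tool, bytes_up) rows sorted by bytes uploaded, largest first."""
    return sorted(((u, t, e["bytes_up"]) for (u, t), e in usage.items()),
                  key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for user, tool, bytes_up in top_uploaders(audit(SAMPLE_LOG)):
        print(f"{user:<8} {tool:<12} {bytes_up:>8} bytes uploaded")
```

Byte counts tell you where to look first, not what was sent: pair the report with the data classification step, and treat a high-upload user on a consumer tier as a priority interview rather than a disciplinary matter, since the gap is almost always in policy and training rather than intent.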
What Digital Scientists® does
We help UK businesses adopt AI in a way that’s compliant, practical and commercially effective. This means:
- Auditing current AI usage and identifying compliance gaps
- Designing a sovereign AI stack for your specific use cases
- Implementing Zoho’s AI platform as a GDPR-compliant alternative to US tools
- Building custom AI workflows on UK/EU infrastructure
- Training teams on responsible AI use
If your business is using AI tools and hasn’t reviewed the data compliance picture, book a free consultation — we’ll assess your current exposure and recommend a practical path forward.