Staff are using ChatGPT, Copilot and Gemini every day — often with no policy, no Data Processing Agreement, and no idea their data is being processed in the United States. Find out your UK GDPR exposure in 2 minutes.
73%
of employees use AI tools at work
68%
without IT knowledge or approval
£17.5M
maximum UK GDPR fine
AI Usage & Data Exposure
Answer based on what actually happens — not what should happen. Results are only as useful as the honesty of your answers.
🇬🇧 Scored against UK GDPR. Most consumer AI tools process data in the United States. Under UK GDPR Chapter V, sending personal data outside the UK requires a valid transfer mechanism — many businesses aren't aware this applies to AI tools.
Which AI tools do your staff primarily use?
Select the option that best describes your primary tool. We'll assess its data location, DPA availability, and GDPR transfer mechanism.
What types of data do staff share with AI tools?
Think about the most sensitive thing a staff member has sent to an AI tool in the last month — not the most common, the most sensitive.
Do you know where your AI tools process and store your data?
UK GDPR Chapter V restricts transfers of personal data outside the UK. For US transfers, the UK-US Data Bridge (adequacy decision, Oct 2023) provides a mechanism — but only for certified providers, and only if you've documented it.
Do you know where your AI tools process and store your data?
UK GDPR Chapter V restricts transfers of personal data outside the UK. For US transfers, the UK-US Data Bridge (adequacy decision, Oct 2023) provides a mechanism — but only for certified providers, and only if you've documented it.
Have you signed a Data Processing Agreement (DPA) with your AI providers?
UK GDPR Article 28 requires a DPA whenever a third party processes personal data on your behalf. Consumer AI accounts (free ChatGPT, personal Gemini) don't offer one — making any personal data processing on those platforms unlawful.
Governance & Controls
How well is AI use managed in your organisation?
Do you have an AI acceptable use policy?
A policy defines what staff may and may not do with AI tools — including what data they can share. Without one, each employee makes independent decisions about your data.
Are staff aware that AI tools may retain or train on their inputs?
Free ChatGPT accounts (by default) allow OpenAI to use conversations to improve their models. Your client data could become AI training data. Enterprise plans opt out — but most businesses don't realise this distinction exists.
Does your business regularly handle special category personal data?
Special category data (health, HR, financial history, biometrics, criminal records, religious or political beliefs) carries the highest GDPR obligations and the highest ICO fine potential. Even one incident involving this data is serious.
Is AI tool usage monitored or approved by IT or management?
Shadow AI — staff using unapproved tools without IT's knowledge — is one of the biggest risks for UK businesses right now. If you can't see it, you can't manage it.