Skip to main content
Success
[PRO SERVICES / SECURITY & GOVERNANCE]

AI Data
Privacy Review

Company data can reach AI through approved platforms, personal accounts, meeting tools and custom integrations. We map the real flows, provider terms, retention and access so the privacy and technology teams can agree what changes.

AI data privacy review by Vu Agency
Board-ready report

Board report

FINDINGS, OWNERS AND PRIORITIES

UK GDPR

ICO GUIDANCE + EU AI ACT

DPIA-ready

EVIDENCE PACK YOU CAN FILE

[THE PROBLEM]

Your AI tools can move data outside the systems you approved

In 2022, "the data" lived in a handful of systems your IT team knew about. Now it's also inside ChatGPT chat histories, Copilot indexes, browser extensions nobody approved, a custom GPT a marketer spun up, and a vector database powering an internal chatbot.

None of that's on a network diagram. Most of it isn't in your data map, your ROPA, or your last DPIA. A fair amount of it is opted into model training by default, and one bad email away from being exfiltrated.

The ICO already expects you to know where your data goes. The EU AI Act and ISO/IEC 42001 are turning that into paperwork too.

WHAT YOU THINK YOU HAVE

  • An AI policy in the staff handbook
  • "We're on the enterprise tier, so it's fine"
  • A DPIA from 2021 that doesn't mention LLMs
  • Copilot rolled out by IT, scoped by nobody
  • A vague sense that "training is off"

WHAT YOU HAVE

  • Staff using free ChatGPT on personal accounts
  • Browser extensions that POST page contents to who-knows-where
  • Copilot answering questions from HR letters and M&A docs
  • A RAG bot whose index includes old API keys
  • Logs that prove none of the above
[THE FIVE EXPOSURES]

How company data reaches AI tools

We see these in pretty much every review. Nothing exotic; it's how the tools your team uses behave out of the box.

01

Paste-it-in shadow AI

Staff using personal ChatGPT, Claude or Gemini to summarise client emails, contracts, customer lists. Same pattern that bit Samsung in 2023 when engineers pasted source code into ChatGPT.

02

Copilot oversharing

Microsoft 365 Copilot inherits SharePoint permissions. Legacy "Everyone except external" links make payroll, severance and board minutes queryable in plain English. Microsoft acknowledged this at Ignite 2024.

03

Training-on by default

Consumer LLM tiers can retain prompts for training unless the relevant setting is off. Slack changed its privacy wording in May 2024 after customers questioned how messages could be used for machine learning. Vendor defaults need checking.

04

RAG indexes with secrets

The internal chatbot that "just reads the wiki" also ingested expired API keys, old HR letters, the legal advice folder and a CSV of customers. The vector store doesn't care; the chatbot doesn't either.

05

Prompt injection

A single rigged email can tell Copilot what to send back out. Aim Labs disclosed exactly that (EchoLeak, CVE-2025-32711, CVSS 9.3) in June 2025: zero-click exfiltration from M365 Copilot. Patched, but the class isn't going away.

[THE OFFER]

What the review covers

The report is written for the board, DPO, security team and customers asking about AI on procurement forms. It covers data flows, findings, owners and the evidence required for remediation.

An AI data map

Every AI tool in use, sanctioned or not. Who's using it, on what data, under whose account, against which vendor terms. The thing your ROPA was supposed to have.

Vendor configuration audit

OpenAI, Anthropic, Google, Microsoft, Mistral. Training opt-outs, retention windows, regional processing, sub-processors, data processing addenda. Pulled from your actual tenants, not the marketing page.

Copilot oversharing scan

If you're running M365 Copilot, we check what it can see. Open links, inherited permissions, sensitivity labels, the documents that shouldn't be in scope but are.

Custom AI workflow review

The internal chatbot, the agent that emails customers, the RAG over your wiki. We trace the data flow end-to-end, look at the prompts, the tools the model can call, the logs, the guardrails.

Shadow AI sweep

Browser extensions, transcription tools, custom GPTs, personal accounts logged in on work machines. We surface what your team is using that you didn't approve. No naming and shaming.

Regulatory mapping

Each finding tied to UK GDPR articles, the ICO's Guidance on AI and data protection, EU AI Act obligations and ISO/IEC 42001 controls. So the fix list isn't opinion, it's evidence.

Article 22 triage

Where AI supports decisions about people, such as hiring, credit, pricing or flagging, we record whether the decision is solely automated and whether it has legal or similarly serious effects. That determines which current UK safeguards need review.

A prioritised fix list

Findings are ranked by risk, with an owner and effort estimate. The response may involve account settings, contracts, policy, training or engineering, depending on where the exposure sits.

[HOW IT WORKS]

A fixed-scope review

The review follows a defined evidence set across accounts, contracts, data flows, permissions and live workflows. The scope still changes with the systems, territories and data involved.

You give us read-only access. You get a board-ready report, a ranked fix list, and a DPIA-ready evidence pack you can file.

BOOK A REVIEW CALL
01

Kickoff and access

One 60-minute call with whoever runs IT, the DPO (if you have one) and a couple of heavy AI users. Read-only access to your M365 or Google admin, your AI vendor tenants, your hosting and your repo if there's a custom build.

02

Discovery

We pull vendor configs, run a Copilot oversharing scan if applicable, look at your custom AI workflows, and run a short anonymous staff survey to surface the shadow AI that won't show up in logs. We don't interrupt your team.

03

Mapping and findings

Each exposure gets tied to a specific UK GDPR article, ICO guidance section, EU AI Act obligation or ISO/IEC 42001 control. Each fix gets an owner, an effort estimate and a priority. We share a draft so nothing in the final report is a surprise.

04

Readout

90-minute walkthrough with you and your board, or your DPO, or your insurer. One page for the board. Ten to twenty pages for the people doing the work. An evidence pack a DPIA can be built on.

05

Optional: we do the fixing

Remediation is optional and scoped separately. Your own teams can take the policy and account changes, while Vu can handle engineering work where an AI workflow or integration needs changing.

[PUBLISHED INCIDENTS]

Six public AI data incidents

Each case involved tools that are now common in UK businesses. They show the questions a privacy review needs to ask.

MAY 2023

Samsung bans ChatGPT internally.

Three separate incidents at Samsung Semiconductor where engineers pasted confidential source code and meeting transcripts into ChatGPT. Samsung banned generative AI on company devices in May 2023.

MAR 2023

ChatGPT leaks chat titles and billing.

A bug in OpenAI's redis-py client exposed other users' conversation titles and billing details (name, email, address, last-4 card digits, expiry) for around 1.2% of ChatGPT Plus subscribers active in a nine-hour window.

DEC 2024

Italian Garante fines OpenAI €15m.

Italy's data protection authority fined OpenAI for processing personal data without a lawful basis, transparency failings and inadequate age verification. OpenAI was also ordered to run a six-month public awareness campaign.

FEB 2024

Air Canada loses to its own chatbot.

In Moffatt v Air Canada (BC Civil Resolution Tribunal), the airline was held liable for negligent misrepresentation after its chatbot invented a bereavement-fare refund. "It's just the bot" stopped being a defence.

JAN 2025

DeepSeek leaves a database open.

Wiz Research found a publicly exposed ClickHouse database belonging to DeepSeek leaking more than a million log lines, including chat history, API keys and backend metadata. The Italian Garante blocked the service the next day.

JUN 2025

EchoLeak in Microsoft 365 Copilot.

Aim Labs disclosed CVE-2025-32711 (CVSS 9.3): the first reported zero-click prompt-injection in a production LLM. A single email could cause Copilot to exfiltrate sensitive context. Microsoft patched it. The class of attack hasn't gone away.

Sources: Bloomberg, OpenAI, Garante per la Protezione dei Dati Personali, CanLII, Wiz Research, Microsoft MSRC, Aim Labs.

[WHAT'S COMING]

Current AI privacy requirements

The applicable date depends on the system, territory and whether your organisation is a provider or deployer. These are the main dates to check:

2 Feb 2025

EU AI Act: prohibitions live

Unacceptable-risk AI banned. AI literacy duties apply to providers and deployers.

2 Aug 2025

EU AI Act: GPAI rules apply

General-purpose AI model obligations and governance rules in force.

2 Aug 2026

EU AI Act: Article 50 transparency

Transparency duties apply to covered interactive AI systems and certain generated or manipulated content. The Commission has published implementation guidance and a voluntary code.

2 Dec 2027 / 2 Aug 2028

EU AI Act: high-risk systems

The Commission's current timeline puts Annex III high-risk areas on the first date and high-risk systems embedded in regulated products on the second.

Ongoing

UK GDPR + ICO expectations

The ICO's "Guidance on AI and data protection" already applies. The Data (Use and Access) Act 2025 has rewritten Article 22 into Articles 22A-D, with explicit safeguards around automated decisions.

[RELEVANT VU WORK]

We deal with these data flows in our own AI products

Raq.com and 102.ai use several model providers and business data sources. Provider terms, retention, account access and the boundary between free tools and controlled workflows are operating decisions for us as well.

[A USEFUL FIRST CONVERSATION]

When this is worth discussing

We work best when there is a real operating problem, enough volume to measure and people from the affected teams who can make decisions.

Usually a good fit

  • An established UK business, usually with annual revenue above £10m
  • A repeated process with a known cost, delay, error rate or capacity problem
  • A senior sponsor and a day-to-day owner who understand the work
  • Access to the relevant staff, systems, sample records and security requirements

We may point you elsewhere

  • A standard product already covers the process well
  • The requirement is a one-off small build with no wider operating case
  • There is no owner or access to the people and data needed to test the result
  • The plan relies on AI making high-impact decisions with nobody responsible for review
[QUESTIONS]

Questions from IT, legal and compliance

Q.01

We're on the enterprise tier. Doesn't that cover it?

It covers the training opt-out and the data processing addendum. It does not cover staff using the free version on their phone, the marketing intern's custom GPT, the browser extension that POSTs page contents to a third party, or your Copilot reading documents it shouldn't. Most of what we find on a review is outside the enterprise tenant.

Q.02

Does the EU AI Act apply to us?

It can. A UK organisation may be in scope when it places an AI system on the EU market or its output is used in the EU. Article 50 transparency duties apply from 2 August 2026, while the Commission's current timeline puts Annex III high-risk areas on 2 December 2027. In the UK, the Data (Use and Access) Act 2025 has already changed the rules and safeguards for serious solely automated decisions.

Q.03

Is this a security audit?

No. We're not testing your firewall or scanning for CVEs. We're looking specifically at how AI tools and AI workflows handle data, and whether your use of them holds up under UK GDPR, ICO guidance, the EU AI Act and ISO/IEC 42001. If you also need a general security review, we'll tell you and recommend who's good.

Q.04

We don't have a DPO. Is that a problem?

No. The report is written for the operational owner, technology lead and data-protection adviser. We document the technical facts and recommended controls, while legal advice remains with your DPO or solicitor.

Q.05

What do you need from us?

Read-only admin access to M365 or Google Workspace, your AI vendor tenants (OpenAI, Anthropic, Google AI, Microsoft Copilot, anything custom), and read access to any internal AI workflow you've built. One kickoff call, one ten-minute survey for staff, one readout. We try to take less than a day of your team's combined time.

Q.06

How much does it cost?

We define the systems, providers, teams and data classes in scope before issuing a commercial proposal. Any engineering work arising from the review is scoped separately so the findings remain independent.

Q.07

What if we already know we've leaked something?

Tell us on the first call. The review takes a back seat to incident response: scope what's gone, rotate keys, work out whether it's notifiable under UK GDPR (72-hour clock), draft the customer notice. Then we go back and fix the cause.

Q.08

Will the report help with a customer or insurer questionnaire?

Yes. That's a big reason clients commission it. The evidence pack maps to the questions enterprise procurement, cyber insurers and Cyber Essentials assessors are now asking about AI use. You can hand it over instead of writing the same paragraph eight times.

Vu Agency review session

Book an AI data privacy review

Tell us which AI platforms are approved, which data is sensitive and what prompted the review. We will identify the systems, contracts and user practices that need evidence before scoping the work.

Instant AI Chat Message us on WhatsApp