AI Data Privacy Review
Your team's pasting things into ChatGPT. Copilot's been switched on tenant-wide. Someone built a RAG bot that reads SharePoint. We map what's actually going where, what the ICO would think, and what to fix first.
Days from kickoff to board report
UK GDPR, ICO guidance + EU AI Act
DPIA-ready evidence pack you can file
Your AI tools quietly moved your data.
In 2022, "the data" lived in a handful of systems your IT team knew about. Now it's also inside ChatGPT chat histories, Copilot indexes, browser extensions nobody approved, a custom GPT a marketer spun up, and a vector database powering an internal chatbot.
None of that's on a network diagram. Most of it isn't in your data map, your ROPA, or your last DPIA. A fair amount of it is opted into model training by default, and one bad email away from being exfiltrated.
The ICO already expects you to know where your data goes. The EU AI Act and ISO/IEC 42001 are turning that into paperwork too.
WHAT YOU THINK YOU HAVE
- An AI policy in the staff handbook
- "We're on the enterprise tier, so it's fine"
- A DPIA from 2021 that doesn't mention LLMs
- Copilot rolled out by IT, scoped by nobody
- A vague sense that "training is off"
WHAT YOU ACTUALLY HAVE
- Staff using free ChatGPT on personal accounts
- Browser extensions that POST page contents to who-knows-where
- Copilot answering questions from HR letters and M&A docs
- A RAG bot whose index includes old API keys
- Logs that prove none of the above
Five ways AI leaks your data.
We see these in pretty much every review. Nothing exotic; it's how the tools your team uses behave out of the box.
Paste-it-in shadow AI
Staff using personal ChatGPT, Claude or Gemini to summarise client emails, contracts, customer lists. Same pattern that bit Samsung in 2023 when engineers pasted source code into ChatGPT.
Copilot oversharing
Microsoft 365 Copilot inherits SharePoint permissions. Legacy "Everyone except external" links make payroll, severance and board minutes queryable in plain English. Microsoft acknowledged this at Ignite 2024.
Training-on by default
Consumer LLM tiers retain prompts for training unless toggled off. Slack quietly opted customer messages into ML training and had to rewrite its privacy principles in May 2024 after the backlash. The default is rarely the one you want.
RAG indexes with secrets
The internal chatbot that "just reads the wiki" also ingested expired API keys, old HR letters, the legal advice folder and a CSV of customers. The vector store doesn't care; the chatbot doesn't either.
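One control that closes this gap is a gate in front of the embedding step, so the "just reads the wiki" bot never sees the HR folder, the old config with a key in it, or the customer export. The following is an added example, not code from this page's review service or from any client build: a pre-ingestion check that rejects documents from excluded source folders, documents containing credential-shaped strings, or documents dense with email addresses. The regex patterns, folder names and the sample corpus are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Credential-shaped strings. Illustrative patterns, not an exhaustive secret scanner.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(r"(?i)\b(?:api[_-]?key|token|secret)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Source folders that should never feed a general-purpose internal chatbot (assumed names).
BLOCKED_PATH_PARTS = ("/hr/", "/legal/", "/payroll/", "/board/")

@dataclass
class Decision:
    path: str
    ingest: bool
    reasons: list = field(default_factory=list)

def gate_document(path: str, text: str, max_emails: int = 5) -> Decision:
    """Decide whether one document may enter the vector index, recording why not."""
    d = Decision(path=path, ingest=True)
    low = path.lower()
    if any(part in low for part in BLOCKED_PATH_PARTS):
        d.reasons.append(f"source folder excluded: {path}")
    for name, pat in SECRET_PATTERNS.items():
        if pat.search(text):
            d.reasons.append(f"credential-shaped string: {name}")
    n_emails = len(set(EMAIL_RE.findall(text)))
    if n_emails > max_emails:  # a bulk export of personal data, not a wiki page
        d.reasons.append(f"bulk personal data: {n_emails} distinct email addresses")
    d.ingest = not d.reasons
    return d

def gate_corpus(docs: dict) -> list:
    """Run the gate over a {path: text} corpus before anything is embedded."""
    return [gate_document(p, t) for p, t in docs.items()]

# Constructed sample corpus: no real keys, people or customers.
SAMPLE_DOCS = {
    "/wiki/onboarding.md": "Welcome! Ask #it-help for a laptop. Office hours 9-5.",
    "/eng/old-config.md": "legacy integration: api_key = sk-EXAMPLEexampleEXAMPLEexample1234",
    "/hr/letters/severance-2023.docx": "Dear colleague, your employment will end on ...",
    "/exports/customers.csv": "\n".join(f"user{i}@example.com,Plan A" for i in range(8)),
}

if __name__ == "__main__":
    for d in gate_corpus(SAMPLE_DOCS):
        print("INGEST" if d.ingest else "BLOCK ", d.path, "; ".join(d.reasons))
```

In a real pipeline the blocked list is what gets reviewed by a human, and the gate sits in the same place whether the index is rebuilt nightly or updated on each SharePoint change.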
Prompt injection
A single rigged email can tell Copilot what to send back out. Aim Labs disclosed exactly that (EchoLeak, CVE-2025-32711, CVSS 9.3) in June 2025: zero-click exfiltration from M365 Copilot. Patched, but the class isn't going away.
What the review covers.
You get a document you can hand to your board, your DPO and the customers asking the AI question on their procurement form. Not a pen test, not a 90-page policy doc.
An AI data map
Every AI tool in use, sanctioned or not. Who's using it, on what data, under whose account, against which vendor terms. The thing your ROPA was supposed to have.
Vendor configuration audit
OpenAI, Anthropic, Google, Microsoft, Mistral. Training opt-outs, retention windows, regional processing, sub-processors, data processing addenda. Pulled from your actual tenants, not the marketing page.
Copilot oversharing scan
If you're running M365 Copilot, we check what it can actually see. Open links, inherited permissions, sensitivity labels, the documents that shouldn't be in scope but are.
Custom AI workflow review
The internal chatbot, the agent that emails customers, the RAG over your wiki. We trace the data flow end-to-end, look at the prompts, the tools the model can call, the logs, the guardrails.
Shadow AI sweep
Browser extensions, transcription tools, custom GPTs, personal accounts logged in on work machines. We surface what your team is using that you didn't approve. No naming and shaming.
Regulatory mapping
Each finding tied to UK GDPR articles, the ICO's Guidance on AI and data protection, EU AI Act obligations and ISO/IEC 42001 controls. So the fix list isn't opinion, it's evidence.
Article 22 triage
Anywhere AI is making decisions about people (hiring, credit, pricing, flagging) we flag against UK GDPR Article 22 and the Data (Use and Access) Act safeguards. Most clients don't realise they've crossed the line.
A prioritised fix list
Ranked by risk, with effort estimates and who's best placed to do it. Half of it is usually settings changes. The rest is policy, training and a few engineering tickets.
Days. One report.
We've done enough of these to know what's worth looking at. The format's the same every time, so the days go on findings, not on reinventing the process.
You give us read-only access. You get a board-ready report, a ranked fix list, and a DPIA-ready evidence pack you can file.
Kickoff and access
One 60-minute call with whoever runs IT, the DPO (if you have one) and a couple of heavy AI users. Read-only access to your M365 or Google admin, your AI vendor tenants, your hosting and your repo if there's a custom build.
Discovery
We pull vendor configs, run a Copilot oversharing scan if applicable, look at your custom AI workflows, and run a short anonymous staff survey to surface the shadow AI that won't show up in logs. We don't interrupt your team.
Mapping and findings
Each exposure gets tied to a specific UK GDPR article, ICO guidance section, EU AI Act obligation or ISO/IEC 42001 control. Each fix gets an owner, an effort estimate and a priority. We share a draft so nothing in the final report is a surprise.
Readout
90-minute walkthrough with you and your board, or your DPO, or your insurer. One page for the board. Ten to twenty pages for the people doing the work. An evidence pack a DPIA can be built on.
Optional: we do the fixing
If you want us to actually close the gaps (turn the toggles, write the policy, rebuild the leaky chatbot, train the team), we scope that separately. Most clients self-serve the easy half and bring us in for the engineering.
Six stories we keep coming back to.
Public, recent, all involving tools your team is using today. Worth reading before the next vendor white paper.
Samsung bans ChatGPT internally.
Three separate incidents at Samsung Semiconductor where engineers pasted confidential source code and meeting transcripts into ChatGPT. Samsung banned generative AI on company devices in May 2023.
ChatGPT leaks chat titles and billing.
A bug in OpenAI's redis-py client exposed other users' conversation titles and billing details (name, email, address, last-4 card digits, expiry) for around 1.2% of ChatGPT Plus subscribers active in a nine-hour window.
Italian Garante fines OpenAI €15m.
Italy's data protection authority fined OpenAI for processing personal data without a lawful basis, transparency failings and inadequate age verification. OpenAI was also ordered to run a six-month public awareness campaign.
Air Canada loses to its own chatbot.
In Moffatt v Air Canada (BC Civil Resolution Tribunal), the airline was held liable for negligent misrepresentation after its chatbot invented a bereavement-fare refund. "It's just the bot" stopped being a defence.
DeepSeek leaves a database open.
Wiz Research found a publicly exposed ClickHouse database belonging to DeepSeek leaking more than a million log lines, including chat history, API keys and backend metadata. The Italian Garante blocked the service the next day.
EchoLeak in Microsoft 365 Copilot.
Aim Labs disclosed CVE-2025-32711 (CVSS 9.3): the first reported zero-click prompt-injection in a production LLM. A single email could cause Copilot to exfiltrate sensitive context. Microsoft patched it. The class of attack hasn't gone away.
Sources: Bloomberg, OpenAI, Garante per la Protezione dei Dati Personali, CanLII, Wiz Research, Microsoft MSRC, Aim Labs.
The paperwork's getting heavier.
"We'll deal with AI governance later" worked as a stance in 2024 and won't in 2027. The dates worth circling:
EU AI Act: prohibitions live
Unacceptable-risk AI banned. AI literacy duties apply to providers and deployers.
EU AI Act: GPAI rules apply
General-purpose AI model obligations and governance rules in force.
EU AI Act: high-risk + transparency
Annex III high-risk system obligations and Article 50 transparency duties (the "you must tell people they're talking to AI" bit) apply. About ten weeks from now.
UK GDPR + ICO expectations
The ICO's "Guidance on AI and data protection" already applies. The Data (Use and Access) Act 2025 has rewritten Article 22 into Articles 22A-D, with explicit safeguards around automated decisions.
The ones we get asked first.
We're on the enterprise tier. Doesn't that cover it?
It covers the training opt-out and the data processing addendum. It does not cover staff using the free version on their phone, the marketing intern's custom GPT, the browser extension that POSTs page contents to a third party, or your Copilot reading documents it shouldn't. Most of what we find on a review is outside the enterprise tenant.
We're a UK SME. Does the EU AI Act apply to us?
Often yes. The Act has extraterritorial reach: if your AI output is used in the EU, or you place an AI system on the EU market, you're in scope regardless of where you're based. The high-risk and Article 50 transparency obligations land on 2 August 2026. The UK is also moving, more slowly, through its own AI bill and updated ICO guidance.
Is this a security audit?
No. We're not testing your firewall or scanning for CVEs. We're looking specifically at how AI tools and AI workflows handle data, and whether your use of them holds up under UK GDPR, ICO guidance, the EU AI Act and ISO/IEC 42001. If you also need a general security review, we'll tell you and recommend who's good.
We don't have a DPO. Is that a problem?
No. Most of our SME clients don't. The report is written so a founder, operations lead or external DPO-as-a-service can act on it. If you want, we can introduce you to a fractional DPO we trust.
What do you need from us?
Read-only admin access to M365 or Google Workspace, your AI vendor tenants (OpenAI, Anthropic, Google AI, Microsoft Copilot, anything custom), and read access to any internal AI workflow you've built. One kickoff call, one ten-minute survey for staff, one readout. We try to take less than a day of your team's combined time.
How much does it cost?
Fixed fee, scoped on a 30-minute call. We tell you the number before you commit. Any follow-on engineering work is priced separately per phase.
What if we already know we've leaked something?
Tell us on the first call. The review takes a back seat to incident response: scope what's gone, rotate keys, work out whether it's notifiable under UK GDPR (72-hour clock), draft the customer notice. Then we go back and fix the cause.
Will the report help with a customer or insurer questionnaire?
Yes. That's a big reason clients commission it. The evidence pack maps to the questions enterprise procurement, cyber insurers and Cyber Essentials assessors are now asking about AI use. You can hand it over instead of writing the same paragraph eight times.
Find out what your AI is doing with your data.
Thirty-minute call. You'll come away with a clear answer on whether you need the full review, what we'd look at first, and what it would cost. If you don't need us, we'll say so.