£0cost to opt out of ChatGPT training - it's a free toggle in Settings > Data Controls
£17.5mmaximum ICO fine under UK GDPR, or 4% of global annual turnover if higher
~£20per user per month for ChatGPT Team - the minimum plan that includes a Data Processing Agreement
30days OpenAI retains conversations even after you delete them, for safety and abuse monitoring
The short answer
It depends on which version of ChatGPT you're using
Not safe for client data
ChatGPT free tier
ChatGPT Plus
No Data Processing Agreement available. Conversations may be used to improve the model.
Safe with proper setup
ChatGPT Team (~£20/user/mo)
ChatGPT Enterprise
OpenAI API
Data Processing Agreement included. Conversations not used for training.
The version of ChatGPT that most people use - the free browser interface at chatgpt.com - does not come with a Data Processing Agreement (DPA). Under UK GDPR, if you're sharing client personal data with a third party who processes it on your behalf, you need a DPA. Without one, you're legally exposed regardless of whether anything goes wrong.
The practical answer for most service businesses is: upgrade to ChatGPT Team, or anonymise your inputs before using the free tier. Both are straightforward. The detail below covers exactly how to do each.
ChatGPT's actual data policies
What each plan actually does with your data
These distinctions matter. ChatGPT Plus costs £16/mo and provides no additional data protections over the free tier. The meaningful jump is from Plus to Team - that's where the DPA and no-training commitment appear.
Plan
Training
DPA
Safe for client data?
Free tier
Opt-out only
No
Not suitable for client personal data or confidential information
ChatGPT Plus (£16/mo)
Opt-out only
No
Same risks as free tier - not suitable for client data
ChatGPT Team (~£20/user/mo)
No
Yes
Suitable for most service business client data with proper setup
ChatGPT Enterprise
No
Yes
Suitable for regulated industries - legal, financial, healthcare
OpenAI API
No
Yes
Best option for technical teams building automated workflows
Source: OpenAI Privacy Policy and Terms of Use, verified May 2026. The 'opt-out' toggle for training is in Settings > Data Controls > Improve the model for everyone. Even with opt-out enabled, OpenAI retains conversations for up to 30 days for safety monitoring.
Safer setups
Four ways to use ChatGPT with client data safely
You don't need to stop using ChatGPT for client work - you need to use the right tier or technique. These four options cover the full range from free and immediate to enterprise-grade.
Option 1 - Opt out of training (free, immediate)
1Go to Settings in ChatGPT (bottom-left of the interface)
2Select Data Controls
3Toggle off 'Improve the model for everyone'
4This stops your conversations being used for training - it doesn't delete existing history
This is the minimum you should do before using ChatGPT with any work content. It takes 30 seconds. OpenAI still retains conversations for 30 days for safety monitoring regardless of this setting.
Option 2 - Upgrade to ChatGPT Team
1Go to chatgpt.com and select Upgrade to Team
2Team plans are billed per user per month - minimum 2 users
3OpenAI provides a Data Processing Agreement (DPA) for Team accounts
4Conversations are not used for training
5Workspace admin controls let you manage access and visibility
This is the right move for any service business regularly using ChatGPT with client content. The legal protection the DPA provides is worth the cost if you're working with client personal data.
Option 3 - Anonymise inputs before you type
1Replace client names, company names, and project names with placeholders before pasting
2Use '[CLIENT]', '[COMPANY]', '[PROJECT X]' etc.
3Strip email addresses, phone numbers, and financial account references
4Keep the substance of what you need help with - remove identifying detail only
This approach works on the free tier - if there's no personal data in the input, there's no personal data risk. It adds a step but is often faster than upgrading if your usage is occasional.
Option 4 - Use the API directly
1The OpenAI API does not train on your data by default
2You get a DPA as part of OpenAI's enterprise terms
3API access requires technical setup - not suitable for direct use by non-technical staff
4Useful when building internal tools or automations that process client data at scale
For small businesses without in-house developers, ChatGPT Team is a simpler path to the same data protection outcome.
Industry-specific notes
What this means for your specific sector
The minimum safe tier varies by sector. Legal, financial, and healthcare firms have obligations that go beyond what even ChatGPT Team provides in isolation. The notes below are a starting point - not a substitute for reviewing your sector's specific guidance.
LegalHigh risk
Client matters are subject to legal professional privilege - disclosure to a third party can break privilege
Solicitors have SRA obligations around confidentiality and data handling
Even on Team/Enterprise, review whether inputting privileged content to any third-party AI constitutes a waiver
The Law Society has issued guidance on AI use in legal practice - review it before deploying
Minimum: ChatGPT Enterprise minimum - and get explicit sign-off from your professional indemnity insurer
Accountancy and financeHigh risk
Client financial records and tax information are personal data under UK GDPR
FCA-regulated firms have additional vendor oversight obligations
HMRC and Companies House data mixed with client identifiers needs a DPA-covered tool
Anti-money laundering obligations create further sensitivity around client financial data
Minimum: ChatGPT Team with DPA - check your ICAEW or ACCA guidance on AI tool use
Healthcare and therapyHigh risk
Health data is special category personal data - highest protection standard under UK GDPR
Any processing requires an explicit lawful basis beyond consent
Patient or client session notes should not enter any consumer AI tool under any circumstances
ICO has specific guidance on health data in AI systems
Minimum: ChatGPT Enterprise - and likely a dedicated healthcare-approved tool; consult your data protection officer
Recruitment and HRMedium risk
CVs contain personal data - names, addresses, employment history - and cannot enter the consumer free tier
Using AI to screen or score candidates can create automated decision-making obligations under UK GDPR
Employee performance data and HR records are sensitive - need a DPA-covered tool
Ensure any AI-assisted shortlisting does not introduce unlawful discrimination
Minimum: ChatGPT Team with DPA for recruitment use - review automated decision-making obligations separately
Marketing agenciesMedium risk
Client briefs and brand strategy documents are typically covered by NDAs
Breaching an NDA by inputting content to a third-party AI is a contractual risk, not just a GDPR risk
Check your standard client contract - many now include AI tool restrictions
Consumer market research data containing personal details needs a DPA
Minimum: ChatGPT Team with DPA - and review your client contracts for AI tool clauses
Consulting and professional servicesMedium risk
Confidential client diagnostics, strategy documents, and internal research typically covered by NDA
Client financial projections and organisational data are often personal data in practice
Professional indemnity insurers are beginning to ask about AI tool policies
Lowest-risk approach: anonymise any client-identifiable content before AI input, even on Team plans
Minimum: ChatGPT Team with DPA - and anonymise identifying content as a standard workflow step
Need help with your AI policy?
We help service businesses set up AI safely - without slowing you down
From choosing the right tier of ChatGPT to drafting an internal AI use policy your team will actually follow, our consultancy sessions cover the practical and legal side together.
