CattleGrid News
You Don’t Have a Compliance Team. Here’s What That Means When Your Staff Use AI.
I spent twenty years selling enterprise technology to large organisations. Then I started paying attention to what was happening at smaller ones.
In enterprise technology there was a challenge with what was called “skunk works”. There’s the software companies use and buy, and then there’s the stuff people make and create to do their work. Bits of orphan code that glue workflows together. Workarounds installed years ago. Some with a corporate memory. Most without documentation. My first customer services team at Microsoft used a CRM the team built on Access and Crystal Reports. Ran the whole department for a couple of years. I came across a consultant once in a large teaching hospital who proudly showed me the macro-ridden spreadsheet that ran his small department and the server he ran it on under his desk. Oblivious to IT. He was the designer, developer, primary user and support agent.
The pattern is the same here. Staff using AI tools (ChatGPT, Claude, Gemini, whatever had arrived in their feed that week) to get work done faster. Drafting client emails. Summarising documents. Writing reports. Nothing unusual about any of it. Entirely reasonable use of tools that genuinely save time.
What actually happens when someone pastes client data into ChatGPT
The moment your employee submits a prompt containing a client name, a financial figure, a medical detail, or any other personal information to a public AI service, that AI provider becomes a data processor under UK GDPR. Your business remains the data controller. The legal obligations that follow from that apply whether you knew it happened or not. You’ll need an audit record of the interaction and a lawful basis for the transfer on file, as well as that data processing agreement, for when, inevitably, someone challenges you.
The AI providers certainly don’t flag it on the way in, or if they do, it’s in the really small print we never read. The ICO has been clear that UK GDPR applies to AI tool usage. It does not make an exception for consumer-facing tools, for accidental usage, or for businesses below a certain size. If personal data was processed, the rules applied.
You can, as I’ve seen, see people roll their eyes and mutter darkly about red tape or stifling innovation, and perhaps they’ve got a point. However, until someone changes the playing field, let’s focus on what we can actually do about it today.
Three things you almost certainly aren’t doing
Firstly – what aren’t you doing?
One. You probably don’t have a data processing agreement with OpenAI, Google, or Anthropic. Not a properly executed one that covers the specific use case of your employees submitting client data. The terms of service are not that agreement.
Two. You almost certainly have no audit trail. You cannot say, with evidence, which employees used which AI tools, when, and what data was submitted. If the ICO or a client ever asked, you would be answering from memory.
Three, and in my mind the most important: You have no policy that employees have read, understood, and acknowledged. An AI acceptable use policy that lives in a shared drive nobody opens is not a policy. It is a document.
None of these things require a compliance team to fix; they just require a decision to take them seriously.
What’s the risk for me, Brian?
UK GDPR penalties can reach £17.5 million or 4% of annual global turnover, whichever is higher. For a small business, the more realistic exposure is an ICO investigation, a requirement to demonstrate what happened, and a finding that you had inadequate technical and organisational measures in place.
That finding has consequences beyond the fine. Clients in regulated sectors will ask about it. That has a knock-on effect. Liability profiles change, and premiums go up.
The less visible risk is the client whose data ended up in a prompt. You may never know. They almost certainly won’t either. “They’ll never know” is a terrible look. That’s not how we would want to treat our valued customers. It’s certainly not how we would want to be treated.
What good looks like for a business your size
You do not need a compliance exercise. No consultancies need be engaged. No fees for advice here.
You need three things.
A written policy that employees are required to read and acknowledge. One page is fine. It should say which AI tools are permitted, what categories of data must not be submitted, and what the consequences of non-compliance are. You can pull that together right now.
A processor agreement with the AI providers your staff use. OpenAI and Google both offer these. They take twenty minutes to execute. Most businesses haven’t done it.
A technical control that gives you visibility. This is where CattleGrid comes in.
We built a gateway that sits between your staff and the AI provider, inspects prompts in real time against your configured rules, and generates an audit record of every interaction. Nothing is stored. Nothing leaves the UK and EU infrastructure. Nobody stops you using your AI provider, you don’t get to feel you’re playing catch-up, and it does not require a compliance team to operate.
The point is not that you must use CattleGrid. The point is that a technical measure of some kind is what turns a policy document into a defensible position.
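As an added illustration of such a technical measure (example code written for this article, not CattleGrid's implementation), the Python below checks a prompt against a small rule set and produces an audit record of who sent which categories of data to which provider, without keeping the prompt text. The rule patterns, the block/flag policy, the user and provider names and the sample prompts are all assumptions constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timezone

# Hypothetical rule set (data category -> pattern); shapes only, not exhaustive.
RULES = {
    "email_address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.I),
    "ni_number": re.compile(r"\b[A-Z]{2}\s?(?:\d{2}\s?){3}[A-D]\b", re.I),
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
BLOCKED = {"ni_number", "payment_card"}  # assumed policy: never sent to a provider

def luhn_valid(candidate: str) -> bool:
    """Checksum test so long order or invoice numbers are not reported as cards."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def inspect_prompt(user: str, provider: str, prompt: str, when=None) -> dict:
    """Return an audit record holding match counts and a hash, never the prompt."""
    findings = {}
    for category, pattern in RULES.items():
        hits = pattern.findall(prompt)
        if category == "payment_card":
            hits = [h for h in hits if luhn_valid(h)]
        if hits:
            findings[category] = len(hits)
    # A plain hash ties the record to one prompt; short, guessable prompts can be
    # recovered from it by guessing, so a keyed HMAC is the stronger choice.
    digest = hashlib.sha256(prompt.encode("utf-8")).hexdigest()
    decision = "block" if BLOCKED.intersection(findings) else "flag" if findings else "allow"
    return {
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user, "provider": provider,
        "prompt_sha256": digest,
        "findings": findings, "decision": decision,
    }

# Constructed sample prompts; every name and number here is made up.
SAMPLES = [
    "Summarise our Q3 pricing page in three bullet points.",
    "Draft a reply to jane.doe@example.com at SW1A 1AA about her invoice.",
    "Chase payment: card 4111 1111 1111 1111, NI number QQ 12 34 56 C.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        rec = inspect_prompt("alice", "example-llm", text)
        print(rec["decision"], rec["findings"])
```

Records like these, appended to a log, are what lets you answer "which employee, which tool, when, and what kind of data" with evidence rather than from memory.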
The question worth asking this week
Do you know which AI tools your staff are using right now? Not which ones you’ve sanctioned. Which ones they’re actually using.
If the answer is no, that is where to start.
CattleGrid is an AI API security gateway built for UK and EU organisations. The Early Access Programme is open now at cattlegrid.uk.
