Is ChatGPT safe to use? What North Wales businesses need to know about AI and data
A plain-English answer to the question every business owner asks: "Is it actually safe to use ChatGPT for work?" Yes, with a few rules. Here are the rules.
Every week, a business owner in North Wales asks me some version of: "Is it actually safe to use ChatGPT for work?" The answer is "yes, with a few rules". This article is the rules.
The fear is reasonable. AI tools are new, the privacy notices are long, and the news cycle has stories about data leaks every few weeks. But the rules are not complicated and they have not changed much in the last two years. Once you know them, you can use AI confidently for most business work without taking any meaningful privacy risk.
The headline question: where does what you type go?
When you type into ChatGPT, Claude, Gemini or Copilot, your text is sent to the AI provider's servers. They process it, return an answer, and store the conversation in your account. Three things can then happen depending on which tier you are on.
On a paid business tier (ChatGPT Plus, Claude Pro, ChatGPT Team, Claude Team, Gemini Business, Copilot for Microsoft 365), the AI provider explicitly does not use your inputs to train its models. Your data is processed for the conversation and that is it.
On a free consumer tier, the default for most providers is that your inputs may be used to improve the model unless you explicitly opt out. ChatGPT and Claude both let you turn this off in account settings. Gemini's free tier has changed its training policy a few times - check the current setting.
On any tier, your conversations are stored in your account history unless you delete them or use a temporary chat. Treat the conversation history like an email inbox: it lives until you remove it.
The simple rule of thumb
Three categories of information should never go into a free consumer AI account, regardless of the privacy setting:
1. Personal data about clients or staff that you are responsible for under GDPR. Names, emails, addresses, health data, financial data. The ICO is clear that personal data should not be entered into systems where you cannot evidence the controls.
2. Confidential business information. Trade secrets, draft strategy documents, draft tenders, anything that would be damaging if it leaked.
3. Anything covered by an NDA or contractual confidentiality clause. Most professional services agreements have one.
For these three categories, use either the paid business tier (with the relevant data processing agreement signed), a self-hosted model, or do not use AI at all. There is no middle ground.
What is fine to put in
Almost everything else is fine. The work that AI is best at - drafting emails, summarising public documents, generating marketing content, responding to public reviews, brainstorming - rarely involves the three categories above.
Public information is fine. Anything you would put on your website, in a marketing email, or on social media. AI cannot leak something that is already public.
Anonymised work is usually fine. If you take a draft document and replace names and identifying details with placeholders before pasting it into AI, you have removed the personal data risk.
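One way to do the placeholder replacement described above, as an added example rather than anything from the original article: a short Python script that swaps emails, UK phone numbers, postcodes and a caller-supplied list of names for numbered placeholders, and keeps the mapping on your own machine so the AI's reply can be filled back in. The patterns, function names and sample text are assumptions made for illustration; free-text details such as job titles or street addresses still need a manual read-through.

```python
import re

# Structured identifiers common in UK business documents (illustrative patterns).
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("POSTCODE", re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.I)),
    ("PHONE", re.compile(r"(?<!\w)(?:\+44\s?|0)\d(?:[\s-]?\d){8,9}(?!\w)")),
]

def redact(text, names=()):
    """Replace identifiers and supplied names with numbered placeholders.

    Returns (redacted_text, mapping). The mapping restores the originals
    in the AI's reply; keep it local and never paste it into the tool.
    """
    mapping = {}  # placeholder -> original value
    seen = {}     # (label, lower-cased value) -> placeholder

    def placeholder(label, value):
        key = (label, value.lower())
        if key not in seen:
            n = sum(1 for k in seen if k[0] == label) + 1
            seen[key] = f"[{label}_{n}]"
            mapping[seen[key]] = value
        return seen[key]

    # Patterns run first so a name inside an email address is not split out.
    for label, rx in PATTERNS:
        text = rx.sub(lambda m, l=label: placeholder(l, m.group()), text)
    # Names cannot be found by pattern, so the caller supplies them.
    # Longest first, so a full name is replaced before a first name alone.
    for name in sorted(names, key=len, reverse=True):
        rx = re.compile(r"\b" + re.escape(name) + r"\b", re.I)
        text = rx.sub(lambda m: placeholder("NAME", m.group()), text)
    return text, mapping

def restore(text, mapping):
    """Put the original values back into text returned by the AI tool."""
    for ph, value in mapping.items():
        text = text.replace(ph, value)
    return text

# Constructed sample draft (not a real person or real contact details).
SAMPLE = ("Hi Sian Roberts, thanks for your call. I have emailed the quote to "
          "sian@example.co.uk and will ring 01632 960123 on Friday. "
          "Sian, is the postcode still LL99 9ZZ?")

if __name__ == "__main__":
    redacted, mapping = redact(SAMPLE, names=["Sian", "Sian Roberts"])
    print(redacted)
```

Paste only the redacted text into the AI tool, then run `restore` on the reply with the mapping you kept.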
Your own writing in your own voice is fine. AI is excellent at "rewrite this email in a friendlier tone" or "make this paragraph clearer". These do not require you to share anything sensitive.
The free vs paid tier decision
For most small businesses in North Wales, the practical answer is: pay for it.
The paid tiers cost around £18 to £20 a month per user. They give you (a) a contract that says your data will not be used for training, (b) longer context windows for handling more complex work, and (c) better models. The combination is worth the spend if you are using AI more than a couple of times a week. The tool comparison post walks through which paid tier fits which kind of business.
For a sole trader who only uses AI occasionally, the free tier with training opted out is workable. Just keep the three categories of sensitive data out of it.
What the ICO actually requires
The Information Commissioner's Office has been publishing guidance on AI for several years. The key practical points for SMEs:
Be transparent. If you use AI to handle customer enquiries or write replies, you do not necessarily have to name the tool, but you should not pretend the work is human-only if asked. Honesty is the rule.
Do not use AI for fully automated decisions about people without human review. If you are using AI to filter job applications, score loan applications, decide insurance claims - any decision that "significantly affects" a person - GDPR Article 22 applies. Most small businesses are not doing this. The ones that are need a careful policy.
Document your data flows. If you are processing personal data through an AI tool, that should be in your processing record. The paid business tiers come with the documentation you need (data processing addendums, sub-processor lists). The free tiers do not.
A short policy you can copy
For most small businesses in North Wales, a one-page AI policy is enough. The shape:
- Which AI tools the business has approved (e.g. ChatGPT Plus, Claude Pro, Microsoft Copilot).
- The three categories of information that must never be entered into AI.
- A reminder to review AI output before sending or publishing it.
- A reminder that the human is responsible for the work, not the tool.
- A line about who to ask if a staff member is unsure.
That is enough to satisfy due diligence for most SMEs. If you have specific industry regulators (financial services, healthcare, legal) the bar is higher and you should take specific advice.
The honest summary
AI is safe to use for the bulk of small business work, on the right tier, with a short policy and a few clear rules. The risk is not the technology. The risk is using a free consumer tier for sensitive work without thinking about it.
If you would like a hand drafting an AI policy for your business, or you would like to walk through what is and is not OK to put into a tool, that is what a free discovery call is for. The third session of the AI Breakfast Club training also covers data and security in detail with practical exercises. For the broader picture of where to start, the 30-day plan has the structure most small businesses need.