Protecting Personal Data When Using AI 

AI is changing how organisations and individuals across the world operate, from drafting employee updates to streamlining customer service. But when AI tools handle personal data, it is everyone's responsibility to understand the legal and ethical implications of using it.

If your business uses AI, even occasionally, it’s vital all employees understand their responsibilities under UK data protection law.

What Is Personal Data, Really? 

Under the UK Data Protection Act, personal data means any information that can identify a living person. That includes: 

  • Names and addresses 
  • National Insurance numbers 
  • Email or phone details 
  • Even an opinion about someone, whether that’s handwritten on paper or generated by AI 

If a piece of information can identify someone on its own, or when combined with other data, it’s protected by law. 

The Hidden Risks of Using AI 

AI tools don’t always show us what’s happening under the bonnet. They may access, store, or repurpose data without making that process visible. Key risks include: 

  • Loss of control: You might not know where your data is processed or stored. 
  • Data leakage: Inputs could be used to train future models, especially if settings aren’t configured correctly. 

Lessons from Recent AI Data Breaches

Samsung & ChatGPT (2023)
Engineers at Samsung inadvertently leaked sensitive source code and internal documentation into ChatGPT while using it to debug code. As a result, Samsung temporarily banned generative AI tools internally. This highlights the risk of entering proprietary or personal data into external AI models without proper governance.

ChatGPT Bug Incident (2023)
OpenAI confirmed a bug that exposed some users’ chat histories and payment data. Although quickly patched, this event demonstrated the real risk of data leakage from even the most prominent platforms.

UK Police Facial Recognition Concerns
Multiple watchdogs have raised concerns over the use of AI-powered facial recognition tools by UK law enforcement without sufficient legal basis, transparency, or oversight – posing risks to privacy and civil liberties.

Practical Steps for Safer AI Use 

To keep your business compliant and build trust with customers and staff, consider these essential actions: 

  • Keep personal data out of prompts: Never enter identifiable information into an AI tool unless it’s absolutely necessary. 
  • Check your AI settings: Many platforms let you disable data storage or reuse. Make sure these are set appropriately. 
  • Choose providers wisely: Stick with platforms that meet UK GDPR standards and are transparent about data handling. 
  • Have a legal basis: Every use of personal data must rest on a lawful foundation (e.g., consent, contract, legal obligation). 
  • Update your policies: Your data protection and AI usage policies should reflect current practices—and be understood by your team. 
  • Plan for subject access: People have a right to know what data you hold on them. Ensure AI outputs can be retrieved if someone makes a request under data laws. 
  • Educate staff continuously: One-off training isn’t enough. Employees need ongoing updates on AI risks, ethics, and data protection obligations.

Final Thoughts 

AI is increasingly becoming an established and powerful tool, but it’s essential to use it responsibly. If you haven’t already, now is the time to develop and implement a Generative AI Policy within your organisation. This will help develop consistency, transparency, and compliance as AI becomes more integrated into your operations. 

How InfoAware Can Help

At InfoAware, we specialise in helping businesses navigate complex regulatory changes through customisable e-learning solutions. Our training courses cover key areas such as data protection, compliance management, and secure data handling, ensuring your workforce is equipped with the knowledge needed to comply with the Data (Use and Access) Bill. Our services include:

We work across sectors – from IT & technology, construction, energy & utilities to charities, healthcare, pharma, public sector, and beyond.

You can contact us via our contact form, or email us at info@infoaware.com.
