← Blog · 2026-05-19 · 8 min read

GDPR-compliant AI tools for UK SMBs — what that actually means

Almost every AI vendor claims to be "GDPR-compliant". Almost none of them explain what that means for you, the customer, who is the data controller for any personal data you put into the tool. This post unpacks what UK GDPR actually requires of an SMB using AI, and gives you a checklist for evaluating vendor claims.

It is written for the IT manager / office manager / MD at a UK SMB. Not for lawyers; not for DPOs at FTSE 100 companies. If you handle client data and you're evaluating an AI tool, this is the floor.

What UK GDPR actually requires

You, as the data controller, must have a lawful basis (Article 6) for processing personal data through any AI tool. For client data, that's usually consent or legitimate interest. The AI tool itself doesn't establish your lawful basis — you do.

You must know who the data processors are in your chain. If you use an AI vendor, they're a processor. If they sub-process to AWS, Microsoft, or another AI provider, those are sub-processors. You should have a Data Processing Agreement (DPA) with the vendor, and they should publish their sub-processor list.

You must apply data minimisation — don't put more personal data into the AI than you need. "Summarise this client matter" probably doesn't need the client's home address pasted in.

For Article 9 special-category data (health, criminal, race, religion, etc.), you need an additional Article 9 basis and usually a DPIA before deployment.

The vendor evaluation checklist

Does the vendor publish a DPA? Walk away if they don't.

Does the vendor publish a sub-processor list? You need to know who else has your data.

Where is the data stored geographically? UK or EU is straightforward; US data transfer needs an adequacy mechanism (currently the UK-US Data Bridge for the US, Standard Contractual Clauses for elsewhere).

Does the vendor train its AI models on your data? Most enterprise tiers say no — get this in writing.

How long is the data retained? Short retention is good; "forever" is a red flag.

What is the audit / log / DLP story? Can you see what your team has put into the tool?

How AI In Your Pocket maps to this

Data location: on your own machine. The AI tool itself runs in your office; conversations are stored locally on a disk you control.

Sub-processors: VantagePoint Networks is not a processor for your conversational data — we never see it. The AI provider you choose (Anthropic in v1.0; OpenAI / OpenRouter / local Ollama in v1.1) is the sub-processor for the AI inference. With local Ollama, there is no sub-processor at all.

DPA: available on the Enterprise tier on request (5 working day lead time). For Self-Install and Managed Install buyers we provide a shorter Data Processing Schedule.

Training: Anthropic contractually does not train on API traffic. OpenAI commercial tiers don't either. Local Ollama doesn't leave your machine.

Retention: you control it. The conversation memory lives on your office machine. Wipe it whenever you want.

When you still need a DPIA

Doing a Data Protection Impact Assessment is required when processing is "likely to result in a high risk to individuals" (UK GDPR Article 35). The ICO's list includes systematic profiling, large-scale Article 9 data processing, and innovative technology — AI is explicitly mentioned.

In plain English: if you're deploying AI to handle medical records, criminal case files, immigration cases, or anything involving large volumes of identifiable personal data about clients, do a DPIA. The ICO has a free template at ico.org.uk.

For drafting client letters from your own bullet-point notes, summarising public documents, or internal research, a DPIA is not normally required.

The honest bottom line

"GDPR-compliant" is not a vendor property — it's an outcome you achieve by combining a sensibly-built tool with sensibly-built processes inside your firm. The tool helps by keeping data on your machine, publishing a DPA, and not training on your conversations. The firm helps by minimising what gets pasted in, reviewing AI output before issue, and not using AI for things a DPIA would have flagged.

For a sector-specific compliance view, see /for/[your-sector] from the homepage.

Ready to look at the product?

Self-Install from £1,997 or Managed Install at £3,497. One-off, not per-seat.

See pricing →

Other posts.

The honest ChatGPT alternative for UK law firms
UK solicitors keep being told to "just use ChatGPT Team". Then someone reads the SRA confidentiality rules. Here is the honest comparison.
A cheaper Microsoft Copilot alternative for UK SMBs
Copilot is £24.70/user/month forever. For a 25-person firm that's £7,400/year forever. Here's when an alternative actually pays off.
AI that actually remembers — and why ChatGPT memory isn't the same thing
ChatGPT memory is opaque, capped, and account-wide. Real per-user persistent memory for a team is a different shape. Here is the honest take.