Last week, OpenAI CEO Sam Altman made a startling admission that should concern every business owner using AI tools. Speaking on the Theo Von podcast, Altman revealed that ChatGPT conversations have no legal privilege protection and could be subpoenaed in lawsuits. “So if you go talk to ChatGPT about your most sensitive stuff and then there’s like a lawsuit or whatever, we could be required to produce that,” he said.
This comes as The New York Times lawsuit has forced a court order requiring OpenAI to retain all ChatGPT user logs indefinitely – including conversations users thought they’d deleted.
For UK businesses using AI tools for customer analysis, content creation, or strategic planning, this raises a critical question: are you exposing sensitive business information to legal discovery and data breaches?
Check out our AI for Business series. Read about AI-powered customer service tools for more on implementing AI thoughtfully.
ChatGPT Data Retention: The Business Risk You Didn’t Know About
Companies regularly use ChatGPT to draft emails, analyse customer feedback, create marketing content, develop business strategies, and discuss confidential projects. The problem isn’t using AI tools – it’s using them without understanding ChatGPT’s data retention policies and where your business information goes.
Unlike conversations with solicitors, which have legal privilege protection, your business discussions with ChatGPT currently have no such safeguards. Consider what businesses typically share with AI tools: customer lists, financial projections, strategic plans, employee data, supplier information, and competitive analysis. All potentially subject to legal discovery and data breaches.
For UK businesses, there’s also GDPR compliance implications. Inputting customer data or personal information into ChatGPT without proper data processing agreements could constitute a compliance breach. The ICO has been clear that businesses remain responsible for data protection when using third-party AI tools for business operations.
AI Privacy Laws and Data Security: What’s at Stake for UK Businesses
The New York Times lawsuit demonstrates that courts can override AI companies’ data retention policies, potentially exposing years of business conversations to legal discovery. For UK businesses, confidential information shared with ChatGPT could become evidence in unrelated legal proceedings.
The business data security risks include commercial confidentiality being compromised in competitor disputes, client information exposed in regulatory investigations, and strategic discussions becoming public through court filings. Even data you thought was deleted might not be – OpenAI’s policy of deleting conversations after 30 days can be overridden for “legal or security reasons,” and the current court order requires indefinite retention.
This creates significant AI privacy concerns for businesses operating under GDPR, where data retention must be justified and limited. The indefinite storage of business conversations potentially conflicts with data minimisation principles and could expose UK companies to regulatory penalties.
Secure AI Alternatives for Business Data Protection
The solution isn’t avoiding AI tools for business – it’s choosing solutions with proper privacy protections and understanding their data handling limitations.
Zero Data Retention Agreements Both OpenAI and Anthropic offer Zero Data Retention (ZDR) agreements, but these are typically only available to enterprise API customers and must be specifically requested and approved. For standard ChatGPT business users, even with Enterprise plans, conversations are retained unless using temporary chat modes or manual deletion.
Current AI Data Retention Reality
- ChatGPT Free/Plus/Pro: As of April 2024, OpenAI removed the ability to disable chat history, and due to the New York Times lawsuit, even “deleted” conversations are now retained indefinitely
- ChatGPT Enterprise: Currently exempt from the court order requiring indefinite data retention, but still retains business data by default unless administrators configure shorter periods
- OpenAI API with ZDR: Only option that truly avoids data retention for business use, but requires enterprise agreement and approval
- Claude (Consumer): Retains conversations until manually deleted, then removes them within 30 days (unless subject to similar legal orders)
- Claude Enterprise: Offers custom data retention controls and ZDR agreements for API usage
Enterprise AI Solutions Microsoft Copilot for Business and Google Workspace AI include enterprise-level data protection, with business data staying within your organisation’s tenant rather than being used for AI training or retained indefinitely.
AI Security Best Practices for UK Businesses
Classify Your Business Information Before using any AI tool, categorise your information by sensitivity. Public information and general business queries might be suitable for any platform, but confidential data, customer information, and strategic planning should only go to privacy-focused or enterprise solutions with proper data protection.
AI Training and Guidelines Develop clear AI usage policies about what business information can be shared with different AI tools. Many data security breaches happen because employees don’t understand the data retention implications of their AI tool usage.
Data Anonymisation for AI Remove client names, financial figures, and identifying details when possible. This allows AI analysis of business processes while protecting confidential information from data retention and potential legal discovery.
Implementing Secure AI Tools for Your Business
These cutting-edge tools offer tremendous opportunities for business efficiency and innovation when implemented with proper data security considerations. Businesses big and small are harnessing AI’s power, but those that thrive will embrace artificial intelligence while protecting sensitive information and maintaining customer trust through smart governance.
This isn’t about avoiding AI – it’s about using these tools intelligently. Understanding data retention risks, choosing appropriate AI solutions, and implementing proper safeguards allows businesses to harness it’s power while protecting what matters most.
At 37 Digital, we help UK businesses integrate AI tools safely into their operations, from content creation to customer service, while ensuring client confidentiality and compliance with UK data protection requirements. We understand both the opportunities and risks of AI for business.
Ready to implement secure AI tools in your business? Contact us today to discuss how we can help you leverage AI capabilities while protecting your sensitive business information and maintaining GDPR compliance.
