5 confidentiality & data protection risks that businesses face when using public AI tools
We explain why uncontrolled use of public AI tools creates real confidentiality and data protection risks and outline how you can manage them safely.
5 confidentiality & data protection risks that businesses face when using public AI tools
AuthorsPaddy FearnonMatt BrownEleanore Beard
7 min read
Most businesses would never allow a competitor — or a complete stranger — to walk into their office, sit at a spare desk and start reading confidential contracts, pricing models or client files.
Every day, however, well‑meaning employees are doing something surprisingly similar by uploading contracts, internal emails, commercial terms and other sensitive documents into publicly available artificial intelligence (AI) tools like ChatGPT, Claude, Perplexity and Gemini. This is often done without fully appreciating what happens to that information next.
Here Paddy Fearnon, Matt Brown and Eleanore Beard explain why uncontrolled use of public AI tools creates real confidentiality and data protection risks and outline how businesses can apply familiar governance principles to manage them safely.
What do we mean by ‘public AI tools’ & ‘enterprise AI tools’?
Not all AI tools operate in the same way — and this distinction matters.
- Public AI tools are consumer facing platforms that operate outside your organisation’s IT and security environment. Information uploaded into these tools is processed on external systems, subject to the provider’s terms of use and outside your direct control.
- Enterprise AI tools, by contrast, are designed to operate within an organisation’s secure environment, applying existing access controls, confidentiality protections and data handling rules.
Many AI related risks arise when businesses fail to distinguish between the two and treat all AI tools as interchangeable.
Why uncontrolled use of public AI tools creates risk
1. They remove your ability to control where confidential data goes
Public AI tools don’t recognise confidentiality labels, NDAs or contractual restrictions. They treat anything provided by a user as input data.
Many providers make clear that content may be stored, reviewed or used to improve their systems. Once confidential material leaves your environment and is uploaded into a public AI platform, you lose meaningful control over how long it’s retained, where it’s stored or how it may be reused.
For businesses that rely on confidentiality as a competitive advantage, this creates an obvious risk.
If you wouldn’t show a document to a competitor, you shouldn’t upload it into a public AI tool.
2. They can unintentionally undermine patentability & novelty
Confidentiality isn’t just a contractual or data protection issue — it also underpins how businesses protect and monetise their intellectual property (IP), particularly where businesses are developing new products, processes or technical solutions.
For an invention to be patentable, it must be novel. In broad terms, that means it must not have been made available to the public before a patent application is filed. Uploading technical concepts, design details or development discussions into a public AI tool can amount to an uncontrolled disclosure, even where there’s no intention to publish or share that information more widely.
Once information has been shared outside the organisation’s secure environment, it may be difficult to evidence that it remained confidential. This can create a real risk that novelty is lost, potentially preventing patent protection altogether or weakening a business’s position in later patent disputes.
This risk is easy to overlook where AI tools are used informally to sense‑check ideas, refine technical descriptions or brainstorm improvements during early‑stage development. However, those early discussions are often the most sensitive from a patentability standpoint.
3. They expose sensitive information even when AI use is passive
Importantly, these risks aren’t limited to deliberate uploads of documents or typed prompts.
AI is increasingly embedded into day‑to‑day tools and devices in ways that can capture, process or transmit information automatically, sometimes without users giving much thought to where that information is going.
Examples include:
- Free AI transcription or note‑taking tools used to record or summarise meetings outside approved systems.
- Wearable technology or smart devices using always‑on AI that may capture confidential conversations.
If confidential discussions, legal advice or strategic conversations are processed using public AI services in this way, organisations may inadvertently waive legal professional privilege, breach confidentiality obligations or lose control over commercially sensitive information — even where no one intended to share anything externally.
From a governance perspective, this highlights that AI risk isn’t just about which tools employees actively choose to use but also about understanding where AI is operating in the background, what data it’s exposed to and whether that processing takes place inside or outside the organisation’s controlled environment.
4. They bypass existing governance, training & security safeguards
Most organisations already have policies covering:
- Confidential information
- Acceptable use of systems.
- Information security.
What’s changed is how easy it is for individuals to bypass those controls unintentionally. AI systems such as ChatGPT feel informal, helpful and low‑risk. That lowers the level of caution people would normally apply to emails or file sharing.
As a result, AI risk is less about malicious behaviour and more about:
- Staff awareness.
- Training.
- Clear internal guidance.
- Governance around approved tools and permitted use cases.
5. They create legal & regulatory exposure under confidentiality & data protection laws
Uploading confidential material into public AI tools can have legal consequences.
From a UK perspective, this can cut across:
- Confidentiality obligations owed to clients, partners or counterparties.
- Contractual restrictions on use and disclosure of information.
- UK GDPR obligations, which require organisations to process personal data securely and using appropriate technical and organisational measures.
If sensitive personal data or client information is uploaded into a public AI tool without proper safeguards, it may be difficult to demonstrate compliance with these obligations if challenged by regulators or counterparties.
How confidentiality can be lost
In practice, businesses have faced situations where employees — seeking help to summarise or ‘sanity check’ documents — uploaded draft commercial agreements into public AI tools.
Those agreements included:
- Pricing structures.
- Negotiation positions.
- Commercially sensitive clauses.
No cyber-attack occurred and no system was breached. However, control over that information was lost the moment it left the organisation’s secure environment.
This type of risk is difficult to detect, almost impossible to reverse and easy to overlook until it becomes a serious problem.
How to decide what’s safe to share with AI tools
A simple sense‑check can help to guide AI use:
- Would you be comfortable emailing this information to a competitor?
- Would you be comfortable publishing it publicly?
- Would you be comfortable losing control over where it's stored or reused?
If the answer is no, it shouldn’t be uploaded into a public AI tool.
Three practical steps to reduce AI confidentiality risk
Most businesses don’t need to ban AI outright.
Sensible mitigation steps include:
- Developing a clear AI use policy: set out what types of information must never be uploaded into public AI tools.
- Training staff on safe AI use: help teams to understand the difference between public and enterprise AI tools and the risks involved.
- Using approved enterprise AI solutions where appropriate: where AI is used for business purposes, ensure that it operates within your organisation’s security and data protection framework.
These steps mirror existing approaches to data security and confidentiality. AI doesn’t require an entirely new rulebook, just careful application of existing principles.
What this means for your business
AI can be a powerful productivity tool. Used properly, it can save time and support better decision making across a business.
However, treating public AI systems as a safe place for confidential information is the digital equivalent of leaving your filing cabinets unlocked in reception.
The organisations that manage AI risk successfully won’t be those that ban AI altogether but those that apply the same confidentiality and governance standards to AI that they already apply everywhere else.
Talk to us
If your business is using — or considering using — AI tools and you’re unsure whether your current policies, training and controls are fit for purpose, our cybersecurity and data protection team can help.
We advise organisations on AI governance, confidentiality risk and information security, helping you to adopt new technology without undermining existing safeguards.
To discuss how this applies to your organisation, talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form below.
Paddy Fearnon
Paddy is a Trainee Solicitor in our commercial and intellectual property team.
Read more
Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.
Read more
Talk to us
Loading form...
Related insights
DUA: data protection complaints process explained & how to prepare
We delve into the key changes coming into force on 19 June 2026 and explain how businesses should prepare.
Data centres under attack — what Iran’s strikes mean for UK businesses & how to respond
We explore the implications of the attacks for UK businesses and outline the practical measures that can help to mitigate similar disruption.
Deepfakes & AI fraud — what retailers need to know about the new digital battlefield
We explore why retailers are particularly affected by deepfakes and the implications around data protection, IP, advertising compliance and more.
Implementing AI at work — your legal obligations
We explore how AI is transforming data protection, the risks that organisations now face and what effective compliance looks like today.
Reddit’s £14.47m ICO fine — what UK businesses need to do as child protection enforcement ramps up
We break down what the ICO found and outline three key steps that UK businesses should take now.
Am I a data controller? GDPR for social media users explained
We look at the UK GDPR and the Data Protection Act 2018 and outline how the GDPR can apply to both organisations and individuals as data controllers.
The Digital Omnibus — proposed key changes to EU data protection obligations
We break down the key proposed reforms in the Digital Omnibus Package and outline what businesses should do to prepare.
Data Protection FAQs
Find answers to our most frequently asked questions about data protection and privacy from our lawyers.
2026 horizon scan — key legal & regulatory changes ahead
We explore the key developments that in-house lawyers should have on their radar and what they mean for your organisation in the year ahead.
Jaguar Land Rover cyber‑attack — protecting your workforce during digital disruption
We explain the impact of the cyber-attack on JLR's workforce and outline what to do to protect your business and minimise the impact if an incident occurs.
Cyber-attacks — 8 essential steps to strengthen your response before it’s too late
We outline eight key steps to put your organisation in the strongest position for a prompt and effective response to any cyber-attack.
Data (Use and Access) Act 2025 — how opt-in rules are changing for charities
We explore how charities will need to manage their marketing activities and supporter consent once the secondary legislation takes effect.
Capita’s £14m data breach fine — a wake-up call for UK organisations
We explore how weak cybersecurity and slow responses can trigger major data breaches and resulting ICO fines.
The EU Data Act — a new era for data governance in Europe
The EU Data Act is a regulation designed to reshape the European data economy by establishing harmonised rules for data access, sharing and portability.
DUA — how to prepare for the UK’s new data privacy regime
Designed to amend the UK’s existing data privacy regime, the DUA Act will affect the UK GDPR, PECR and the Data Protection Act 2018.
M&S, Co-op & Harrods cyber-attacks — key cybersecurity lessons for retailers
We delve further into cyber attacks on three major retailers and outline five key steps to take in any cyber-attack preparedness and response plan.
Apple & Meta handed first EU Commission non-compliance decisions under the Digital Marketing Act
The EU Commission handed out fines of €500m and €200m to Apple and Meta respectively. We outline each fine and the legality of 'consent or pay' models.
Data Protection Day — DUA and other legal developments coming in 2025
Prevention is always better than cure. Assess your compliance with data protection law and the changes that could lie ahead in the year to come.
Transgender athlete participation — navigating data protection laws when collecting sensitive personal data
Athletes might be asked to provide highly sensitive forms of personal data when competing. Here's eight steps to comply with data protection legislation.
Spotify Wrapped — 5 top tips for companies to ensure data privacy in viral marketing campaigns
We explore the evolution of Spotify Wrapped and present five top tips for companies looking to use personal data for viral marketing campaigns.
AI and GDPR — key compliance considerations when buying and using AI tools
The EU Artificial Intelligence Act is here and brings a number of considerations as to how businesses manage personal data, GDPR compliance and privacy policies.
AI at Paris 2024 — how the Olympic Games set the gold standard for sports technology
The use of AI and technology in sporting events is ever-growing — and the Paris 2024 Olympic Games were no exception.
Biometrics — TEN key steps for businesses to comply with data protection rules
Data protection specialist outlines the ten key steps that any organisation should follow when using biometrics.
Data Protection Day 2024 — How your business can keep up with evolving regulations
Organisations must regularly assess and prioritise their data protection practices to remain compliant with legislation.