
How to Use ChatGPT in a Regulated Industry Without Breaching Data Policies

Executives in regulated industries face a specific tension around AI tools: the productivity benefits are obvious, but the data governance implications of using consumer AI tools with regulated data are severe. Financial services, healthcare, and legal sectors operate under frameworks (FCA, PRA, CQC, SRA, UK GDPR, professional privilege) that make the data handling terms of consumer AI tools incompatible with regulated practice. This guide identifies the specific choices and configurations that allow regulated industry executives to use AI tools effectively within their governance obligations.

01 Why consumer ChatGPT is the wrong tool

The fundamental problem with using chat.openai.com for regulated business data is that the consumer terms of service are designed for general use, not for regulated industries. Key issues:

Data training: OpenAI's consumer terms previously permitted use of submitted data for model training; even where this has been modified, the terms remain less protective than enterprise data processing agreements.

Data residency: consumer ChatGPT does not provide contractual data residency commitments. For UK regulated entities, data residency in the UK or EEA with appropriate transfer protections is often a compliance requirement.

Audit trails: consumer ChatGPT does not provide the audit logging and data access records that regulated entities are required to maintain.

Regulator expectations: the FCA and PRA have both signalled that regulated firms using AI tools must be able to demonstrate appropriate governance and data protection. Using consumer tools with client or regulatory data cannot be adequately governed.

02 Enterprise ChatGPT options with appropriate data protection

OpenAI provides enterprise-tier access to its models through two channels that are materially better for regulated industries:

ChatGPT Enterprise: OpenAI's direct enterprise product provides a data processing agreement (DPA) confirming that customer data is not used for model training, together with admin controls, audit logging, and higher security standards than the consumer product. It does not yet provide contractual data residency in the UK or EEA.

Azure OpenAI Service: Microsoft makes OpenAI models (GPT-4, GPT-4o, o1) available through Azure with full Microsoft enterprise data protection commitments: contractual GDPR compliance, UK and EEA data residency options, enterprise audit logging, and the full Microsoft data processing framework. For most regulated UK enterprises, Azure OpenAI is the appropriate path to GPT-class AI capability.

For executives in regulated industries, the practical recommendation is to access ChatGPT-class AI through Azure OpenAI rather than through OpenAI's consumer or standard enterprise products.

03 Usage guidelines for regulated industry AI

Even with enterprise tools and appropriate data protection terms, regulated industry executives need specific usage guidelines.

Client personal data: under UK GDPR, using client personal data with an AI tool requires a legal basis and, where the AI provider is acting as a data processor, a data processing agreement. Confirm the DPA is in place before using client personal data with any AI tool.

Professional privilege: in legal contexts, sending privileged communications to an AI tool, even an enterprise-tier one, may affect privilege. Legal teams should take advice on this before developing workflows involving privileged materials.

FCA and PRA model risk guidance: the FCA has published guidance that AI systems used in material financial services decisions are subject to model risk management obligations, including validation, documentation, and ongoing monitoring. AI tools used for investment analysis, credit decisions, or other regulated activities are within scope.

Record-keeping obligations: communications with clients and regulatory submissions must be recorded. If AI assists in drafting these, the governance of that assistance must be documented.

04 Building a compliant AI workflow

For regulated industry executives, the practical path to compliant AI use:

Step 1: identify which AI tools are approved under your firm's AI governance policy. If no policy exists, this is the first priority.

Step 2: use only approved enterprise-tier tools (Microsoft 365 Copilot, Azure OpenAI-based applications, ChatGPT Enterprise with DPA) for business data.

Step 3: categorise your AI use cases by data sensitivity: non-client work with no personal data (lowest risk); internal analysis without client data (moderate risk, manageable with enterprise tools); client-facing or client data use (higher risk, requires explicit governance).

Step 4: ensure audit logging is configured for AI tool use in regulated workflows, to demonstrate appropriate oversight to regulators if required.

Step 5: brief your compliance and legal teams on the AI use cases your team is developing, so that regulatory implications can be assessed proactively rather than reactively.

Key Takeaways

  1. Consumer ChatGPT is incompatible with regulated industry data governance: insufficient data processing protections, no contractual data residency, inadequate audit logging.
  2. Azure OpenAI is the preferred path to GPT-class AI for UK regulated entities: full Microsoft enterprise data protection, UK/EEA data residency options, audit logging.
  3. Client personal data requires a UK GDPR legal basis and a DPA with the AI provider before use; professional privilege implications require legal advice.
  4. FCA and PRA model risk obligations apply to AI used in material financial services decisions; documentation, validation, and monitoring requirements apply.
  5. Compliant workflow: use only approved enterprise tools, categorise use cases by data sensitivity, configure audit logging, and brief compliance and legal teams proactively.

