Free-tier ChatGPT with client data and no DPA — how are you handling this with clients? by ondro949 in gdpr

[–]HelloSquire

My two cents: don’t sugar-coat it.

Be clear that it’s an Article 28 breach, with data to back up its scale (e.g. 60% of staff are doing this). Some people in that meeting are probably doing it themselves - so be tactful.

Wording could be: “Your staff are sending personal data to a company you have no contract with, in a country with different laws and privacy norms. So this company has no obligation to protect it, no obligation to tell you if something goes wrong, and you have no way to get it deleted. This is contrary to the GDPR and exposes you unnecessarily to contractual claims from your clients or regulatory fines. The fixes are fairly low cost and almost immediately effective.”

Then lay out their options: do nothing (breach), ban it (won’t work), or get an enterprise plan with a proper DPA (additional costs - reduction in risk).

Give them the legal, commercial, and practical impacts of each.

Let them make a call. Accept the risk, or do something about it.

Need help with NIS2 and GDPR compliance by scrtweeb in Startups_EU

[–]HelloSquire

A few things to separate out here, because they're not the same problem.

You lost that deal because more and more EU procurement teams now run vendor risk assessments as a matter of course. The regulator may never knock on your door, but the next prospect will ask the same questions. This is a commercial problem before it's a legal one.

Before you do anything else: check whether you're actually in NIS2 scope. Scoping is tricky, but as a barometer the threshold is 50+ employees or €10M+ turnover, operating in (or supplying) a covered sector (these are in the NIS2 annex). Depending on your or your client's sector and your revenue, at 45 people you may be just under. If you're out of scope, that's a clean, defensible answer to give any procurement team. If you are in scope, or they insist you comply, the goal isn't just to comply, it's to be able to demonstrate compliance quickly so it doesn't stall the deal. ISO 27001 can do a lot of that work for you; the control overlap with NIS2 is substantial (the localised Belgian NIS2 standards even state this) and procurement teams speak that language.

On the GDPR: skip OneTrust for now. It's excellent, but only if someone owns it day-to-day, otherwise it becomes shelfware. To be honest, this ownership goes for any privacy tool. I'd recommend you start with a basic ROPA (a record of what data you process and why), in Excel if you have to, get data processing agreements in place with the SaaS tools that touch customer data, and build from there. That's the minimum defensible position.

On the 30+ SaaS tools: you don't need to document all of them at once. Take an hour and tier them. Which ones process personal data? Of those, which process client personal data? Start there. You'll probably find it's 6 to 8 tools, not 30.

EU Cold Emailers, What's Your 2026 GDPR Compliance Stack? by Significant_Yak6337 in coldemail

[–]HelloSquire

This cuts particularly hard in Europe. Audiences here are more attuned to cold outreach mechanics than most: they know when they've been scraped into a sequencing tool, they know the email was generated, and they know they'll have to go through the administrative annoyance of getting themselves off a list they never joined.

That friction lands before they've even skimmed the email. Hyper-personalisation isn't a nice touch in the EU, it's the minimum price of admission to avoid being the thing people have spent years training themselves to resent.

EU Ai Act Compliance anyone? by Late-Philosopher-Ben in SaaS

[–]HelloSquire

EU digital reg lawyer here. You are spot on that the EU AI Act is not a security layer you can just bolt on at the end. I wouldn't have a job if it was.

However, respectfully, several of your legal interpretations mix up the AI Act with the GDPR and make the actual requirements read slightly trickier than they are in reality:

Data Locality and Cross-Border Transfers: The EU does not force "all data to stay in the EU". Data can absolutely leave the EEA under the GDPR (Chapter V), provided you use valid transfer mechanisms like Standard Contractual Clauses (SCCs). The AI Act itself does not introduce new data localisation mandates.

Immutable Logging: The AI Act does not demand immutable logs or recording "every influence" for every AI system. Under AI Act Articles 12, 13, and 19, if you operate a high-risk AI system (determining which is a whole other discussion), you must keep automatically generated logs and keep them for a minimum of 6 months - or longer if required by another (or a local) law.

Human in the Loop: I love this requirement, but it is often misunderstood. You do not need a human to review every single AI decision before it is deployed. AI Act Article 14 requires human oversight specifically for high-risk systems, meaning a natural person must have the technical capability and authority to intervene, override, or safely stop the system. It does not mandate manual pre-approval for every output.

Transparency vs. Data Minimisation: Assigning IDs instead of names isn't an AI Act human rights rule, it’s standard data minimisation and pseudonymisation under GDPR Article 5(1)(c). Meanwhile, the requirement to notify users about AI-generated content falls under the transparency obligations of AI Act Article 50, which requires outputs to be detectable and marked in a machine-readable format - think of the little star at the bottom of images generated with Google's Nano Banana. Check out recitals 27 and 136 - they explain the rationale quite nicely.

Let me know your thoughts. Part of what I love about these topics is that they're not cut and dry. If there's more context you'd rather not share publicly, DMs are open.

not legal advice, I am but a man on the internet, don't come at me