The Document Nobody Told You About — And Why That's a Problem
Let me tell you something that keeps me up at night.
Right now, thousands of small business owners, sole traders, therapists, coaches, beauty professionals, and service providers across the UK are using AI tools every single day — tools that are processing their clients' personal data — and they have absolutely no legal agreement in place to govern any of it.
Not because they're careless. Not because they don't care about their clients. But because nobody told them this was a thing they needed.
That's what I want to talk about today. Because I genuinely worry about the people who are going to find this out the hard way.
So — what actually is a DPA?
A Data Processing Agreement. Three words that sound like something you'd only encounter if you had a legal team and a compliance department. In reality, it's something that applies to a sole trader working from their kitchen table just as much as it applies to a corporation.
Here's the plain version. Under UK GDPR — specifically Article 28 — whenever you use a third-party platform or tool to process someone else's personal data on your behalf, you are required by law to have a written agreement with that provider. An agreement that sets out what they can do with the data, how they'll protect it, where it'll be stored, and what happens if something goes wrong.
That's a DPA. And if you are using any AI tool, or any other third-party tool that handles your clients' data (a CRM, a booking platform, a chatbot, transcription software), and you don't have one in place, you are already in breach of Article 28. Before any other issue even arises.
I'm not saying that to frighten you. I'm saying it because it's true, and because the people most at risk of this are the people nobody is having this conversation with.
Why does it actually matter?
Let me put it another way. When you use an AI tool with a client's data — their name, their health information, their financial details, their session notes, whatever it might be — that data leaves your hands. It goes to a server. Probably in the United States. It passes through systems owned and operated by a company you have no direct relationship with, governed by terms and conditions you almost certainly haven't read.
Without a DPA, you have no documented basis for that transfer. You have no record of what you instructed the processor to do. You have no written commitment from them about how that data will be protected, whether it will be used to train their AI models, what happens if there's a breach, or when it will be deleted.
And if a client's data is exposed, misused, or ends up somewhere it shouldn't be — you are the data controller. You are the accountable party. Not the platform. You.
That is what a DPA protects against. It is the written record that you acted with due diligence. It is the evidence that you understood your obligations and took steps to meet them. Without it, you have nothing to point to.
Here's the part that really troubles me
The platforms know this. The big ones absolutely know this.
And here's what many of them do. They offer a DPA, but only on a paid business account. Use the free version, the personal version, the consumer version? No DPA. No data processing protections. No legal agreement. Just consumer terms of service that were written to protect the platform, not you or your clients.
ChatGPT free and Plus accounts — no DPA. You need a Team or Enterprise account. Claude's consumer product — no DPA. You need a business account. Google's personal Gemini — no DPA. Google Workspace for business — yes, with one in place.
This is not a grey area or a technical footnote buried in the small print. It's a structural feature of how these platforms are built and sold. The compliance protections that you are legally required to have are gated behind a paywall. And because most people don't know they need them, most people don't know to ask.
I've seen practitioners who have been inputting detailed client session notes into free AI accounts for months. I've seen beauty professionals using AI skin analysis tools without any idea that the images they're uploading may constitute biometric data under Article 9 of UK GDPR — which carries a significantly higher legal bar than ordinary personal data. I've seen coaches using transcription tools on client calls without the clients' knowledge, which isn't just a data protection issue — under the Regulation of Investigatory Powers Act 2000, that can be a criminal matter.
None of these people are acting with bad intent. They're doing what felt natural, what seemed efficient, what the technology made easy. Nobody handed them a checklist. Nobody walked them through what happens to the data after they press send.
What about the platforms that just... don't have one?
This is where it gets even more uncomfortable. Because it's not just about free versus paid accounts. Some platforms — even ones specifically marketed to professionals — don't have a publicly available DPA at all.
I've reviewed booking platforms used by thousands of practitioners in the UK where no DPA can be found in the published legal documentation. Where the privacy policy appears to have been written for the end consumer, not for the practitioner who is the actual data controller. Where contacting support and asking directly for a DPA under Article 28 UK GDPR produces either silence, confusion, or a generic privacy policy link that doesn't come close to meeting the legal requirement.
If you are using a platform that cannot provide a Data Processing Agreement, you have a problem. Not a theoretical one. A real one that goes to the heart of your compliance position, and one you would have to answer for if a client ever made a subject access request, if a complaint were made to the ICO, or if something went wrong.
The correct response is not to hope it never comes up. The correct response is to either get the DPA in place or stop using the platform for client data until you can.
What you can actually do about this
I'm not going to leave you with the problem and no direction, because that's not useful.
The first thing is simply to make a list of every platform and tool you use that touches client data in any way. Booking systems. CRMs. AI writing or note-taking tools. Video platforms. Email marketing tools. All of it.
For each one: log in to a business account (not a personal or free account), go to their legal documentation, and look for a Data Processing Agreement or Data Processing Addendum. If you can't find it, email their support and ask directly: "Can you provide your Data Processing Agreement under Article 28 UK GDPR? I am a data controller using your platform to process personal data of my clients."
Document what they say. If they provide a DPA, save it and note the date. If they can't or won't — you need to think carefully about whether you continue using that platform for client data, and what your contingency is.
This doesn't need to be a legal project that takes weeks. It needs to be an honest audit of the tools you rely on and the agreements — or absence of agreements — that govern them.
A final thought
I write about these things because I believe that most people, if they understood the actual position they were in, would want to do something about it. The issue is never really knowledge avoidance. It's knowledge absence. Nobody told them.
The AI tools most people are using were designed to be easy to adopt, fast to set up, and seamless to use. The compliance obligations they generate are none of those things. And the gap between the two is where the risk lives — quietly, invisibly, until it isn't.
A DPA is not a bureaucratic exercise. It is a record that you took your clients' data seriously enough to understand where it was going and to put something in writing about it. In a world where data is the thing that gets exposed, misused, and mishandled, that record matters more than most people realise.
Until it's the only thing that matters.
Nothing in this piece constitutes legal advice. If you need to review your data processing agreements or compliance position, please consult a qualified data protection specialist.