What your staff must never paste into ChatGPT — a UAE reality check
Right now, without asking anyone, someone on your team is probably pasting a customer's name, phone number, or medical detail into ChatGPT to "just draft a quick reply." They're not being reckless. They're being helpful. And in the UAE, that helpful habit is a real exposure.
The habit is already everywhere
This isn't hypothetical. Microsoft found 78% of AI users bring their own AI tools to work — higher, 80%, at small and mid-sized companies (Microsoft, 2024). Salesforce found more than half of employees using generative AI at work are using unapproved tools. It has a name — shadow AI — and it's not free: IBM's 2025 breach research found one in five organisations reported a breach tied to shadow AI, and that heavy shadow-AI use added an average of $670,000 to breach costs (IBM, 2025).
Why the UAE makes this sharper
The UAE's Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) sets the rules for handling personal data. Two things make AI tools a specific concern:
- Consent is usually the basis. You generally need clear, specific consent — or another lawful basis under the PDPL — to process someone's personal data. A customer who gave you their number to book a table almost certainly didn't agree to it being fed into a third-party AI system.
- Sending data abroad is a regulated transfer. Most AI tools process your prompts on servers outside the UAE. Under the PDPL, moving personal data to a country without a recognised adequate-protection standard needs a proper legal basis or safeguards. Pasting a customer's details into a consumer AI tool is, quietly, a cross-border transfer — usually with none of those safeguards in place. (Summarised from public legal guidance; Al Tamimi, DLA Piper — not legal advice.)
Add the practical obligations — data-subject rights, a breach-notification duty, and a Data Protection Officer requirement for higher-risk processing — and "just paste it into ChatGPT" stops being harmless.
The simple rule: green, yellow, red
You don't need a legal department. You need one page your staff can actually follow.
Print it. Put it by the till, in the clinic back office, in the staff group. That single page is most of your risk gone.
Not all AI tools are equal
Here's the part that's genuinely reassuring: the business versions of the major AI tools are generally much safer than the free consumer apps — if you use them correctly.
Under Anthropic's commercial terms, for example, the customer "retains all rights to its Inputs" and "owns its Outputs," and "Anthropic may not train models on Customer Content" (Anthropic Commercial Terms). Other major providers publish comparable no-training defaults on their business and API tiers (confirm each vendor's current terms). The exposure isn't "AI" — it's the free consumer app with no agreement behind it, fed red-category data by a well-meaning employee.
What to actually do
- Find out what's already in use. You can't govern what you can't see — a 20-minute audit usually surprises the owner.
- Write the one-page green/yellow/red rule and brief the team once.
- Move sanctioned work onto business-tier tools with proper terms, and redact red data before it ever hits a prompt.
That's the whole fix. It's cheap, it's fast, and it turns your biggest AI risk into a competitive advantage — because your competitors haven't done it.
Our AI Reality Check includes exactly this data-risk flag — one week, fixed price, money-back. We find what your team is already doing and hand you the one rule that closes the gap.