Is It Safe for Freelancers to Use AI With Client Data?
Not without care: a freelancer who pastes client data into AI becomes the data controller under the GDPR, with no size exemption. The risks and the fix.
Not without care. As a freelancer, you can use AI every day. But the moment you paste client data into it, the risk becomes real. Under data protection law, you are the data controller. Not your client. Not the AI provider. You. The law grants no exemption for the self-employed. You owe a lawful basis, transparency and security. And pasting a client's contract can breach its confidentiality clause. The fix is one word: anonymize before you send.
Solo or not, you're the data controller
Data protection law sets no size threshold. A freelancer or sole trader who handles personal data usually acts as a “data controller.” A client's name, an email, an invoice, an order form — those are personal data. The UK regulator, the Information Commissioner's Office (ICO), is clear. There's no exemption for sole traders or micro-businesses. You carry the same core duties as a large company.
Being a data controller means one simple thing. You must comply with the law, and be able to prove it. That's the accountability principle in Article 5 of the GDPR. You must also put appropriate technical and organisational measures in place to keep the data secure. In the UK, the UK GDPR (the British version of the GDPR after Brexit) and the Data Protection Act 2018 set these rules. In the EU, the EU General Data Protection Regulation (GDPR) does the same.
What the law expects of you
First, a lawful basis. Before you process personal data, you must pick a valid one. The GDPR sets out six: consent, performance of a contract, a legal obligation, vital interests, a public-interest task, and legitimate interests. The European Data Protection Board (EDPB) spells this out in its guide for small businesses. You must identify your basis before you start, not after.
Next, transparency. People must know how you use their data. That's the point of Articles 13 and 14 of the GDPR (the information you must provide). You have to state the purposes, your identity, the categories of data, the recipients and people's rights. If you rely on consent, it must be freely given, specific, informed and unambiguous. A clear affirmative action, in other words. No pre-ticked boxes. And the person can withdraw it at any time.
Now a practical point people often miss. As a self-employed controller, you generally must register with the ICO and pay the annual data protection fee, unless a valid exemption applies. And penalties don't scale with your size. The ICO can impose fines up to £17 million (€20 million), or 4% of global annual turnover — whichever is higher. That ceiling applies even to a very small business.
The confidentiality clause you might breach
There's a quieter risk than a fine. Many client engagements include a confidentiality clause, or a non-disclosure agreement (an NDA). That clause bars you from sharing confidential information with third parties. But pasting a client's confidential document into a public AI tool sends that information to an outside provider. A provider the clause does not cover. And the unauthorised disclosure alone can be the breach. It doesn't matter whether the tool later stores or shares the content.
Free or consumer versions of AI tools don't carry the guarantees of an enterprise offering. Those guarantees are negotiated in a contract. In consumer versions, your inputs may be retained or reviewed and, unless you have turned that setting off, used to improve the model. A solo freelancer lacks the contractual coverage of an enterprise agreement. Here's another key rule. When a third-party service processes data on your behalf — cloud storage, a mailing tool, an online platform — you must have a written contract. That's the requirement in Article 28 of the UK GDPR (controller–processor contracts).
| You assume | The reality |
|---|---|
| “I'm too small for the GDPR” | No size threshold: a freelancer is a data controller |
| “The AI is responsible for the data” | The controller is you, from the moment you enter it |
| “Pasting a document is harmless” | It can breach the client's confidentiality clause |
| “My consumer account covers me” | No Article 28 contract, no enterprise guarantee |
- Never paste a document under NDA without anonymizing it first.
- Send only what's strictly needed, not the whole file.
- Check your lawful basis and inform your clients.
- Register with the ICO and pay the fee if it applies to you.
The fix: anonymize before you send
Good news: you don't have to choose between speed and safety. The fix is one step. Anonymize client data before you send it to the AI. Replace each name, email or number with a reversible token. The AI works on the anonymized text. You restore the real values on your side afterward. You keep the speed. You protect the client. And you shrink your GDPR exposure.
1. Spot the client data in your text.
2. Replace it with reversible tokens, in the browser.
3. Send only the anonymized text to the AI.
4. Restore the real values in the reply, locally.
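As an added illustration of the four steps (example code written for this page, not ONYRI's engine): emails and phone numbers are found by regex, client names come from a list the caller supplies, the token-to-value mapping stays in the browser, and a pre-send check refuses text that still matches a pattern. Regex patterns, token format and the sample prompt are all assumptions constructed here.

```javascript
// Added example, not ONYRI's code: a minimal reversible tokenizer for the browser side.
// Emails and phone numbers are found by regex; client names come from a list the caller
// supplies, because names cannot be detected reliably by pattern alone.
const PATTERNS = [
  { type: "EMAIL", re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  { type: "PHONE", re: /\+?\d[\d\s-]{6,}\d/g },
];
const TOKEN_RE = /\[[A-Z]+_\d+\]/g;

// Steps 1 and 2: detect client data and replace each value with a token such as [EMAIL_1].
// The mapping (token -> real value) is returned to the caller and is never sent anywhere.
function anonymize(text, knownNames = []) {
  const mapping = new Map();
  const counters = {};
  const tokenFor = (type, value) => {
    for (const [tok, val] of mapping) if (val === value) return tok; // same value, same token
    counters[type] = (counters[type] || 0) + 1;
    const tok = `[${type}_${counters[type]}]`;
    mapping.set(tok, value);
    return tok;
  };
  let out = text;
  for (const { type, re } of PATTERNS) out = out.replace(re, (m) => tokenFor(type, m));
  // Longest name first, so "Ana Lopez" is tokenized before a shorter "Ana" could split it.
  for (const name of [...knownNames].sort((a, b) => b.length - a.length)) {
    const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    out = out.replace(new RegExp(escaped, "g"), (m) => tokenFor("NAME", m));
  }
  return { text: out, mapping };
}

// Step 3 check: refuse to send if any pattern still matches (an unusual format slipped through).
function containsSensitive(text) {
  return PATTERNS.some(({ re }) => new RegExp(re.source).test(text));
}

// Step 4: put the real values back into the model's reply, locally. Unknown tokens are left alone.
function restore(reply, mapping) {
  return reply.replace(TOKEN_RE, (tok) => mapping.get(tok) ?? tok);
}

// Constructed sample prompt with fictional client data, not taken from any real engagement.
const SAMPLE_PROMPT =
  "Summarise this: Ana Lopez (ana.lopez@example.com, +44 20 7946 0000) signed the NDA. " +
  "Contact Ana Lopez before invoicing.";
const { text: safePrompt, mapping } = anonymize(SAMPLE_PROMPT, ["Ana Lopez"]);
console.log(safePrompt); // only this string goes to the AI
console.log(restore("[NAME_1] can be reached at [EMAIL_1].", mapping));
```

The name list is the weak point: anything not on it and not matching a pattern goes through in the clear, which is why the pre-send check is worth keeping.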
That's what ONYRI Sanitize is for. The engine detects sensitive data and replaces it with reversible tokens before sending. Detection and the mapping stay in your browser. Only anonymized text reaches the model. The AI sees only tokens — not your clients' identities. You work fast, and the confidentiality agreement stays intact.
Frequently asked questions
- Is it safe for freelancers to use AI with client data?
- Only if you don't paste that data in the clear. As a freelancer you are a data controller under the GDPR, with no exemption for your size. You owe a lawful basis, transparency and security. And a document under a confidentiality clause can breach the contract. The fix: anonymize client data before you send it.
- Does a freelancer need to register with the ICO?
- In the UK, usually yes. A self-employed person who processes personal data as a controller generally must register with the ICO and pay the annual fee, unless a valid exemption applies. Penalties don't scale with size: they reach up to £17 million, or 4% of global annual turnover.
- Does pasting a client contract into ChatGPT breach confidentiality?
- It can be enough. If the contract holds a confidentiality clause or an NDA, pasting it into a public AI tool sends the information to an uncovered third party. The unauthorised disclosure alone can be the breach, even if the tool stores nothing afterward. Anonymizing the document before you send it avoids that risk.
Sources & references
- New data protection self-assessment checklist for sole traders (no size threshold; controller obligations and penalties) — Information Commissioner's Office (ICO)
- Process personal data lawfully — data protection guide for small business (the six lawful bases, transparency and consent) — European Data Protection Board (EDPB)
- What are “controllers” and “processors”? (the data-controller role and the Article 28 written contract) — Information Commissioner's Office (ICO)
Keep your sensitive data in your browser
ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.