You Trusted Them With Everything. They Trusted AI.
Your accountant, solicitor, family doctor, and financial adviser hold your most sensitive data. AI helps them work faster — but who is making sure your information stays protected?
Think about the professionals you share your most personal information with. Your accountant sees your income, expenses, property portfolio, and pension contributions. Your solicitor holds your property transactions, disputes, and family matters. Your family doctor has decades of notes about your health, prescriptions, and mental wellbeing.
You handed all of that over without a second thought. Not because you read their privacy policy. You handed it over because you trust them. Now consider this: one of those professionals opens a free AI tool, pastes in the details, and gets a polished output in thirty seconds. The work is done. The client is happy. Nobody knows. Except the client’s data just left the building.
The Gap Between Big Corporates and Small Practices
In a large bank or multinational insurer, there is a Chief Information Security Officer, data loss prevention software, and technical controls that can detect when someone pastes sensitive data into an AI tool. In a two-partner law firm? In a small accountancy practice? In a family doctor’s surgery running on skeleton staff? There is none of that.
What Actually Happens When Client Data Enters a Public AI Tool
The data is transmitted to an external server operated by a third party. Depending on the platform, the version, and the settings, that data may be retained. It may be used to improve the model. At minimum, it has left the professional’s control entirely.
In February 2026, a landmark ruling in the United States made this explicit. In US v. Heppner, a federal judge ruled that submitting information to a public AI platform constitutes disclosure to a third party. In the legal context, attorney-client privilege is destroyed the moment the data is entered.
The trust contract between a client and their professional adviser predates AI by decades. The regulatory frameworks are only now beginning to understand what AI does to that contract.
Where the Regulatory Gaps Are Widest
Legal Services
The December 2025 thematic review by the Solicitors Regulation Authority (SRA) found that the majority of the compliance officers it visited could not describe more than half of their existing regulatory obligations. The SRA is preparing a GenAI FAQ document and a Good Practice Note on AI use and client data. Neither has been published yet.
Accountancy and Tax Advisory
The majority of small practices, sole practitioners, and bookkeepers are using consumer AI tools with no formal data protection assessment in place. Under UK GDPR, the practitioner is the data controller. If a breach occurs, the liability sits entirely with the practice.
Healthcare
In June 2025, NHS England’s national chief clinical information officer sent a warning to doctors to stop using AI tools not compliant with NHS governance standards. NHS England paused its own AI project, Foresight, after GP professional bodies discovered that patient data collected for Covid-19 research had been repurposed to train an AI model without their knowledge.
What Needs to Change
For Regulators and Professional Bodies
Principles-based regulation only works with practical, accessible guidance that small practices can actually implement. Regulators need to move faster — with clear, actionable standards defining what tools are acceptable, what data can and cannot be entered, and what disclosures must be made to clients.
For Professionals
If you are using AI in your practice, tell your clients directly. If you are using consumer-grade AI tools for client work, consider switching to enterprise versions with proper data isolation, or strip all identifying details before using AI to assist with a task.
For Clients
Ask the question. The next time you sit with any professional who holds your personal data, ask: are you using AI tools in my case? If so, which ones? Where does my data go? The professionals who welcome the question are the ones who have already thought about the answer.
Sources & Further Reading
LeanLaw | AI Privacy Risks: Protecting Client Data in 2025 | October 2025
US District Court, SDNY | United States v. Heppner, 25 Cr. 503 | February 2026
SRA | Compliance Tips for Solicitors Regarding Use of AI | February 2026
Cybernews | NHS Demands Doctors Stop Using Unapproved AI Software | June 2025
ITPro / DataSnipper | AI Governance in Accounting | 2025