From my perspective, if you have a team of more than five people and you don’t have a governed Ai alternative, this incident will happen to your firm at some point. The question is whether your response is practised or improvised. This playbook condenses what I’ve seen work across UK SME practices.
First hour: identify and preserve
Talk to the staff member calmly and privately. What tool, what data, when, how much, any copies retained. Screen-capture any chat history still available. Apart from this, preserve access to the tool account — don’t let the staff member delete their history yet. Evidence first, remediation second.
Assess data categories. Personal data? Special category? Client financial identifiers? Privileged communications? Medical information? Each category affects the severity.
First 24 hours: assess reportability
Under Article 33 UK GDPR, you have 72 hours to notify the ICO if the breach is likely to result in risk to individuals’ rights and freedoms. Specially for Ai incidents where data may have entered a US-hosted model that trains on user content, conservative position: treat as reportable unless you can confirm otherwise.
Draft an initial report. Notify the affected clients under Article 34 if the breach is likely to result in high risk. Your data protection lead owns this call.
First week: vendor engagement and containment
Submit a data-deletion request to the Ai vendor. OpenAI, Anthropic, Google and xAI all have processes — they just vary in response time and completeness. Document the request and the response. Apart from this, for any content that has entered training data, deletion is typically irreversible in principle but the vendor can remove it from your account.
Roll out the written Ai policy immediately. We’ve published a free Ai policy template for UK SMEs. Every team member signs. Specially, pair with a governed Ai alternative so the policy is easy to follow.
First month: prevent recurrence
The incident usually triggers three durable changes. Written policy, team training, governed Ai tool. The third is the hardest and the most important — if your approved Ai tool is slower than ChatGPT, staff will drift back. The approved tool must be faster, otherwise you’re betting against convenience.
Apart from this, update your breach register with what happened, what you did, what you changed. The register is what the ICO asks to see, and its quality reflects the firm’s Ai-governance maturity.
Other Me
Other Me is the governed alternative UK SMEs adopt to make policy enforcement easy rather than hard. Per-client vaults, SCRS data firewall, tamper-evident audit chain, kill switch on leavers. Built for SMEs page and free 7-day trial, no credit card. Related reading: what happens when an employee pastes client data in ChatGPT.