New Data Order Highlights GDPR Risks with ChatGPT

                        legal updates
                    
                        A US court order now compels OpenAI to indefinitely retain all ChatGPT chats, including those users try to delete. This creates new GDPR compliance challenges for UK dealers using AI tools in their businesses.

Author: Kiril Moskovchuk
Published: July 8, 2025
Reading time: 2 minutes

This article is 1 hour old.

Read our disclaimer

This website content is intended as a general guide to law as it applies to the motor trade. Lawgistics has taken every effort to ensure that the contents are as accurate and up to date as at the date of first publication.

The laws and opinions expressed within this website may be varied as the law develops. As such we cannot accept liability for or the consequence of, any change of law, or official guidelines since publication or any misuse of the information provided.

The opinions in this website are based upon the experience of the authors and it must be recognised that only the courts and recognised tribunals can interpret the law with authority.

Examples given within the website are based on the experience of the authors and centre upon issues that commonly give rise to disputes. Each situation in practice will be different and may comprise several points commented upon.

If you have any doubt about the correct legal position you should seek further legal advice from Lawgistics or a suitably qualified solicitor. We cannot accept liability for your failure to take professional advice where it should reasonably be sought by a prudent person.

All characters are fictitious and should not be taken as referring to any person living or dead.

Use of this website shall be considered acceptance of the terms of the disclaimer presented above.

Using ChatGPT can be convenient for drafting emails or handling customer issues, but dealers should be aware of significant GDPR risks, now heightened by a recent US court order.

This order requires OpenAI to store all ChatGPT conversations indefinitely, even those users attempt to delete, so they can be preserved as potential evidence in a copyright lawsuit. Deleted chats, which would normally be wiped after 30 days, are now kept under legal hold with access restricted to a small legal and security team, but with no clear end date. OpenAI is currently challenging this order in court, arguing that it undermines long standing privacy norms and user expectations.

For UK GDPR purposes, this creates several compliance concerns. It directly conflicts with key principles such as data minimisation (only collecting data necessary for the purpose) and storage limitation (not keeping data longer than needed). It also makes it harder to fulfil data subject rights, particularly the right to erasure, since dealers may no longer be able to ensure that customer data entered into ChatGPT is truly deleted. This means that by feeding personal data into ChatGPT, a dealer could unintentionally cause a GDPR breach simply because OpenAI is now forced to retain that data beyond what GDPR would permit.

Under the UK GDPR, dealers using large language models like ChatGPT also remain responsible for several obligations. They must have a lawful basis for processing personal data, such as legitimate interests balanced against the rights of customers. They must ensure appropriate security measures are in place, including assessing risks posed by sending data to external AI systems. They must also be prepared to report personal data breaches to the ICO within 72 hours, and to demonstrate accountability through measures like documented data protection policies and, where appropriate, conducting a Data Protection Impact Assessment (DPIA).

Given these heightened risks, this development should make dealers carefully consider how ChatGPT or other large language models are used in their business.

Remember, our members have GDPR modules and expert advice available to help manage these risks. If you are unsure how this affects your compliance, contact our legal team at Lawgistics.

HaswentWebsites for dealers small and large

Composer is a next-gen automotive platform that has been designed from the ground up to give you an intuitive way to promote your stock. You have extensive stock management options, and you'll gain a brilliantly responsive new website to advertise your stock, starting at just £39.99/month.

Related Legal Updates

Time to review your privacy policy?

Our members should be aware of whom they are sharing their data with, and ensure any third-party companies are registered with the ICO.

It’s good to talk, so let’s ChatGPT

Goldman Sachs reported in March that AI could replace the equivalent of 300 million jobs worldwide.

Data Protection is real and mistakes can cost your business

Most fines from the ICO are against large companies that send out unsolicited marketing messages.

Do you know what a personal data breach is?

If a security incident has taken place, you should quickly establish whether a personal data breach has occurred. If yes, promptly take steps to address it, including telling the ICO if required. You need to keep a log of any breaches, record the details, and actions taken.

Are you ready for the UK’s data landscape change?

The ramifications for not having the correct policy and procedures in place could be costly, not only by a fine from the ICO for not paying your fee, but also by being reported for data breach

Goodbye 2021, hello 2022!

Despite an excess of 100 different commission claims hitting the Lawgistics’ desks, not one single dealer has had to part with their money.

Used cars – a treasure trove of personal data and a data breach in the making

Modern cars pair with smart phones and other electronic devices via Bluetooth or USB and absorb huge amounts of our personal data.

Get in touch

Complete the form to get in touch or via our details below:

Phone

01480 455500

Address

Vinpenta House
High Causeway
Whittlesey
Peterborough
PE7 1AE

Connect With Us

By submitting this quote you agree to our Terms & Conditions and Privacy & Cookies Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.