Claude GDPR UK questions land on every IT manager’s desk the moment a team wants to paste real customer data into Anthropic’s chatbot, and the honest answer is that adoption is allowable but conditional. Anthropic is a US company, Claude’s first-party storage still sits in the United States, and UK data protection law treats any personal data you feed an American processor as a restricted international transfer. None of that blocks a British SME from using Claude. It does mean you have paperwork, plan choices and a couple of settings to get right before the first prompt, and this guide walks through exactly what to check.

- Anthropic’s Commercial Terms of Service state plainly that “Anthropic may not train models on Customer Content from Services”, so API, Team and Enterprise inputs are not used to improve Claude by default.
- Consumer plans (Free, Pro, Max) only feed model training if you opt in, get flagged for safety review, or join a tester programme, per Anthropic’s privacy centre; feedback can be retained for up to five years.
- The Claude API deletes inputs and outputs within 30 days by default, and Zero Data Retention can be arranged for organisations that need it, according to Anthropic’s data retention documentation.
- Anthropic’s first-party workspace storage is US-only today; EU data residency runs through AWS Bedrock (Frankfurt, Ireland, Stockholm), Google’s Vertex AI (europe-west1) or Microsoft Foundry.
- The ICO’s updated international transfer rules took effect on 5 February 2026, requiring a transfer risk assessment plus a safeguard such as the UK IDTA or Addendum for restricted transfers.

Why Claude GDPR UK compliance starts with the plan you pick
The single biggest determinant of your data protection position is not a setting buried in a menu, it is which tier you buy. Anthropic draws a hard line between consumer and commercial products, and that line decides whether your prompts can ever touch a training run. Anthropic’s Commercial Terms of Service say it in one sentence: “Anthropic may not train models on Customer Content from Services.” That covers the Claude API, Claude Team and Claude Enterprise. If you are pasting client records, financial data or anything identifying real people, a commercial plan is the only sensible starting point, and our view is that an SME should treat the free consumer app as off-limits for genuine business data from day one.

Consumer plans behave differently. Anthropic’s privacy centre explains that data from Free, Pro and Max accounts is only used to improve Claude if you opt in through Privacy Settings, if a conversation is flagged for safety review, or if you join a programme such as Trusted Tester. Incognito chats are excluded from model improvement entirely. That is a reasonable default for a curious individual, but it is the wrong footing for a company, because a single employee toggling the wrong switch could expose customer data to a training pipeline. The cleaner path is a commercial contract where that risk is removed by the terms themselves rather than by trusting every user to leave a setting alone. If you want the wider cost picture before committing, our breakdown of Claude UK pricing lays out each tier in pounds.

How UK GDPR treats Claude as a data processor
Under UK GDPR your business is the data controller and Anthropic is a processor acting on your instructions. That relationship has to be papered with a written data processing agreement under Article 28, setting out the purpose of processing, the categories of data, security measures and the rules on sub-processors. Anthropic provides commercial terms and a data processing addendum for business customers, and you should have that signed before any personal data goes near a prompt. Skipping the DPA is the most common mistake we see, and it is the one an ICO investigator will spot first. For regulated firms the bar is higher still, and our guidance for UK solicitors and UK accountants goes through the profession-specific duties.
The processor relationship also means you carry the accountability. You decide what data is fair to send, you set the retention, and you answer to data subjects if something goes wrong. Anthropic gives you the controls, but the ICO holds you responsible for using them. That is why a clear internal policy on what staff may and may not paste into Claude matters as much as the contract. Name the data categories that are banned outright, such as health records or anything special category, and the ones allowed only in redacted form.

Where Anthropic actually processes your data
Data residency is where most UK adoption plans hit friction. Anthropic’s own documentation is candid: the first-party Claude API offers an inference geography setting of “us” or “global”, but workspace storage at rest is US-only today. In plain terms, if you go straight to Anthropic, your data is processed and stored in the United States. That is a restricted transfer under UK GDPR, and it is allowed, but only with a lawful transfer mechanism in place. The 1.1x pricing premium for US-only inference on newer models is a separate cost consideration, not a compliance fix.
If you need data to stay inside Europe, the route is to run Claude through a cloud partner rather than Anthropic directly. AWS Bedrock offers Claude in EU regions including Frankfurt, Ireland and Stockholm; Google’s Vertex AI offers a europe-west1 endpoint; and Microsoft Foundry is bringing EU hosting through 2026. On those platforms the cloud provider operates the infrastructure under its own data processing agreement, which is how a privacy-conscious UK firm keeps inference and storage on European soil. For many SMEs already on AWS or Google Cloud, this is the path of least resistance, and the wider partner picture is covered in our piece on the Anthropic, AWS and Accenture enterprise deal. The trade-off is added setup and a second vendor relationship to govern, so weigh it against how sensitive your data really is.

International transfers and the paperwork the ICO expects
Because there is no current UK adequacy decision that simply waves Claude’s US processing through, you need a recognised safeguard. For most SMEs that means the UK International Data Transfer Agreement, the IDTA, or the UK Addendum bolted onto the EU standard contractual clauses. The ICO updated its international transfer guidance on 15 January 2026, and the new rules under the Data (Use and Access) Act 2025 took effect from 5 February 2026. A central change is that you must complete a transfer risk assessment, a TRA, demonstrating the safeguard gives data the protection UK law requires before you rely on it. According to the ICO’s guidance, that assessment is now a documented step, not an optional extra.
In practice the chain looks like this: sign Anthropic’s data processing addendum, attach the IDTA or Addendum for the US transfer, complete and file your TRA, and keep all three where your DPO or a regulator can find them. If you route through AWS, Google or Microsoft in an EU region, the transfer question shrinks because the data stays in Europe, though you still need the underlying processor agreements. Either way, the documentation is the difference between a defensible position and a fine. We would not let a single real customer record touch Claude before this file exists.

When a DPIA is mandatory before you switch Claude on
A data protection impact assessment is not bureaucratic box-ticking for AI tools, it is a legal requirement in the cases that matter most. Article 35 of UK GDPR demands a DPIA before any processing likely to result in high risk to people’s rights, and the ICO’s AI guidance confirms that large-scale or novel AI processing usually falls inside that test. If Claude will touch special category data, profile individuals, or make decisions that affect them, assume a DPIA is mandatory and complete it before go-live, not after. The assessment forces you to write down what data flows where, why the processing is necessary and proportionate, and how you will mitigate the risks.
Even where a DPIA is not strictly required, doing a lightweight version is good discipline and good evidence of accountability. It is also the natural place to record your lawful basis, your retention period and your decision on residency. Our view is that any SME rolling Claude out across a team should treat the DPIA as the founding document of the project, because it answers the exact questions an ICO caseworker would ask. Firms in regulated sectors should go further, and our financial-services walkthrough for FCA firms shows how the FCA layer sits on top of the data protection one.

Retention, security and the settings to lock down
Retention is the lever UK businesses most often forget. Anthropic’s documentation states that the Claude API deletes inputs and outputs within 30 days by default, and that organisations with stricter needs can arrange Zero Data Retention, where data is not stored after the response is returned. On Enterprise, admins can set custom retention controls at organisation level. For a UK firm, shorter retention directly reduces your exposure and makes the storage-limitation principle of UK GDPR easier to honour, so it is worth configuring deliberately rather than accepting defaults. Anthropic’s ASL-3 safety protections, which we covered separately, add a further layer of model-level safeguards on top of these account controls.
On security, enforce single sign-on, role-based access and audit logging on Team and Enterprise, and disable consumer-grade account creation for staff who handle personal data. Decide centrally whether model improvement is ever permitted, then enforce it through admin policy rather than hoping individuals choose correctly. If you are still weighing Claude against rival assistants on these governance points, our comparison of Claude, Copilot and Gemini sets the three side by side, and our verdict on whether Claude is worth it for UK business weighs the overall value.

Pricing and where to subscribe or check in the UK
You buy Claude direct from Anthropic at claude.com, or through your existing AWS, Google Cloud or Microsoft account if you want EU residency. Anthropic’s pricing page lists Claude Pro at 17 US dollars a month on an annual plan or 20 US dollars billed monthly, Claude Max from 100 US dollars a month, and the Team plan at 20 US dollars per seat each month billed annually, rising to 25 US dollars if billed monthly, with a five-seat minimum (last checked: 2026-06-08). A premium Team seat that adds Claude Code is listed at 100 US dollars per seat annually. Enterprise is quoted as seat price plus usage at API rates, with custom terms on application. Anthropic prices in US dollars on its global page, so confirm the pound figure and VAT treatment at checkout for your account.
For a UK SME, the practical recommendation is Team for the governance controls and the no-training guarantee, stepping up to Enterprise if you specifically need data residency, custom retention or SSO at scale. Buying through a hyperscaler is the move when European processing is non-negotiable. Whichever route you take, the price of the seat is the small number; the compliance file around it is the part that actually protects you.

| Claude option | Trains on your data? | Default storage | Best for UK GDPR |
|---|---|---|---|
| Free / Pro / Max (consumer) | Only if opted in or safety-flagged | US, opt-out available | Personal use, not real customer data |
| Claude Team | No, per Commercial Terms | US, 30-day API deletion | SMEs wanting controls and a DPA |
| Claude Enterprise | No, per Commercial Terms | US, custom retention available | Larger firms needing SSO and governance |
| Claude via AWS / Google / Microsoft | No, partner DPA applies | EU region available | Firms needing European data residency |

Our verdict: adopt Claude, but build the file first
Claude is a legitimate, compliant choice for UK businesses, and the no-training guarantee on commercial plans is genuinely stronger than the default settings on consumer apps. A UK SME should adopt it on Team or Enterprise, sign the data processing addendum, attach an IDTA or Addendum with a transfer risk assessment, and complete a DPIA before the first real record goes in. If European data residency is a hard requirement from your clients or regulator, route Claude through AWS, Google or Microsoft in an EU region instead of going direct. Anyone tempted to wave staff at the free consumer app with live customer data should wait until that governance is in place. Get the paperwork right once and Claude becomes one of the safer AI tools a British company can run; skip it and the model’s quality will not save you from the regulator.