There is now a working assumption inside most UK and UAE accounting firms that ChatGPT - or one of its consumer-grade peers - is already being used somewhere in the practice. The question for partners is not whether to allow it but whether to govern it. Quietly tolerating shadow use is no longer a defensible position.
This piece is a senior practitioner audit of ChatGPT in the context of a regulated professional services firm. It looks at the data handling reality, the UK GDPR exposure, the accuracy concerns from a working paper perspective, and the alternatives that have emerged for firms that want the productivity benefits without the regulatory tail risk.
It is intentionally not anti-AI. The productivity gains from well-deployed AI in accounting practice are real. The point is to deploy it in a way that holds up to professional scrutiny.
The data handling reality
OpenAI's consumer ChatGPT product and its business products are not the same thing. Under the consumer terms, conversations may be retained and used to improve the model unless the user has opted out. Under the business and enterprise terms, OpenAI has stated that customer prompts and outputs are not used for training. These are different commercial offerings with different contractual terms, and conflating them is the single most common mistake in firm AI policies we review.
For a firm, the working position should be that no employee may paste client-identifying data into a consumer chatbot account. If the firm wants the productivity benefit, it should buy the business tier of the product or use a purpose-built professional tool with appropriate contractual commitments - not rely on individual employees ticking the right boxes in their personal accounts.
UK GDPR and the controller question
Under UK GDPR, the firm is the data controller for client personal data. If an employee pastes that personal data into an external AI service, the firm has - depending on the contractual position with the AI supplier - either appointed that supplier as a processor or made an unlawful disclosure. The ICO's published guidance on generative AI makes clear that processors must be appointed under appropriate written terms covering the matters in Article 28.
For consumer ChatGPT accounts, no such Article 28 contract exists between the firm and the supplier in the normal course. That is the immediate regulatory exposure. It is not a question of whether the data is "stolen" - it is a question of whether the processing has a lawful basis and a compliant processor agreement, and in most consumer-tier deployments the answer is no.
The UAE data protection angle
For UAE firms, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, together with the rules of ADGM and DIFC for entities licensed there, creates a comparable picture. Cross-border transfers of personal data to a processor outside the UAE require a lawful basis and contractual safeguards. The principles are not identical to UK GDPR, but the practical conclusion is similar - pasting client data into a consumer chatbot without a compliant processor relationship is regulatory exposure.
Confidentiality and professional duty
Separately from data protection law, accountants are bound by professional confidentiality obligations under their regulator's ethics standards. The ICAEW Code of Ethics, the ACCA Rulebook, and the UAE auditor regime all impose confidentiality duties on members. Disclosing client information to a third party - including an AI supplier - without an appropriate authority and basis is a potential breach even where the data protection position is technically defensible.
In practice, this means an AI deployment in a firm needs an ethics-grade answer to the question "what authority do we rely on to share client information with this supplier?" - not just a data protection answer. The cleanest position is a clear clause in the client engagement letter and a vendor relationship with appropriate commitments.
The accuracy question
Even setting privacy aside, the accuracy profile of consumer ChatGPT is not suited to professional services use without significant procedural guardrails. The model is trained on a general corpus and is not connected by default to your firm's documents, your client's actual data, or current UK tax law. It will produce plausible but sometimes incorrect statements about HMRC rules, FRS 102 treatment, or UAE Corporate Tax positions.
When we have stress-tested consumer chatbots on accounting questions, the failure mode is rarely a hopeless answer. It is usually a 90% correct answer with one or two specific points that are subtly wrong - often the very points that would matter on a regulator review. That failure mode is harder to catch than an obviously wrong answer.
Where consumer ChatGPT can be used safely
There are uses of ChatGPT that are essentially risk-free if no client-identifying data is involved. These include:
- Drafting generic content - blog posts, marketing copy, internal training notes
- Rephrasing the firm's standard templates to suit a new audience, with no client data in the prompt
- Brainstorming a checklist or framework for a service line
- Translating a generic English text into another language, with no client material
- Producing first-pass code for an internal automation script
Where consumer ChatGPT should not be used
Equally clearly, there are uses that should not be permitted on a consumer account in a regulated firm:
- Any prompt that includes client names, registration numbers, or financial figures
- Drafting a response to a specific client email by pasting the email in
- Asking for an opinion on a specific client tax return or accounts
- Summarising a contract or engagement letter that has identifying details
- Generating any content that will go into a working paper file
The alternatives worth considering
For firms that want the productivity benefit without the regulatory tail risk, the credible alternatives in 2026 are:
- A business or enterprise tier of a general AI vendor (OpenAI, Anthropic, Google) under a written processor agreement
- A Microsoft 365 Copilot deployment governed by the existing Microsoft data processing terms in your tenancy
- A purpose-built AI for professional services that operates docs-only over your documents with source citation
- An in-house deployment of a smaller open-weight model on infrastructure the firm controls - only realistic for larger firms with technical resource
A working firm policy
At a minimum, every firm should have a written AI use policy covering: which tools are approved, what categories of data may and may not be processed, the role of human review before AI output enters a client file, how AI output is documented in the working papers, and the consequences for breach. The policy should be acknowledged by every employee in writing on joining and at annual renewal.
This is no longer optional. A regulator inspection that finds undocumented AI use will treat the absence of a policy as a control failure, not a neutral fact.
How Accupe helps
Accupe gives firms a route to use AI in client work without the consumer chatbot exposure. The AI document analysis runs over the documents you upload, operates in a docs-only mode with source citation on every statement, refuses cleanly when the answer is not in the documents, and sits within a platform that already handles AML/KYC via OpenSanctions, encrypted client messaging, and built-in e-signatures. Data stays inside the firm's processing boundary and is not used to train external models. Per-firm pricing from £20/month.