Your firm has rules on how long it keeps client records and when it deletes them. The moment an AI tool stores copies of that data, those rules have to reach the tool too, or you have data living somewhere your retention policy never reaches.
Know what the tool keeps
Many tools retain prompts, uploads and outputs, sometimes indefinitely. Before you adopt one, find out what it stores, for how long, and whether you can delete it. A tool that holds client data forever sits awkwardly with the duty to keep personal data no longer than necessary.
Match it to your schedule
Your document retention schedule should account for data held in AI tools, with a way to delete it when a matter closes or a retention period ends. If the tool cannot delete on request, that is a reason to think again.
Be ready for a request
If a client makes a subject access request or asks you to erase their data, you need to find and act on copies held in AI tools as well as in your main systems. Keeping a list of which tools hold what makes that possible.
Bringing AI tools inside your retention rules keeps the firm in control of where client data lives and when it goes.
Storage limitation is set out in full in the ICO's UK GDPR guidance.
If your retention schedule has never met your AI tools, the two need introducing before a deletion request tests them: ask us how.
