
AI Data Sovereignty for UK Councils: What Your DPO Needs to Know

GovAI Team · Compliance | 3 March 2026 · 5 min read

When a resident uses your council's AI chatbot or service navigator, they share personal information. Names, circumstances, sometimes sensitive details. Where does that data go? For many AI platforms used in the public sector, the answer is: outside the UK, often to US-based cloud and AI providers. That creates real risks under UK GDPR and the Data Protection Act 2018 — and it's something your Data Protection Officer needs to be across.

This article sets out why AI data sovereignty matters for UK councils and what to ask vendors before you sign.

The Cloud AI Risk

Most generative AI services today run on US-owned infrastructure. Prompts and responses are processed by models hosted in US data centres; sub-processors may be in other jurisdictions. Even when a vendor offers an "EU" or "UK" option, the small print often allows data to be sent to the US for training, support, or fallback. For personal data relating to residents, that creates:

  • Transfer restrictions — UK GDPR restricts transfers to countries without adequacy. The UK has no adequacy decision for the US; standard contractual clauses and supplementary measures are required, and the legal landscape is uncertain.
  • Subject access and erasure — If data is processed abroad, responding to SARs or deletion requests becomes harder. You depend on the vendor's ability to locate and delete data in multiple systems.
  • Audit and assurance — You need to be able to tell the ICO and residents where data is. Opaque supply chains make that difficult.

DPO checklist

Ask every AI vendor: Where is resident data processed and stored? Which sub-processors handle it? Do you use any US-based APIs or infrastructure for our data?

What UK GDPR Requires

Under UK GDPR and the DPA 2018, you must ensure that personal data is processed lawfully, fairly, and transparently. You need a lawful basis, a clear purpose, and appropriate technical and organisational measures. When you use an AI system that processes resident data, you are responsible for that processing. If the vendor sends data overseas, you need a valid transfer mechanism and, where necessary, a DPIA that addresses the risks.

Your DPO will want to see:

  • A Data Processing Agreement that specifies processing location and sub-processors.
  • Evidence that data does not leave the UK (or the UK/EEA) if that is your policy.
  • DPIAs that consider the nature of the data, the AI processing, and any transfers.

What "Self-Hosted" and "UK-Hosted" Mean

Terms like "self-hosted" or "UK-hosted" are only as good as the contract and architecture behind them. True UK data sovereignty means:

  • Infrastructure in the UK — Servers and GPUs in UK data centres, not just a "UK region" of a global cloud.
  • No US (or other non-adequate) sub-processors for resident data — No sending prompts or PII to OpenAI, Anthropic, or similar via API unless you have explicitly accepted the transfer and safeguards.
  • Transparency — You can audit where data is stored and processed, and the vendor can demonstrate it.

If a vendor cannot clearly answer "where does our residents' data go?" and back it with contract and architecture, treat that as a red flag.

Questions to Ask Vendors

  1. Where is our data processed and stored? (Country and, if possible, data centre.)
  2. Do you use any US or other non-UK/non-adequate processors for our data? (Including APIs for AI.)
  3. Can we have a Data Processing Agreement that contractually restricts processing to the UK (or UK/EEA)?
  4. How do you handle subject access and erasure across all systems that touch our data?
  5. Can we conduct an audit or receive assurance (e.g. SOC 2, ISO 27001) that covers our data?

GovAI's Approach

GovAI is built for UK councils who need to say, with confidence, that resident data does not leave the UK. Our AI runs on TWDA-owned GPU hardware in UK data centres. We do not send resident data to US tech companies or third-party LLM APIs for processing. We use UK-hosted models (including Qwen3) and keep all processing and storage in the UK. Our DPIA and DPA are designed for council DPOs and procurement teams.

Sovereignty by design

Choosing a platform that is UK-hosted and sovereign by design reduces transfer risk, simplifies your DPIA, and gives you a clear story for residents and members.

Data sovereignty is not just a compliance tick. It's the foundation for trust and for sustainable use of AI in the public sector. Your DPO should be at the table when you evaluate AI vendors — and "where does our data go?" should be the first question on the list.
