Most large UK firms unclear how AI handles their data abroad

TL;DR:

  • 61% of senior technology leaders at UK companies above £100m revenue lack a full understanding of how their data is handled abroad by AI systems, per Harbr Data research.
  • Nearly three-quarters of respondents say their data is transferred outside the UK through AI systems at least weekly; one in three report daily flows.
  • For UK boards, the survey turns abstract “AI governance” into a specific compliance gap that already maps to GDPR, fines and geopolitical exposure.

A clear majority of senior technology leaders at large UK companies do not have a full picture of how their data is processed by AI systems overseas, according to research from Harbr Data reported by the Financial Times. The survey covered firms with revenues above £100 million and found 61% lacked complete understanding of foreign data handling — a problem the research framed primarily as a corporate board issue.

The data movement underlying that gap is substantial. Almost three-quarters of respondents said data leaves the UK through AI systems at least weekly, with a third reporting daily transfers. Half of respondents flagged limited oversight as a route to international regulatory breaches; 36% cited the risk of fines or investigations and 35% pointed to geopolitical exposure.

What the gap looks like in practice

Confidence in how AI systems handle data falls sharply outside Europe: 70% of respondents said they were confident about the UK and 62% about the EU, but only 31% expressed confidence in North America and 12% in the Asia-Pacific region. The FT cited two recent precedents that illustrate the risk surface: a 2024 vulnerability in Slack AI where instructions hidden in public channels manipulated the assistant into surfacing private-channel data, and a Microsoft 365 Copilot Chat bug confirmed in February that allowed processing of confidential-labelled emails.

The pattern aligns with our earlier coverage of the UK’s wider AI policy posture. UK ministers are pushing back on EU-style AI rules in part to keep the country attractive to US labs. But the more those labs host UK enterprise data on US infrastructure, the more compliance friction shifts onto individual UK boards rather than the regulator. The Harbr survey is the data point that makes that trade-off concrete.

Looking forward

Analysts surveyed expect more UK firms to adopt region-specific AI systems by 2027 as compliance pressure mounts. For now, the practical implication is narrower: any UK board signing off on enterprise AI deployment in the next 12 months should expect data-flow visibility — not just supplier name and headline cloud region — to be the question that shows up in audit and litigation. The technology decisions follow the governance one, not the other way round.