Are AI Bid Writing Tools GDPR Compliant? UK Tender Data Security in 2026

What UK GDPR, Data Protection Act 2018, and PPN 017 actually require when you use AI to draft tender responses.

compliance · 30 April 2026 · 11 min read · by CleanTender Editorial

Yes, AI bid writing tools can be UK GDPR compliant. The deciding factors are narrow: where your data is processed, whether your input is used to train the model, and whether the tool has a written Data Processing Agreement (DPA) under UK GDPR and the Data Protection Act 2018. Most purpose-built UK tender tools meet all three. Generic consumer LLMs (the free tier of ChatGPT, the unpaid Claude tier) usually fail at least one.

Procurement Policy Note 017 (live 24 February 2025) adds a fourth layer when the tender is from a UK contracting authority. The buyer is required to put proportionate controls in place to make sure suppliers do not use confidential government tender documents as AI training data. That is a hard line, regardless of which tool you pick.

  • AI bid tools can be UK GDPR compliant. The check is the contract, not the technology.
  • Three questions decide it: where is data processed, is your input used to train the model, and is there a written UK GDPR Data Processing Agreement (DPA).
  • PPN 017 explicitly forbids using confidential contracting authority documents as training data. The rule sits on the buyer's side but applies to your tool choice.
  • ISO 27001 certification is increasingly listed as a tender requirement on contracts above £100k. Either the supplier holds it or the AI vendor does.
  • Personal data inside a tender response (CVs, staff contact info, named referees) is processed under UK GDPR. Lawful basis is usually 'legitimate interests' for the bid, then erased after award.
  • Generic consumer LLMs (free ChatGPT, free Claude) usually retain inputs for training by default. Use the paid Enterprise tier or a purpose-built tender tool with a DPA, or write that section by hand.
  • If a buyer is concerned, expect a clarification question on data residency, encryption at rest and in transit, sub-processors, and incident response timelines.

Putting in place proportionate controls to ensure suppliers do not use confidential contracting authority information, or information not already in the public domain as training data for AI systems e.g. using confidential Government tender documents to train AI or Large Language Models (LLMs) to create future tender responses.

PPN 017 (live 24 February 2025)

What's in this guide

  • The three GDPR checks that decide whether a tool is compliant for tender drafting
  • PPN 017 confidentiality rule (verbatim) and what it means for tool choice
  • ISO 27001 in tender packs and when it becomes mandatory
  • Personal data in tender responses, lawful basis and retention
  • ChatGPT free tier vs Enterprise vs purpose-built tender tools, on data handling
  • What CleanTender does (in plain buyer-facing language)
  • A 7-point procurement checklist before you sign up to any AI bid tool

The three checks that decide GDPR compliance

Check 1: Data residency
  What good looks like: Data is processed in UK or EEA data centres (or under an Article 46 transfer mechanism with an adequacy decision).
  What fails: Default US-only processing with no Standard Contractual Clauses or UK adequacy adoption.

Check 2: Training-data use
  What good looks like: Customer input is not used to train the model. Stated in writing in the DPA.
  What fails: Inputs feed back into the foundation model unless the user manually opts out (the consumer-tier default for most public LLMs).

Check 3: UK GDPR Data Processing Agreement
  What good looks like: Signed DPA covering Article 28 obligations: subject matter, duration, sub-processors, technical and organisational measures, audit rights.
  What fails: No DPA, just generic Terms of Service. The supplier has not legally accepted processor obligations.

The three questions to answer before using any AI tool to draft UK tender responses.

All three checks need to be cleared. Two out of three is not GDPR compliance; it is a partial defence. If the AI vendor cannot send you a DPA on request, walk.

The PPN 017 confidentiality rule

PPN 017 sits on top of UK GDPR. It is procurement guidance, not data protection law, but it sets a hard line on AI training data when the buyer is a UK central government department, executive agency, or non-departmental public body. The verbatim wording is in the quote box above. The practical translation:

  1. If a buyer marks any annex of the tender pack as confidential, you must not paste that document into a public LLM where the input is used to train the foundation model. This is the rule most ChatGPT free-tier users fall foul of.
  2. If you use a paid Enterprise LLM (ChatGPT Enterprise, Claude for Enterprise) or a purpose-built tender tool that contractually does not retain inputs for training, the rule is met.
  3. The buyer can ask you in clarification to evidence which tool you used and how training data is handled. Be ready to send a one-page response with the tool name, vendor name, DPA reference, and a Yes/No on training-data retention.
  4. PPN 017's illustrative example uses video conferencing transcription. The principle generalises: any AI processing of buyer-confidential data needs an explicit written agreement that the data is not used for training purposes.

The full PPN 017 disclosure rules (the three Annex B questions you will be asked, and what disqualifies vs what scores) are in the plain-English PPN 017 guide for cleaning SMEs.

ISO 27001 in tender packs

ISO 27001 is the international standard for information security management. UK public buyers list it as a hard requirement on contracts above £100,000 with increasing frequency. NHS Trust and central government tenders almost always ask for it on contracts handling patient data, staff data, or other sensitive categories.

There are two ways to satisfy this on a tender that uses AI bid drafting:

  1. You hold ISO 27001 yourself (UKAS-accredited). Most cleaning and FM SMEs do not, and getting certified is a £6k-£15k first-year cost plus surveillance audits.
  2. Your AI vendor holds ISO 27001 and you reference their certificate in your bid. Most purpose-built B2B tender tools have ISO 27001 (or SOC 2 Type II as a US-equivalent that UK buyers usually accept). Generic consumer LLMs in their free tier usually do not.

If the buyer asks for ISO 27001 and you do not hold it, ask them whether the certification of the underlying AI vendor satisfies the requirement. Most do, in our experience, especially for cleaning and FM contracts where the bidder's own systems are not the primary data store.

Personal data inside tender responses

A typical UK soft FM tender response contains personal data. Named directors with their CVs. Site supervisor qualifications. Two named referees with phone numbers and email addresses. Sometimes payslip data for TUPE liability calculation. All of this is personal data under UK GDPR and the Data Protection Act 2018.

Director CVs
  Where it appears: SQ Part 1, key personnel section
  Lawful basis: Legitimate interests (Article 6(1)(f)) for the bid; consent recommended for any post-bid use

Site supervisor qualifications + names
  Where it appears: Method statement, staffing model
  Lawful basis: Legitimate interests for the bid; check employment contract permits inclusion

Two named referees + contacts
  Where it appears: SQ Part 3, case studies
  Lawful basis: Consent (Article 6(1)(a)). Get written permission before submitting them as referees.

TUPE-in payslip data (for re-tendered contracts)
  Where it appears: Pricing model, only at preferred bidder stage
  Lawful basis: Legitimate interests + ICO Employment Practices Code; minimise to what is needed

Personal data categories typically present in a UK soft FM tender response, with lawful basis under UK GDPR Article 6.

When you use an AI tool to draft any of these sections, you are processing personal data. The AI vendor becomes a Data Processor under Article 28. That is why the DPA is non-negotiable. Without one, you are passing personal data to a processor with no contractual safeguards, which is itself a UK GDPR breach.

Free LLM vs Enterprise vs purpose-built tender tool

ChatGPT free / consumer Claude / Gemini consumer
  Data residency: US-default (varies by region, account)
  Training-data retention: Yes, by default, unless user manually opts out per chat
  DPA: No (Terms of Service only)
  PPN 017 ready: No

ChatGPT Enterprise / Claude for Enterprise / Gemini Workspace
  Data residency: EEA / UK options available on contract
  Training-data retention: No, contractually
  DPA: Yes, on request
  PPN 017 ready: Yes, with the right contract terms

Purpose-built UK tender tool (e.g. CleanTender)
  Data residency: UK / EEA
  Training-data retention: No, contractually
  DPA: Yes, default
  PPN 017 ready: Yes

Bid writer (human, no AI)
  Data residency: Wherever they keep their files
  Training-data retention: n/a
  DPA: DPA-equivalent depending on engagement terms
  PPN 017 ready: Yes, with appropriate engagement letter

Data handling across the three common ways to get AI assistance on a UK tender response in 2026.

The cheapest defensible path for a UK soft FM SME doing 6+ bids a year is a purpose-built tool. The Enterprise tiers of the consumer LLMs cost the same or more once you add per-seat licensing. Free consumer LLMs are out for any bid touching confidential buyer information.

A 7-point procurement checklist before you sign up

  1. Ask the AI vendor for their UK GDPR Data Processing Agreement. If they cannot send one in 24 hours, walk.
  2. Confirm in writing that customer input is not used to train the model. Get this in the DPA, not just on a marketing page.
  3. Confirm data residency. UK or EEA processing is the cleanest answer. If it is US, ask for the Standard Contractual Clauses or UK Extension to the EU-US Data Privacy Framework.
  4. Ask whether the vendor holds ISO 27001 (or SOC 2 Type II). Get the certificate number and verify on the UKAS register or the vendor's audit portal.
  5. Ask for the list of sub-processors. Cloud hosting, email delivery, analytics. Each one is a sub-processor and needs to be in the DPA.
  6. Ask about incident response. What is the notification timeline if there is a personal data breach? UK GDPR sets the buyer's clock at 72 hours; your vendor should be tighter than that.
  7. Test by uploading a non-confidential sample first. Confirm the output behaves the way the marketing page says. If a vendor refuses a free trial or sample interaction, that is a signal.

What to do this week

  1. Check whatever AI tool you currently use against the 7-point checklist. If you are using a free consumer LLM, that is the gap to close first.
  2. Request a UK GDPR DPA from your AI vendor. Read the training-data clause and the sub-processor list before signing.
  3. Audit your last three submitted tender responses for personal data exposure. Were referees consent-confirmed? Were CVs anonymised where possible?
  4. If a buyer has asked or might ask about ISO 27001, find your AI vendor's certificate (or note that you do not have one) and write a one-paragraph answer ready for the next clarification.
  5. Pre-write your three PPN 017 Annex B disclosure answers (covered separately) so you have them ready alongside your data handling answer.

Sources

  1. PPN 017: Improving Transparency of AI use in Procurement · Live 24 February 2025; section on confidential information as AI training data quoted in this guide
  2. Data Protection Act 2018 (legislation.gov.uk) · UK implementation of GDPR; defines lawful bases and data subject rights
  3. UK GDPR (legislation.gov.uk consolidated) · Article 6 (lawful basis), Article 28 (processor obligations), Article 33 (breach notification)
  4. ICO Guide to UK GDPR (Information Commissioner's Office) · Authoritative UK regulator guidance on Data Processing Agreements, sub-processors, and breach handling
  5. ISO/IEC 27001:2022 (BSI) · Information security management standard increasingly required on UK public-sector tenders above £100k
  6. Procurement Act 2023 (legislation.gov.uk) · Live for new procurements from 24 February 2025; underlying framework for PPN 017

Frequently asked questions

Are AI bid writing tools UK GDPR compliant?

Some are, some are not. UK GDPR compliance for an AI bid tool depends on three things: where the data is processed (UK / EEA preferred, or US under approved transfer mechanisms), whether your input is used to train the underlying model (it should not be, and the answer should be in the contract), and whether the vendor has signed a UK GDPR Data Processing Agreement under Article 28. Purpose-built UK tender tools usually meet all three. Generic consumer LLMs (the free tier of ChatGPT, Claude, Gemini) typically retain inputs for training by default and do not offer DPAs, which means using them to draft any tender response containing personal data is a UK GDPR concern.

Can I use ChatGPT to draft a UK public-sector tender response?

Only with caveats. ChatGPT Enterprise and ChatGPT Team have contractual no-training-on-input commitments and offer Data Processing Agreements, which makes them defensible for UK GDPR. The free consumer tier of ChatGPT retains inputs for training by default, which is a problem for both UK GDPR (no DPA, processing for training without contractual safeguards) and PPN 017 (which forbids using confidential contracting authority information as AI training data). If you are bidding for any UK central government tender, only use the paid Enterprise tier or a purpose-built tender tool with a DPA. For private-sector RFPs the bar is lower, but the UK GDPR rules still apply once personal data is in scope.

What does PPN 017 say about AI training data?

PPN 017 (live 24 February 2025) tells UK contracting authorities to put proportionate controls in place to make sure suppliers do not use confidential contracting authority information, or information not already in the public domain, as training data for AI systems. The example given in the PPN is using confidential Government tender documents to train LLMs to create future tender responses. The rule sits on the buyer side but applies directly to the supplier's tool choice. If you use an AI tool that retains your inputs for training, and you upload a confidential tender annex, you are in breach of the spirit of the rule even if the buyer never finds out.

Do I need ISO 27001 to bid for UK public-sector contracts using AI?

Increasingly, yes, on contracts above £100,000 or those handling personal data. The most common pattern in 2026 is for the buyer to require either the bidder or their AI vendor to hold ISO 27001 (UKAS-accredited) or an equivalent like SOC 2 Type II. Most cleaning and FM SMEs do not hold ISO 27001 themselves (the cost is £6,000-£15,000 first year plus surveillance audits). Most purpose-built UK B2B tender tools do, and SMEs reference the vendor's certificate in their bid. If the buyer has asked for ISO 27001 and you do not hold it, your first move is to ask whether your AI vendor's certification satisfies the requirement.

What personal data ends up in a UK soft FM tender response?

More than most bidders realise. Director CVs and qualifications. Named site supervisors with their accreditations. Two named referees with phone numbers and email addresses. Sometimes payslip data for TUPE liability modelling at preferred bidder stage. All of this is personal data under UK GDPR. Lawful basis is usually 'legitimate interests' (Article 6(1)(f)) for the bid itself, with consent (Article 6(1)(a)) preferred for referee details. Best practice: get written permission from referees before submitting their contact info, and minimise personal data in CVs to what the buyer actually needs to assess capability.