Choosing data collection vendors for AI projects safely

Two people comparing printed proposals at a desk in a small office
TL;DR

Use an external data collection vendor when your AI project needs scale, specialist labelling labour, or multi-market field collection. Keep collection in-house when the data is sensitive, already in your systems, or strategically valuable. Either way, under UK GDPR you remain the data controller, so run a DPIA first, contract for named storage locations, a ban on training-data reuse, and 24-hour breach notification, and pilot on a small, low-risk dataset before committing.

Key takeaways

- Under UK GDPR you remain the data controller when you appoint an external data collection vendor; legal responsibility for the people in the data never transfers to the vendor - External vendors earn their place on scale, specialist labelling labour, and multi-market field collection; in-house wins for sensitive data, data you already hold, and datasets that carry strategic value - ICO fines run up to £17.5 million or 4% of global turnover, and the British Airways (£20m) and Ticketmaster (£1.25m) penalties both traced back to compromised third-party components - Before signing, demand a UK GDPR Article 28 data processing agreement, named storage locations, an explicit ban on training-data reuse, ISO 27001 or SOC 2 evidence, and 24-hour incident notification - Run a concise DPIA before collection starts and pilot the vendor on a small, non-sensitive or synthetic dataset before any real customer data moves

The quote from the data firm looks reasonable. They’ll label five years of your call recordings, or collect the images your AI model needs, at a per-unit price and on a timescale your own team couldn’t touch. What the proposal doesn’t say is that under UK GDPR the legal responsibility for every person in that data stays with you, whoever does the work. That one fact should shape the whole decision, and it rarely comes up on the first call.

What choice are you actually facing?

The decision is whether to hand data collection and labelling to an external specialist or keep it inside your own business. Under UK GDPR you remain the data controller either way. The vendor acts as your processor, on your instructions, and the ICO holds you responsible for lawful basis, transparency, and the rights of the people in the data.

That framing matters because the ICO treats a good deal of AI data collection as high-risk processing. Recording calls, labelling images of identifiable people, profiling, and large-scale monitoring all sit on the list of triggers that require a Data Protection Impact Assessment before the work begins. The assessment doesn’t need to be a thesis. The ICO’s own guidance says a concise, structured DPIA covering purpose, lawful basis, minimisation, risks, and safeguards is sufficient for many projects, provided it’s documented and revisited when the vendor relationship changes.

When does an external data vendor make sense?

An external vendor earns its place when the job outgrows your team. Labelling thousands of images, transcripts, or contracts is rarely feasible in-house, and specialist firms such as Appen, TELUS Digital, and Scale AI bring managed workforces, quality-assurance layers, and tooling built for exactly this work. Scale and specialist labour are the honest reasons to go outside.

The case strengthens when collection needs field operations you don’t have. Gathering speech in multiple accents, photographs of real-world environments, or customer interactions across several languages takes recruitment panels, consent procedures, and infrastructure that established vendors already run. Building that yourself for a single project makes little commercial sense.

Quality is the third argument. If your system will fall under the EU AI Act’s high-risk category, and it will if you sell into the EU and the model touches credit, employment, or access to essential services, the Act requires documented governance over training data, including its relevance and representativeness. Established vendors offer multi-layer annotation review, inter-annotator agreement metrics, and bias checks as standard, which is exactly the evidence that documentation needs.

There’s a less comfortable argument too. If your own security practices are thin, a well-run vendor with mature controls can lower your overall risk by concentrating sensitive processing with the more capable party. That only holds if the contract is watertight, but weigh it honestly rather than assuming in-house always means safer.

When should you keep collection in-house?

Keep the work inside the business when the data is sensitive, already in your systems, or strategically valuable. ICO guidance and legal commentators advise against sharing special-category data, health, ethnicity, and the like, with external AI vendors unless strictly necessary. And if the dataset you need already sits in your support tickets and emails, curating it internally is often cheaper and faster.

Regulation sharpens the point in some sectors. Firms regulated by the FCA must evidence control over outsourcing arrangements and operational resilience, including data integrity when using third-party technology providers. If you would struggle to demonstrate that oversight, the appointment adds a compliance burden on top of the project itself.

Intellectual property is the reason founders tend to underweight. The UK Intellectual Property Office acknowledges ongoing uncertainty about who owns what in AI training data and outputs, and keeping strategic datasets inside the business removes the risk of vendor reuse while keeping provenance simple to evidence. If the dataset is part of what makes your business worth buying one day, think hard before it leaves your systems.

Scale cuts the other way as well. For a small experiment on non-personal or low-sensitivity data, internal templates, generic FAQs, the overhead of full vendor vetting outweighs the benefit. And where you can work with synthetic or genuinely anonymised data, which the ICO no longer treats as personal data, much of the regulatory weight falls away entirely.

What does getting this wrong actually cost?

The ICO can fine up to £17.5 million or 4% of global turnover for the most serious data-protection failures, and its enforcement record shows third-party weaknesses drive real penalties. British Airways paid £20 million after a compromised third-party script exposed around 400,000 customers’ payment details. Ticketmaster paid £1.25 million after a vendor-hosted chatbot on its payment page was breached.

Both cases share the same shape. A peripheral third-party component, a script on a payment page, an embedded chatbot, opened the door while attention sat on the core systems. A data collection vendor holding copies of your customer records is a far bigger surface than either.

The clock makes vendor failures worse. If your vendor suffers a breach involving personal data, you as controller may have to notify the ICO within 72 hours and affected individuals without undue delay. A vendor who takes a week to tell you has already put you in breach. The UK government’s Cyber Security Breaches Survey flags supply-chain compromise as a growing concern, and the NCSC warns that cloud-based AI services add new routes for data to leave your control.

Then there’s everything the fine doesn’t capture. Incident response, forensics, customer letters, and system rebuilds can absorb leadership time for months in an owner-managed business, and breach notifications commonly lead to lost contracts, higher cyber-insurance premiums, and heavier due-diligence demands from larger customers.

What should you ask before you decide?

Six questions separate a safe appointment from an expensive one. Where will the data be stored and processed? Will the vendor use your data to train its own models? What security certifications does it hold? How fast will it notify you of an incident? Can you export everything in open formats when you leave? And will it start with a small, low-risk pilot?

Get the answers in writing, beginning with a data processing agreement aligned with UK GDPR Article 28 that covers processing instructions, sub-processor approval, and deletion or return of your data at the end. Ask for specific countries and cloud regions, and if any sit outside the UK or an adequacy country, insist on an international data transfer agreement and a transfer risk assessment.

The training question deserves particular attention because many AI services reuse customer inputs to improve their models by default. An explicit contractual prohibition on reusing your data, or the labels derived from it, without your written agreement closes that door. Pair it with clarity on who owns the collected data and annotations, and confirm you can export both in open formats such as CSV or JSON if you leave.

On security, ask for ISO 27001 certification or a SOC 2 Type II report and check the scope actually covers the systems that will hold your data. Vague answers here are a decision in themselves. Write incident notification into the contract at 24 hours from detection, which leaves you room to meet your own 72-hour ICO deadline.

And before any of it, pilot. A limited trial on a small, non-sensitive or synthetic dataset tests the vendor’s quality, processes, and security posture while the stakes are still low. A vendor who resists a bounded pilot is telling you something useful.

Whichever way you go, the responsibility stays with you. Either route is safe if you can evidence control, a documented DPIA, a tight contract, and a small first step before real customer data moves anywhere. If you’re weighing this decision now and want a second pair of eyes on it, book a conversation.

Sources

- Information Commissioner's Office (2023). Guidance on AI and data protection, security and data minimisation. Sets out DPIA triggers for AI projects, security expectations, and controller responsibilities when appointing data collection vendors. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/how-should-we-assess-security-and-data-minimisation-in-ai/ - European Union (2024). Regulation (EU) 2024/1689, the EU AI Act. Requires providers of high-risk AI systems to apply documented data governance, including relevant and representative training data, and bans indiscriminate scraping of facial images. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689 - Information Commissioner's Office (2020). ICO fines British Airways £20m for data breach. Penalty followed the compromise of a third-party script that exposed payment details of around 400,000 customers. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach/ - Information Commissioner's Office (2020). Ticketmaster UK fined £1.25 million. Penalty followed the compromise of a third-party chatbot hosted on its payment page, affecting 9.4 million customers across Europe. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2020/11/ticketmaster-fined-1-25million-for-failing-to-protect-customers-payment-details/ - UK Government, Department for Science, Innovation and Technology (2024). Cyber Security Breaches Survey 2024. Flags supply-chain compromise as a growing concern for UK businesses of all sizes. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024 - National Cyber Security Centre. Supply chain security guidance. Recommends vetting third-party providers for secure development, access controls, and clear data-handling terms before integration. https://www.ncsc.gov.uk/guidance/supply-chain-security-guidance - Information Commissioner's Office. International data transfers guidance. Covers international data transfer agreements, adequacy, and transfer risk assessments where a vendor processes data outside the UK. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-data-transfers/ - Financial Conduct Authority (2021). PS21/3, Building operational resilience. Requires regulated firms to evidence control over outsourcing and third-party technology arrangements. https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience - Pinsent Masons Out-Law (2023). Take data protection into account when working with AI vendors. Legal analysis covering Article 28 processing agreements, reuse prohibitions, exit assistance, and deletion terms. https://www.pinsentmasons.com/out-law/analysis/take-data-protection-into-account-when-working-with-ai-vendors - UK Intellectual Property Office (2022). Artificial intelligence and intellectual property. Government position on the unsettled IP questions around AI training data and outputs. https://www.gov.uk/government/publications/artificial-intelligence-and-intellectual-property

Frequently asked questions

Do I need a DPIA before appointing a data collection vendor?

If the project involves personal data and hits any of the ICO's triggers, profiling, large-scale processing, sensitive data, systematic monitoring, or automated decisions with significant effects, then yes, and it needs to be done before collection starts. The ICO indicates a concise, structured DPIA is sufficient for many projects. Cover the purpose, lawful basis, data minimisation, risks including bias, and safeguards, then revisit it whenever the project or the vendor relationship changes.

Who is responsible if my AI data vendor suffers a breach?

You are, as the data controller under UK GDPR. You may need to notify the ICO within 72 hours of becoming aware and tell affected individuals without undue delay, whoever caused the breach. That is why the contract matters so much. Specify that the vendor must alert you within 24 hours of detecting a relevant incident, otherwise their delay can put you in breach of your own reporting duty.

Can a data vendor use my data to train its own models?

Only if your contract allows it, and many AI services reuse customer inputs by default unless you switch it off or prohibit it. Ask directly whether your raw data or the derived labels will be used for other customers or the vendor's own models, and get an explicit written prohibition. Confirm at the same time who owns the collected data and annotations, and that you can export both in open formats if you leave.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation

Related reading

If any of this sounds familiar, let's talk.

The next step is a conversation. No pitch, no pressure. Just an honest discussion about where you are and whether I can help.

Book a conversation