You’ve been on ChatGPT Plus for a while, possibly a year or more. The team has grown. A few colleagues have their own accounts. At least one person is almost certainly using a personal login for work tasks you would rather have had happen under your watch. Now you’re looking at three upgrade paths: Pro, Business (the plan OpenAI used to call Team), and Enterprise. The differences matter more than the pricing does, and the right call depends on questions the comparison tables don’t include.
What’s the choice you’re actually facing?
OpenAI currently offers five ChatGPT plans. For an owner-managed business, three are relevant. Pro sits at around $200 per month (roughly £160), designed for a single power user who needs maximum model capability. Business, the self-serve workspace formerly known as Team, runs at $20 to $30 per user per month depending on contract length. Enterprise is custom-priced, requires a sales call, and comes with minimum seat commitments typically around 150 users.
The naming has become confusing. OpenAI rebranded Team as Business, and third-party guides still use both names interchangeably. For the purposes of this post, Business and Team refer to the same plan.
The real decision sits between Pro and Business. Enterprise only becomes relevant if you have more than 100 to 150 staff who will regularly use the tool, or if you operate in a regulated sector where the audit controls and contractual commitments of an enterprise agreement are non-negotiable. For a business of 5 to 50 people, you are almost certainly deciding between the other two.
When does Pro make sense for your business?
Pro is the right call when usage is concentrated in one or two people doing intensive work, and when team governance is not yet a priority. Think of a founder who uses it heavily for research, a technical lead producing large volumes of code, or a content lead generating first drafts at scale. At $200 per month for a single user, the maths works if fewer than two people are the real regular users.
Pro does not include team workspaces, admin controls, centralised billing, or any visibility into what the rest of your team is doing. If you are on Pro while three colleagues use personal accounts, you have no oversight of what they are typing, what data they are sharing, or whether any of it is material you would prefer kept out of a consumer-grade AI tool.
The NCSC is direct on this. Its guidance on using public generative AI services states that sensitive data, including personal data, commercially sensitive information, and client credentials, should not be entered into public tools unless you have contractual protections in place. A Pro subscription does not give you those protections for your team. If your colleagues are using their own accounts, they are outside any contract you hold.
The scenario where Pro works well is narrow: you use it yourself for tasks where no client-identifiable data is involved, and you have either briefed the rest of the team not to use it for sensitive work, or you are confident they have no meaningful access.
When should you move to Business?
Business is the right plan when more than two or three people in your business regularly use ChatGPT for work, and you want a single workspace with centralised billing, admin controls, and usage visibility. OpenAI describes it as a self-serve plan built for organisations that want a shared workspace without a sales process, and with governance features that give you at least some oversight of what is happening across the team.
Business also matters if your work involves personal or client data. The ICO expects organisations to have technical and organisational measures in place when AI tools are processing personal data, even for small firms. A Business workspace gives you something to point to: you can revoke access when staff leave, monitor activity at the workspace level, and demonstrate that you have given some thought to data governance. That is difficult to claim across a collection of unmanaged personal accounts.
The plan includes access to GPTs, Projects, Company Knowledge, Deep Research, and Codex, broadly the same frontier model capability as Pro but structured for a team. At $20 to $25 per user per month on an annual contract (or $30 on monthly billing), a team of five costs between $100 and $150 per month. The minimum is two users.
Enterprise sits a tier above this. Third-party guides put it at around $50 to $60 per user per month with minimum commitments around 150 users, plus enterprise SSO, SOC 2 controls, dedicated environments, and formal SLAs. For a business below that scale, the governance requirements are typically met at Business level.
What does getting this wrong actually cost?
The cost of under-specifying runs higher than the gap between subscription tiers. When your team operates on unmanaged personal accounts, you have no contractual basis for how data is handled, no visibility into what client information has been shared, and no way to demonstrate you took reasonable precautions if the ICO asks. Professional services firms carry particular exposure here, because client confidentiality is a professional obligation, not a policy preference.
UK GDPR fines can reach £17.5 million or 4% of annual worldwide turnover for the most serious data handling failures. A reference point: the ICO fined Tuckers Solicitors £98,000 following a ransomware attack in 2022, citing inadequate security measures as an aggravating factor. Tuckers was not a large firm. The fine alone, before legal costs and reputational impact, ran to nearly six figures.
The Hiscox Cyber Readiness Report (2023) puts the median cost of a cyber attack on a UK small business at around $16,300, with serious incidents running substantially higher. If an AI tool is cited in an incident response as a weak point in your data handling, you move into that risk range quickly.
The reverse problem also exists. Committing to an Enterprise contract, say 150 seats at $50 to $60 per user per month, when only a fraction of your staff will ever actively use the tool, locks in tens of thousands of pounds per year in unused capacity. The governance controls Enterprise brings are worth paying for when you genuinely need them. Paying for them when Business-level oversight would be adequate is simply a cost with no return.
What should you ask before you commit?
Before you upgrade, three questions should settle the plan choice more reliably than any feature comparison chart. Who in your business will actually use this regularly over the next twelve months? Does any of that use involve personal data or confidential client information? Are you in a regulated sector where your professional body or a regulator might ask about your AI governance arrangements? The answers drive the decision.
Beyond those three, a few specific questions are worth putting to OpenAI directly. Ask whether prompts and outputs from your plan tier are used to train their models, and under what conditions that can be disabled. The NCSC specifically notes that providers may retain prompts for service improvement unless an organisation has contractual controls in place, a consideration that becomes more material as the work gets more sensitive.
Ask where data is stored and processed, and which sub-processors OpenAI uses. UK GDPR applies to international data transfers, and if your workflow involves personal data, you need a lawful basis for any processing outside the UK.
If you are in financial services, ask how the plan supports your FCA obligations on operational resilience and third-party risk management. The FCA’s Discussion Paper DP5/22 is clear that firms remain responsible for outcomes when using external AI services, including being able to demonstrate they have assessed and managed the third-party risk.
If your business serves EU clients, ask about EU AI Act implications. The Act covers providers and users of AI systems placed on the EU market, and UK firms delivering AI-enabled services to EU customers may fall within scope.
Once those questions are answered, the choice usually becomes clear. Three or more active users, client data in the workflow, or any regulatory exposure points toward Business as the minimum. A single power user with no sensitive data in the workflow stays on Pro.



