ChatGPT has over 200 million active users worldwide. A significant share of them use it for work — often without their company being aware of it. This creates a paradox: a tool that can hugely boost productivity becomes, without the right rules, a risk to corporate data security.
In this article we look at the real opportunities ChatGPT (and similar tools such as Claude and Gemini) offers in a business context, the concrete risks to privacy and security, and the actions to put in place right away for safe use.
The opportunities: what ChatGPT can do at work
Used correctly, ChatGPT is an extraordinarily versatile tool for everyday work:
- Writing and communication: drafts of emails, reports, sales proposals, marketing content. The quality of the first draft drastically cuts down review time.
- Analysis and research: summarizing long documents, extracting key information, comparing data, generating preliminary analyses.
- Problem solving: structured brainstorming, scenario analysis, generating alternatives. AI as a “sparring partner” for strategic thinking.
- Light automation: creating Excel formulas, simple scripts, document templates, operating procedures.
- Training and support: answering technical questions, explaining concepts, creating training material, generating assessment quizzes.
The estimated time savings for those who use AI regularly at work is 5-10 hours a week. For a team of 10 people, that's 50-100 hours a week of productive capacity recovered.
The concrete risks: what can go wrong
The risks are not theoretical. Here are scenarios that play out daily in companies of every size:
Scenario 1: the contract in the prompt
A salesperson pastes a contract containing client data into ChatGPT to get a summary. The contract contains names, addresses, amounts and confidential terms. In the free version, that data can be used to train the model.
Scenario 2: the shared source code
A developer pastes proprietary code to ask for help with a bug. That code, which represents the company's intellectual property, ends up on the AI vendor's servers.
Scenario 3: the HR data in the chatbot
An HR manager uses ChatGPT to write performance feedback on an employee, including names and evaluations. Sensitive personal data processed with no legal basis and no privacy notice.
Scenario 4: the decision based on made-up data
A manager asks ChatGPT for a market analysis. The AI generates a convincing report with completely invented data and statistics (so-called “hallucinations”). The manager bases a strategic decision on that data.
Free versions vs. Enterprise: what changes for security
Not all versions of AI tools are the same from a security standpoint. Here are the key differences:
| Aspect | Free/Plus version | Enterprise/Team version |
|---|---|---|
| Data used for training | Yes (default) | No |
| Data retention | 30+ days | Customizable management |
| SSO and user management | No | Yes |
| Audit log | No | Yes |
| GDPR compliance | Problematic | Guaranteed |
The difference is substantial. If your company uses the free version of ChatGPT to handle corporate data, the risk is real. Enterprise versions cost more, but they offer guarantees that are essential for professional use.
The 7 rules for using ChatGPT safely at work
Here are the best practices every company should implement right away:
- Adopt the Enterprise or Team version of the tool you choose. The cost difference is minimal compared with the risks of the free version.
- Create a clear policy that spells out what can and cannot be entered into AI tools. Share it with the whole team and make it easily accessible.
- Explicitly forbid entering personal data, contracts, confidential financial data and proprietary source code into non-Enterprise versions.
- Train the team on the policy and the best practices. Sending out a document isn't enough: you need hands-on sessions where people understand the reasoning behind the rules.
- Make validation mandatory: every AI output must be checked by a human before it's used for decisions or external communications.
- Turn off the data-training option in ChatGPT's settings (if not Enterprise). It's an available option that few people know about.
- Consider on-premise alternatives for the most sensitive data. AI models you can install on your own servers exist and can be the solution for specific use cases.
What the GDPR says about using ChatGPT at work
The GDPR doesn't prohibit the use of AI tools, but it imposes precise obligations when personal data is processed:
- Legal basis: transferring personal data to OpenAI (or other vendors) must have a legal basis (consent, legitimate interest, contractual necessity).
- Privacy notice: clients and employees must be informed if their data is processed through AI tools.
- DPIA: for systematic, large-scale use, a Data Protection Impact Assessment is required.
- Transfers outside the EU: if the vendor's servers are outside the EU, the rules on international transfers apply.
Penalties for GDPR violations can reach up to 4% of global annual turnover. It's not a theoretical risk: the Italian Data Protection Authority has already taken action against AI services.
The key takeaway
ChatGPT and similar AI tools are too useful to ignore and too risky to use without rules. The solution isn't to ban them — it's to govern them. With the right policies, proper training and the choice of the right tools, your company can tap into AI's potential while protecting its data.
Want to make your company's use of AI secure?
Codebaker, a consulting firm specialized in integrating artificial intelligence for Italian companies, offers security audits, policy creation and team training.
Discover the AI Security Service