Data Security and AI | Privacy Protection

The real risks: what happens without a policy

Every day, in thousands of Italian companies, employees use ChatGPT and other AI tools for work. Often without the company being aware of it. Here is what can happen:

Sensitive data on external platforms

An employee pastes a contract containing client data into ChatGPT to summarize it. That data is now on third-party servers, outside the company's control.

Unwitting GDPR violations

Personal data of customers or employees entered into cloud AI tools can constitute an unauthorized data transfer. GDPR penalties reach up to 4% of turnover.

Intellectual property at risk

Source code, business strategies, financial data: anything entered into non-corporate AI tools can potentially be used to train future models.

Decisions based on incorrect data

Without oversight, AI can generate false information presented as facts. If used for critical business decisions, the consequences can be serious.

The good news? These risks are manageable. You need the right policies, adequate training and the correct tools.

Cloud vs. on-premise: which to choose

Option 1
Cloud AI Tools

ChatGPT, Claude, Gemini and the like in their cloud version. Data is processed on the provider's servers.

Pros: easy to use, contained costs, automatic updates, no infrastructure to manage
Cons: data leaves the company perimeter, dependence on the provider, less control
When to use them: for generic tasks that do not involve sensitive data, or with Enterprise versions that guarantee no data retention

On-premise AI solutions for data protection

Option 2
On-premise and private solutions

AI models installed on your servers or in a private cloud. Data never leaves the company perimeter.

Pros: full control over data, native GDPR compliance, complete customization, no risk of leaks
Cons: higher infrastructure costs, requires technical expertise, updates to manage
When to use them: for sensitive data, regulated sectors (healthcare, finance, public administration), critical intellectual property

The best solution? Often a hybrid approach: cloud tools for generic tasks, private solutions for sensitive data. We help you find the right mix for your organization.

GDPR and AI Act: what your company must do

GDPR and artificial intelligence

GDPR applies fully to the use of AI when personal data is processed. In practical terms:

Every transfer of personal data to AI tools must be documented and legitimized
Employees must be informed about how their data is processed
Automated decisions that impact people require transparency and the possibility of appeal
The record of processing activities must be updated to reflect the use of AI tools

European AI Act

The AI Act is the European regulation on artificial intelligence, coming into force progressively from 2024. The practical implications for companies:

Risk classification: high-risk AI uses (HR, credit, healthcare) carry stricter obligations
Transparency requirement: users must know when they are interacting with an AI
Documentation and audit: companies must be able to demonstrate the compliance of their AI systems
Penalties of up to 35 million euros or 7% of global turnover

How to create a company policy on AI use

Company policy on the use of artificial intelligence

AI Policy
The rules every company should have

An effective AI policy is clear, practical and easy to follow. Here is what it should contain:

Authorized tools: which AI tools can be used and which cannot
Prohibited data: what must never be entered into AI tools (personal data, contracts, confidential financial data)
Mandatory validation: all AI outputs must be verified by a human before being used
Accountability: who is responsible for the use of AI and for decisions based on its outputs
Training: all employees must complete a training program before using AI tools

Checklist: before using an AI tool

A practical checklist to share with the whole team. Before entering any data into an AI tool, make sure that:

1
The tool is among those authorized by the company policy
2
The data you are about to enter does not contain personal information about customers, employees or suppliers
3
You are not sharing intellectual property, source code or confidential financial data
4
The AI output will be verified by a human before being used for decisions or external communications
5
If the tool is cloud-based, the terms of use guarantee no retention and no training on your data
6
The use is documented if it falls within high-risk categories under the AI Act

Our AI security service

Audit

We analyze how AI is used in your company today, identify the risks and map the vulnerabilities. Often the first audit reveals uses of AI the company was not even aware of.

Policy and framework

We create the company policy on the use of AI, select compliant tools and define the procedures. A clear document that everyone can follow, not an incomprehensible legal manual.

Security training

We train the whole team on the security rules for using AI. Having a policy is not enough: people need to understand it and apply it in their daily work.

Complete the journey

AI Integration in Processes

Once the security framework is defined, you can integrate AI into your business processes with the certainty that your data is protected.

Discover AI integration →

Employee Training

Security starts with people. Our courses always include a dedicated module on the safe use of AI tools.

Discover AI training →

Frequently asked questions about AI security

Is it safe to use ChatGPT with company data?

It depends on the version and the use. The free version of ChatGPT may use the data you enter to train its models, so it is not suitable for confidential data. The Enterprise and Team versions guarantee no retention and no training on company data, and they are the standard for professional use. Even with the Enterprise version, however, you need clear policies on what to enter and what not to.

What is the difference between the free version and the Enterprise version of ChatGPT?

The key differences are: training on data (the free version may use it by default, the Enterprise version does not), manageable data retention, SSO and user management, audit log, guaranteed GDPR compliance. The cost difference is substantial compared to the risks of using the free version for business purposes.

Is the use of AI in a company GDPR compliant?

It can be, with the right precautions. GDPR applies fully when personal data is processed through AI tools. You need to: have a legal basis for the data transfer, inform customers and employees, update the record of processing activities, assess whether a DPIA is required, and correctly manage transfers outside the EU. A clear company policy and team training are essential.

What does the European AI Act require of Italian companies?

The AI Act is the European regulation on artificial intelligence, coming into force progressively from 2024. It classifies AI uses by level of risk and imposes increasing obligations. For companies: high-risk uses (HR, credit, healthcare) carry strict documentation and audit obligations; transparency towards users is required when they interact with an AI; penalties reach up to 35 million euros or 7% of global turnover.

What should I do if my employees are already using ChatGPT without a policy?

This is the most common situation today. The first step is an audit to understand how AI is actually used in the company — the surprises are often many. The second step is to create a clear policy on authorized tools, permitted data and validation rules. The third step is to train the team. Banning AI without alternatives does not work: employees will use it anyway, in secret. Governance is the only viable path.

Request an AI security assessment

Discover how your company uses AI today and what risks it faces. Our audit identifies vulnerabilities and provides you with a concrete action plan to protect your data.

Data Security and Privacy in the Use of AI