My team uploads customer data to ChatGPT without anyone having decided. What do I do?


Someone from the sales team uses ChatGPT to write proposals. To make the output useful, he pastes in customer names, contract details and industry information. He does it every week. No one has banned it because no one knows. Until today.


This happens in more companies than it seems. Not out of bad faith, but because no one has defined what can and cannot be done with AI tools. And when there are no shared criteria, each person decides for themselves.


If you have just discovered that this is happening in your company, this guide tells you what to do in the next few hours and what you need to build so that it does not happen again.

It is not a technology problem; it is a problem of criteria that no one has established.

First: Understand what exactly happened


Before acting, you need to know:

What data has been processed?


Is it personal data of customers — names, emails, contract data? Is it confidential business data — prices, strategies, supplier information? Or is it generic data with no identifying information? The answer determines what real risks you have.

With what tool and under what conditions?


ChatGPT has different conditions depending on the plan: the free version can use the inputs to train models; the Enterprise version includes guarantees that data will not be used for training. If the team used the free version with customer data, the risk is different from if it used Enterprise. The same applies to other tools: Gemini, Claude.

How often and who?


Is it an isolated case or a widespread practice? Only one person or several departments? This determines the scope of the problem and the urgency of the response.

The Real Risk: GDPR and Liability


If the processed data is personal in the sense of the GDPR (any information that identifies or allows identifying a natural person), the company has a potential legal problem.


The GDPR establishes that the data controller, the company, must have a legal basis to process personal data and, if it uses third parties to do so, must have a data processing agreement with them. ChatGPT, Gemini or any AI tool is a third party. If there is no contract, there is no legal basis for that processing.


The responsibility does not fall on the employee; it falls on the company. What the team has done is a symptom of an organizational problem, not an individual one.

What to do in the next few hours

1. Do not dramatize or escalate before having the facts


Before calling meetings or sending communications to the team, collect the information you need: what data, what tool, under what conditions, who, and for how long. Without that information, any action is premature.

2. Consult your DPO or legal adviser


If you have a data protection officer, this is the time to consult them. You need to know whether the processing that has occurred requires notification to the Spanish Data Protection Agency (AEPD). Notification is only mandatory if there is a security breach that poses a risk to the rights of those affected. Not every misuse of AI with personal data automatically constitutes a notifiable breach, but the legal assessment matters here.

3. Communicate to the team clearly, without blaming


The team did not act in bad faith; it acted in the absence of criteria. Internal communication should convey three things: that the company has detected a use of AI tools that needs to be reviewed, that clear criteria will be established soon, and that in the meantime there is a provisional instruction on what not to do.

4. Establish an immediate provisional instruction


Until a formal policy exists: do not use external AI tools with customers' personal data, confidential contract data, or strategic business information. That can be communicated in a short email today.

A provisional instruction sent today is worth more than a perfect policy that will arrive in three months.

What you need to build so that it does not happen again


A provisional instruction resolves the urgency; it does not solve the problem. What solves the problem is an AI usage policy that the team understands, can apply, and knows why it exists.


That policy needs to answer at least these questions:


— What AI tools are approved for professional use in the company.


— What types of data can be used with AI and which cannot.


— What process exists to approve the use of a new tool.


— Who is accountable if something goes wrong.


Without those answers in writing, the company will continue to depend on each person making the right decision individually. And that is trust without structure.

Frequently Asked Questions

Is it illegal for my employees to use ChatGPT with customer data?


It depends. If the data is personal, processing it with a third-party AI tool without a legal basis or a data processing agreement may violate the GDPR. The responsibility lies with the company, not the employee. The first thing is to understand what data has been processed and with what tool.

Do I have to notify the AEPD?


Only if there is a security breach that poses a risk to the rights of the affected people. Improper use of AI tools with personal data does not always constitute a notifiable breach, but it can be if there is an international transfer of data without guarantees. When in doubt, consult your DPO or legal adviser.

How do I prevent it from happening again?


With an AI usage policy that establishes which tools are approved, what data can be used with AI and who authorizes exceptions. Without that policy, the team will continue to make individual decisions about something that has collective consequences.

Raquel López Hernández, founder of Ethiceye and consultant in responsible AI

Raquel López Hernández

Raquel López Hernández is the founder of Ethiceye, a consultant and trainer specialising in responsible AI, AI governance and AI literacy. With a long career in education, she collaborates with the European Commission’s European Digital Education Hub on initiatives relating to AI literacy and ethics.

She has trained teachers from across Europe at the Europass Teacher Academy (Florence) and supports schools and organisations in developing frameworks, policies and strategies to integrate AI in line with their own criteria.

Contact Raquel López