ChatGPT in the workplace – Is it ok for our employees to use ChatGPT to do their work?

Is it ok for our employees to use ChatGPT to do their work? Can we use the OpenAI API for a chatbot?

It depends. We are in a period of rapid development in the AI world, with new EU regulation around the corner, and the safest option would be to wait until further guidance is provided by your country's supervisory authority. However, the following actions should be taken at a minimum:

1. ChatGPT usage by employees

  • Employees may enter the personal data of colleagues and clients, as well as business secrets, into their prompts. Is OpenAI a trustworthy recipient of that data?
  • ChatGPT is a high-profile target for data breaches.
  • Quality control and accuracy of responses are an issue. We are sure that you have used ChatGPT for a quick answer and have been confused, or misled, by the response.
  • International data transfers to the U.S.
  • Lack of transparency from OpenAI regarding how the Large Language Model (LLM) works. Their privacy policy is constantly being updated, but it currently (as of 08/06) does not provide the necessary information.

This is not a perfect solution, but you will need to implement either an 'AI Usage Policy' covering all AI tools or a 'ChatGPT Acceptable Use Policy'. If you don't provide some guidance, employees will most likely use ChatGPT without authorisation anyway. This policy should cover at least the following:

  • Ensure that employees do not sign up with their real name or an email address containing their name. Your company can create several disposable email accounts with generic names for this purpose.
  • Ensure employees don't sign up with a work email address that identifies the company they work for (i.e., an address on the company's own domain).
  • Ensure that employees do not input the personal data of employees, clients, etc.
  • Ensure that employees do not over-rely on ChatGPT, and always double-check the accuracy of outputs.
  • Turn off chat history and model training in ChatGPT's data controls (what is sometimes referred to as 'private mode'), so that conversations are not retained and used to train the model.

Best practice: ban the use of ChatGPT in the organisation until further guidance is released by the supervisory authorities or the European Data Protection Board (EDPB).

2. OpenAI API Integration

  • International transfer of all personal data entered by website visitors, requiring contractual changes and a Transfer Impact Assessment [TIA: a risk assessment covering the transfer].
  • Lack of transparency from OpenAI regarding how the model is trained and how it processes inputs.
  • 'Use of innovative technology', which many supervisory authorities specifically indicate includes AI tools, requires a Data Protection Impact Assessment prior to implementation. This would require some input from OpenAI on their processing, which they currently do not provide.
  • You cannot accurately reply to Data Subject Requests if you cannot explain the data processing involved, and OpenAI do not provide this information. If you cannot answer, you can face significant fines/sanctions!
  • New EU AI regulation is coming which could impact your implementation.

Again, this is not a perfect solution, as the situation is very much developing with regulation and different national authorities. For example, Italy's supervisory authority temporarily blocked ChatGPT and later lifted the block, and any country within the EU could do the same tomorrow, which would naturally affect your implementation. The best option would be to wait for more guidance; however, if you have made the business decision to implement it, you should consider the following:

  • Request, review and sign a Data Processing Agreement (DPA) with OpenAI, incorporating the EU Standard Contractual Clauses for EU clients. OpenAI publishes a DPA on its website, but you must request a signed version via their form.
  • Transfer Impact Assessment [TIA] to evaluate the risk of the international transfer.
  • Data Protection Impact Assessment [DPIA] for the use case, prior to implementation. Very important!
  • Add the use of the API and chatbot to the Register of Processing Activities [RoPA].

Best practice: do not implement the API until OpenAI provides detailed information on their processing that would enable you to complete a TIA and DPIA. Also, speak to your DPO, lawyer or advisor about the issue.

Even with these measures, the environment is changing and unclear. What is compliant today may not be compliant tomorrow, and many practitioners will say it is not compliant today! In these instances, you must conduct the risk and impact assessments above, and make a business decision on whether the tool is worth implementing given the associated risks.


Note: This blog entry does not constitute legal advice and is for informational purposes only.

Created by: Charles Maddy-Trevitt

UK Market GDPR Specialist at Borneo.
Charles has a background in a wide range of industries and sectors, with international experience (US/UK/Canada/EU) in data protection. It is this knowledge and experience that allows Charles to guide clients through the minefield of data protection regulations and make compliance simple.
