How to use AI in your company without the risks
Practical guide for introducing AI into an Italian SME without violating GDPR, leaking sensitive data, or creating legal problems. Tools, rules, and real-world cases.
Published: June 3, 2025
Your employees are already using ChatGPT. Even if you don’t know it. The question is not whether to use it — it’s how to use it without hurting yourself.
ChatGPT Free and Plus (the personal plan at $20/month) use conversations to train models by default; the opt-out is a per-account setting that employees rarely touch. If one of your employees pastes an NDA with client Rossi SpA and asks for a summary, that data leaves the company and ends up on US infrastructure under a consumer contract, with no processing agreement in place. This touches GDPR (personal data handed to a third-country provider that acts as an independent controller, with no legal basis and no processor agreement), the NDA itself, and financial data that carries heightened protection.
What to never put in a prompt
Before buying any tools, train your people. A blocklist to share with the entire team:
- Names and personal data of clients, suppliers, and employees
- Contents of contracts, offers, and quotes
- Proprietary source code or system configurations
- Internal financial data: revenue, margins, costs
- Credentials, even “masked” ones
- Confidential communications (board emails, meeting minutes)
Write this list in a one-page document and have everyone sign it. It is not the final solution, but it stops the most obvious leaks immediately.
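A signed list is a promise; a check that runs over a prompt before it leaves the machine (in an internal chat gateway, a browser extension, or a paste hook) makes part of it enforceable. The scanner below is an added example and not code from this article: it recognises the identifier shapes an Italian SME actually handles (codice fiscale, partita IVA with its checksum, Italian IBAN with the mod-97 check, e-mail addresses and credential-looking key=value pairs) and redacts them before the text goes anywhere. The sample e-mail is constructed. Names, contract wording and revenue figures have no regular shape, so the list stays the primary control and this is the safety net under it.

```python
"""Pre-prompt scanner for the blocklist (added example, not code from the article).
Catches identifiers with a fixed shape before text is sent to an external model.
Names, contract wording and financial figures have no regular shape: the signed
list stays the primary control and this is the safety net under it."""
import re
from dataclasses import dataclass

PATTERNS = {
    # Codice fiscale: 6 letters, 2 digits, month letter, 2 digits, 1 letter, 3 digits, check letter.
    # (Omocodia variants that swap digits for letters are not covered.)
    "codice_fiscale": re.compile(r"\b[A-Z]{6}\d{2}[ABCDEHLMPRST]\d{2}[A-Z]\d{3}[A-Z]\b"),
    # Partita IVA: 11 digits; the shape alone also matches order numbers, so a checksum is applied below.
    "partita_iva": re.compile(r"\b\d{11}\b"),
    # Italian IBAN: IT + 2 check digits + CIN letter + ABI/CAB (10 digits) + 12-char account.
    "iban_it": re.compile(r"\bIT\d{2}[A-Z]\d{10}[A-Z0-9]{12}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Credential-looking pairs, including "masked" ones such as password=********
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd|api[_-]?key|secret|token)\s*[:=]\s*\S+"),
}


def partita_iva_ok(digits: str) -> bool:
    """Luhn-style check used by Italian VAT numbers: double the digits in even
    positions (2, 4, ..., 10), subtract 9 when the result exceeds 9, and the
    total over all 11 digits must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


VALIDATORS = {"partita_iva": partita_iva_ok, "iban_it": iban_ok}


@dataclass
class Finding:
    kind: str
    value: str
    start: int
    end: int


def scan(text: str) -> list[Finding]:
    """Return non-overlapping findings in text order, dropping matches whose checksum fails."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            check = VALIDATORS.get(kind)
            if check and not check(m.group(0)):
                continue  # right shape, wrong checksum: an order number, not an identifier
            hits.append(Finding(kind, m.group(0), m.start(), m.end()))
    hits.sort(key=lambda f: (f.start, -f.end))
    findings, last_end = [], -1
    for f in hits:
        if f.start >= last_end:  # keep the earliest/longest of any overlapping pair
            findings.append(f)
            last_end = f.end
    return findings


def redact(text: str) -> tuple[str, list[Finding]]:
    """Replace each finding with a [KIND] placeholder; work from the end so offsets stay valid."""
    findings = scan(text)
    out = text
    for f in reversed(findings):
        out = out[:f.start] + f"[{f.kind.upper()}]" + out[f.end:]
    return out, findings


# Constructed sample: the kind of e-mail an employee might paste into a chatbot
SAMPLE = """Hi, attached is the draft contract with Rossi SpA (P.IVA 12345678903).
Contact: Mario Rossi, CF RSSMRA80A01H501U, mario.rossi@example.com.
Wire payment to IT60X0542811101000000123456. VPN access: password=Pr0va!2025
Order number 20250603001 (eleven digits, but not a VAT number)."""

if __name__ == "__main__":
    clean, found = redact(SAMPLE)
    for f in found:
        print(f"{f.kind:15} {f.value}")
    print("\n" + clean)
```

Running it on the sample reports five findings (VAT number, codice fiscale, e-mail, IBAN, password) and leaves the eleven-digit order number alone because its checksum fails; the redacted text is what may go to a cloud model, and even that only under the policy.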
Enterprise versions that comply with GDPR
If you want to use AI seriously, enterprise versions exist with real contractual guarantees.
Azure OpenAI Service — GPT-4o and GPT-4 models through Azure. Your data is not used to train models, you have data residency in Europe (Sweden Central, France Central), and you sign a DPA with Microsoft. Pay-per-token, roughly $0.005 per 1K input tokens on GPT-4o.
ChatGPT Enterprise — explicit policy: prompts are not used for training, data managed with SOC 2 Type II, DPA available. Starting at ~$60/user/month at volume.
Microsoft 365 Copilot — if you already have M365 Business Premium, Copilot respects the same guarantees as your Microsoft contract: data in the EU tenant, signed DPA, zero training on your data. Add-on at ~$30/user/month.
Gemini for Google Workspace — if you already use Workspace Business/Enterprise, included in Business Plus plans or add-on at ~€22/user/month, same GDPR guarantees as the Google Workspace contract.
The practical rule: before activating any enterprise AI tool, find the Data Processing Agreement, verify that it includes European data residency, and check how long prompts are retained. Residency is not zero retention: Azure OpenAI, for example, keeps prompts and completions for up to 30 days for abuse monitoring unless you have been approved to turn that off.
Local solution: data that never leaves
For sensitive internal use cases (document analysis, drafting assistance, log review) a local LLM removes the third-party transfer problem entirely: nothing leaves your network. It does not remove the other risks (wrong output, an internal instance anyone can sign up to, prompt injection via the documents you feed it), so it still sits under the same policy.
# Install Ollama (read the script before piping it to sh; it sets up a systemd
# service that listens on 127.0.0.1:11434 by default)
curl -fsSL https://ollama.com/install.sh | sh
# Download a model (Llama 3.1 8B, ~5GB)
ollama pull llama3.1:8b
# ChatGPT-like web interface running locally; it reaches the host's Ollama
# through host.docker.internal:11434, the image's default OLLAMA_BASE_URL
docker run -d -p 3000:8080 \
  --add-host=host.docker.internal:host-gateway \
  -v open-webui:/app/backend/data \
  --name open-webui --restart always \
  ghcr.io/open-webui/open-webui:main
Access it at http://192.168.0.X:3000. The first account registered becomes the administrator: create the accounts your team needs from the admin panel, then recreate the container with -e ENABLE_SIGNUP=false so nobody else can self-register. If the server also has an internet-facing address, publish the port on the LAN interface only (-p <LAN-IP>:3000:8080) rather than on all interfaces. That gives you a private company ChatGPT. Minimum decent hardware: 16 GB RAM for CPU-only (slow but functional), a GPU with 8 GB VRAM for something usable (RTX 3060, used ~€150).
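The other half of "data that never leaves" is making sure your own scripts can only reach the local model. Ollama exposes a small HTTP API on port 11434, and because every provider now offers the same request shape, pointing a script at a cloud endpoint is a one-line change that nobody notices. The helper below is an added example (not part of this article, of Ollama or of Open WebUI): it builds the /api/generate request, refuses any endpoint that is not loopback, link-local or RFC 1918 before a single byte is sent, and returns the model's answer. The model name and host match the install steps above; the auth log in the usage section is constructed.

```python
"""Local-only LLM client for internal tooling (added example, not from the article).
Assumptions: Ollama installed as above on the same host (127.0.0.1:11434) with
llama3.1:8b pulled; the log lines under __main__ are constructed."""
import ipaddress
import json
import socket
import urllib.request
from urllib.parse import urlparse

OLLAMA_URL = "http://127.0.0.1:11434"  # Ollama's default listen address
MODEL = "llama3.1:8b"


def endpoint_is_private(url: str) -> bool:
    """True only if the URL points at loopback, link-local or RFC 1918 space.
    A hostname is resolved (IPv4) and judged by its address; an unresolvable
    host or a non-http(s) scheme is rejected rather than trusted."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return False
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(socket.gethostbyname(host))
        except (socket.gaierror, ValueError):
            return False
    return addr.is_loopback or addr.is_link_local or addr.is_private


def build_request(prompt: str, model: str = MODEL) -> dict:
    """Body for POST /api/generate. stream=False makes Ollama answer with one
    JSON object whose 'response' field holds the whole completion."""
    return {"model": model, "prompt": prompt, "stream": False,
            "options": {"temperature": 0}}


def ask_local(prompt: str, base_url: str = OLLAMA_URL, timeout: int = 120) -> str:
    """Send the prompt to the local model; raise before anything is sent if the
    endpoint is not on the local network."""
    if not endpoint_is_private(base_url):
        raise ValueError(f"refusing to send company data to non-local endpoint {base_url!r}")
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/generate",
        data=json.dumps(build_request(prompt)).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["response"]


if __name__ == "__main__":
    # Constructed SSH auth log excerpt: internal data that must not go to a cloud model
    LOG = """\
Jun  3 08:12:01 vpn01 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun  3 08:12:04 vpn01 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun  3 08:12:09 vpn01 sshd[2219]: Accepted publickey for backup from 10.0.4.17 port 40122 ssh2
Jun  3 08:13:30 vpn01 sshd[2240]: Failed password for admin from 203.0.113.45 port 51030 ssh2"""
    prompt = ("You are reviewing an SSH auth log. List the source IPs with repeated "
              "failures and say whether any login succeeded.\n\n" + LOG)
    print(ask_local(prompt))
```

Because the guard runs on the resolved address and not on the string, a hostname that quietly points outside the LAN is refused too; the price is that an unresolvable name is treated as unsafe, which is the right failure mode for a tool that handles customer data.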
AI policy in 30 minutes
You don’t need an external lawyer to get started. All you need is an internal document that answers five questions: which tools are authorized, what must never be uploaded, who approves new tools, how output is verified, and how incidents are reported. One page, signed by everyone. Have your lawyer review it later, but distribute it now.
What to do
- This week: send an anonymous form to employees to find out which AI tools they are already using — the answer will surprise you
- Within 15 days: distribute the internal AI policy (even just the one-page v1.0) and verify that M365 or Google Workspace has an active DPA and EU data residency configured
- If you have devs on the team: evaluate Ollama + Open WebUI on an internal server for all tasks that touch proprietary code or customer data