Which tool to choose

For a company, what matters isn't the brand but the type of contract.

  • For a team or an SME, the business plans (ChatGPT Business/Team, Claude Team, Gemini for Workspace) exclude training on content by default and give you management controls and a data processing agreement.
  • For organizations with strong obligations (healthcare, legal, regulated sectors), the enterprise plans add security guarantees, access control, custom retention, and certifications; they often allow you to sign tailored legal terms.
  • For the most sensitive data of all, an AI that runs on the company infrastructure or locally keeps everything within the walls, without passing through an external provider.

The personal plan, free or paid, isn't suited to working with client data: content is used for training by default, and the plan offers no contractual guarantees.

How to do it

  1. Choose and configure the business plan. Check in the contract that training on content is excluded and that there's a data processing agreement (a document that governs, for the purposes of privacy regulations, how the provider processes data on your behalf). This is the legal foundation.

  2. Write a one-page internal rule. What can and can't be pasted into the AI, who can use it, what must always be anonymized. Without a written rule, each employee decides by instinct, and that's where data leaks are born.

  3. Anonymize client data, always. Even on the protected plan, replace data that identifies a person (name, tax code, contacts, sensitive data) with placeholders before pasting it. The business plan covers training; it doesn't authorize you to process third-party data without a legal basis.

  4. Limit access and train people. Use named corporate accounts, not shared ones, and give a brief training session on what's risky. Most incidents arise from careless everyday use, not from an attack.

A template for the internal rule, to be adapted:

Company AI rule:
1. Use only the [company business plan] account, never personal accounts for work.
2. Never paste data that identifies a client (name, contacts, tax code, sensitive data):
   first replace it with placeholders ("Client A", "amount X").
3. Confidential documents: only the anonymized version; the originals stay on company systems.
4. When in doubt, ask the contact person before pasting.

A concrete example

An accounting firm wants to use AI to draft letters to clients. It activates a Team plan, where training on content is excluded by contract. It writes a one-page rule and has everyone sign it. When a staff member prepares a letter, they replace the client's name and amounts with placeholders; the AI structures the text; the staff member re-enters the real data in the firm's management software. The client's data never leaves the company systems, and the AI speeds up the work anyway.
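
The placeholder workflow from this example, as added Python code that is not part of the original guide: identifiers are swapped for tokens before pasting, the mapping stays local, and the real values are re-inserted into the AI's draft afterwards. The detector patterns (including the Italian-style tax code format), the bracketed token names, and the function names are assumptions to adapt; the sample letter is constructed.

```python
import re

# Assumed detectors, constructed for this example; adapt to your own data formats.
DETECTORS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "TAXCODE": re.compile(r"\b[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]\b"),  # assumed format
    "AMOUNT": re.compile(r"(?:EUR|€)\s?\d+(?:[.,]\d+)*"),
}
# Constructed sample letter, not real client data.
SAMPLE = ("Letter to Maria Rossi (RSSMRA80A41H501U, maria.rossi@example.com): "
          "balance due EUR 12.400,00. Maria Rossi must pay EUR 12.400,00 by 30 June.")


def pseudonymize(text, client_names):
    """Replace identifying values with placeholders; return (safe_text, mapping)."""
    mapping = {}   # placeholder -> real value; stays on company systems
    seen = {}      # real value -> placeholder, so repeats get the same token
    counters = {}

    def token(kind, value):
        if value not in seen:
            counters[kind] = counters.get(kind, 0) + 1
            seen[value] = f"[{kind}_{counters[kind]}]"
            mapping[seen[value]] = value
        return seen[value]

    # Names come from the firm's own client list; longest first avoids partial hits.
    for name in sorted(client_names, key=len, reverse=True):
        text = re.sub(re.escape(name), lambda m: token("CLIENT", name), text)
    for kind, pattern in DETECTORS.items():
        text = pattern.sub(lambda m, k=kind: token(k, m.group(0)), text)
    return text, mapping


def restore(text, mapping):
    """Re-insert the real values locally, after the AI has returned its draft."""
    for placeholder, value in mapping.items():
        text = text.replace(placeholder, value)
    return text


def leftovers(text, client_names):
    """Last check before pasting: anything identifying that is still present."""
    hits = [n for n in client_names if n in text]
    for pattern in DETECTORS.values():
        hits += pattern.findall(text)
    return hits
```

The mapping is the sensitive part: it stays on company systems and is never pasted alongside the text.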

When it does NOT work (and how to fix it)

If employees use their personal accounts "because it's more convenient"

It's the most frequent flaw: the business plan only protects what passes through the business plan. Fix: make the corporate account available to everyone, prohibit the use of personal accounts for work in the internal rule, and explain the why, not just the prohibition.

If you need to give the AI a document that can't be anonymized

Some documents lose meaning without the real data. Fix: for these cases consider an AI that runs on the company infrastructure or locally, so the document doesn't leave; alternatively, limit that processing to those who have the legal basis and document it.

If you don't know whether your sector allows using AI on client data

For regulated sectors the answer lies in the sector's regulations, not in the provider's contract. Fix: have the internal rule validated by whoever handles compliance or by a lawyer before starting; the AI gives the structure, but responsibility for the legal basis stays with the company.

A tip from someone who actually uses it

The technology is the easy part: a business plan is activated in an afternoon. The part that really protects is the written rule and the training of those who apply it every day. Invest the time there: a clear page and ten minutes of explanation are worth more than the most expensive plan used badly.

Frequently asked questions

Does the business plan shield me from privacy regulations?

In part. It gives you the exclusion from training and the data processing agreement, which are the foundation. But the responsibility for having a legitimate reason to process a client's data stays yours: the provider's contract covers the "how," not the "whether you can." That's why anonymization and internal validation remain necessary.

Can I let all employees use the AI without rules, since the plan is safe?

That's the mistake that cancels out the protection you paid for. The business plan is safe on the training front, but without an internal rule each person pastes whatever they want, including client data that shouldn't be shared. A protected tool plus careless use still produces a data leak. The written rule isn't bureaucracy: it's what turns a safe tool into safe use.