
Adopting Artificial Intelligence in the workplace: a practical guide to responsible AI adoption

Reading time: 8 min
Modification date: 3 June 2026

Over the last few years, artificial intelligence has transitioned from an emerging technology to a defining feature of modern business operations, transforming how companies draft documents, manage information, collaborate with clients, and deliver services. Efficient, ubiquitous, and inescapable, AI is now embedded across day-to-day workflows. When used responsibly, it enhances productivity and efficiency; when used carelessly, it exposes companies to General Data Protection Regulation (GDPR) violations, confidentiality breaches, regulatory risk, and reputational harm.

Drawing on experience supporting companies with AI governance and data protection compliance, we have developed a comprehensive framework to help companies integrate artificial intelligence in the workplace responsibly. This article explores AI’s role as an assistant, the importance of controlling data inputs, important technical and organisational safeguards, intelligence agency warnings regarding uncontrolled AI use, employee training, GDPR compliance requirements, and practical governance principles. By following this guide, companies can leverage AI’s benefits while protecting data, ensuring compliance, and maintaining trust.


Key takeaways on AI in business

  • AI in business should be regarded as an assistive tool rather than an autonomous decision-maker. Any decision involving data, customers or regulatory considerations should remain subject to human oversight.
  • The primary source of AI-related risk arises from the data entered by users. Organisations should avoid sharing confidential information, sensitive information or personal data with external AI tools.
  • Effective AI governance relies on internal policies, approved tools, business licences, data minimisation and anonymisation, and data processing agreements that comply with the GDPR (or the UK GDPR where it applies) and any other applicable data protection requirements.
  • Organisations using AI should assess their regulatory obligations, including the need to carry out a Data Protection Impact Assessment (DPIA) where processing activities are likely to result in a high risk to the rights and freedoms of individuals.
  • Ongoing employee training and the implementation of a dedicated AI governance framework are necessary to reduce the risks of data leakage, bias, hallucinations and non-compliance associated with artificial intelligence.

AI as an assistant in the workplace 

The most effective way to think about AI is as an assistant—not a decision-maker. AI serves as a supplemental professional resource rather than as a standalone solution. Companies must implement safeguards to ensure that human judgment remains the primary decision-maker, particularly because organisations remain accountable for AI outputs, data processing activities, and resulting decisions.  

An initial strategy for implementing AI safely should be deliberate and reasoned, clearly defining:  

  • The defined purpose of AI within the company; 
  • Authorised and prohibited AI tools; 
  • Approved tasks and use cases for AI support; and 
  • Categories of data permitted for AI processing.  

It is important to define AI use at your company through internal policies rather than leaving it to employees' discretion. Well-reasoned safeguards will not eliminate legal or security risk, but they reduce it substantially and give the company a defensible record of how AI is used.

Managing data inputs when using AI at work 

The majority of AI risks arise from the information the user provides. As a rule, employees should never input information into an AI tool that they would not be comfortable disclosing externally. This includes:

  • Confidential information; 
  • Proprietary business information; 
  • Personal data beyond what is strictly necessary; and 
  • Regulated or sensitive materials. 

Any AI input should be minimised, redacted, and anonymised whenever possible. Names, identifying details, and full documents should be avoided in favour of redacted excerpts or abstracted descriptions.

It is also imperative to be cautious when using AI-powered meeting transcription and recording tools. These tools often capture meeting participants’ voices, identities, chat messages, and shared materials—all of which constitute personal data. Transparency is fundamental: inform participants of the use of AI in advance, remind them at the outset of the meeting, and provide a meaningful opportunity to object or opt out. 

Vital safeguards for secure AI use in the workplace

To safely integrate AI into the workplace, companies must implement technical and organisational safeguards. Internal risk assessments have identified the following areas of high risk; each requires a safeguard before AI is rolled out in the workplace:

  • Mandatory business licences: Employees must be prohibited from using personal AI licences for work. Personal accounts prevent organisational control over data security, access logs, and auditability, and often default to indefinite data retention and reuse of inputs for model training. Employees should transition to business licences, which enable centralised administrative control, enforceable data retention and deletion settings, audit logging, and, in most business tiers, a contractual commitment that prompts are not used to train the provider's models.
  • Approved tools and controlled access: Companies should maintain a list of approved AI tools and permitted use cases.
  • EU data residency: For those operating in the EU, ensuring that data is processed and stored within the EU is an important factor in GDPR compliance, particularly in reducing international transfer and surveillance risks associated with non-EU hosting. If AI tools process data outside the EU/EEA, companies must ensure appropriate transfer safeguards are in place, such as Standard Contractual Clauses and supplementary technical or organisational measures.
  • Internal AI tools: For the most sensitive, proprietary, or confidential client information, external tools should be avoided entirely. Using an internal AI system hosted on company-controlled infrastructure is the strongest option for protecting confidentiality and proprietary information, with the caveat that the company then carries the full burden of securing the model, its prompt and output logs, and access to it.
  • Redaction and anonymisation: Before inputting data into any external AI tool, employees must redact all identifying elements, such as client names, contact details or specific project identifiers, substituting them with fictional placeholders (e.g. "Client X"). The mapping between placeholder and real identity should stay inside the company so that outputs can be re-identified locally without the provider ever seeing the original data.
  • Data Processing Agreements: Where an AI provider acts as a data processor, a Data Processing Agreement (DPA) is typically required. This ensures clarity around processing instructions, security measures, retention, sub-processors, and international data transfers.
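The redaction step above can be partly automated so that the same client or project always receives the same placeholder and the real identities never leave the company. The following is an added example written for this article, not code from Evidency or from any AI provider. It assumes a caller-supplied list of client and person names, a hypothetical project-identifier format of the form PRJ-1234, and a placeholder format of the form [KIND_n]; all three are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Identifiers that can be recognised by their shape alone.
# The PRJ-#### project-ID format is an assumption made for this example.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PHONE": re.compile(r"\+\d{1,3}(?:[ .-]?\d{1,4}){3,6}\b"),
    "PROJECT": re.compile(r"\bPRJ-\d{3,6}\b"),
}


@dataclass
class Redactor:
    """Replaces identifying elements with stable placeholders before a prompt
    is sent externally, and restores them in the reply. The mapping stays local."""

    known_names: list[str]                              # client/person names to redact
    mapping: dict[str, str] = field(default_factory=dict)   # placeholder -> original
    _reverse: dict[str, str] = field(default_factory=dict)  # casefolded original -> placeholder
    _counters: dict[str, int] = field(default_factory=dict)

    def _placeholder(self, kind: str, original: str) -> str:
        key = original.casefold()
        if key in self._reverse:            # same entity -> same placeholder
            return self._reverse[key]
        n = self._counters.get(kind, 0) + 1
        self._counters[kind] = n
        ph = f"[{kind}_{n}]"
        self.mapping[ph] = original
        self._reverse[key] = ph
        return ph

    def redact(self, text: str) -> str:
        # Names first, longest first, so "Acme Bank Ltd" wins over "Acme".
        for name in sorted(self.known_names, key=len, reverse=True):
            pat = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
            text = pat.sub(lambda m: self._placeholder("CLIENT", m.group(0)), text)
        # Then anything recognisable by pattern (emails, phones, project IDs).
        for kind, pat in PATTERNS.items():
            text = pat.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        return text

    def restore(self, text: str) -> str:
        """Re-identify a model reply locally using the stored mapping."""
        for ph, original in self.mapping.items():
            text = text.replace(ph, original)
        return text

    def leaked(self, text: str) -> list[str]:
        """Final check before sending: known names or patterned identifiers still present."""
        hits = [n for n in self.known_names
                if re.search(r"\b" + re.escape(n) + r"\b", text, re.IGNORECASE)]
        hits += [m.group(0) for p in PATTERNS.values() for m in p.finditer(text)]
        return hits


# Constructed sample prompt for the example; the people, company and numbers are fictional.
SAMPLE_PROMPT = (
    "Summarise the dispute between Acme Bank and Jane Doe (jane.doe@example.com, "
    "+33 6 12 34 56 78) on project PRJ-2048. Acme Bank wants the invoice reviewed."
)


def run_example() -> tuple[str, str]:
    """Redact the sample, confirm nothing known leaks, then restore a simulated reply."""
    r = Redactor(known_names=["Acme Bank", "Jane Doe"])
    outbound = r.redact(SAMPLE_PROMPT)
    assert r.leaked(outbound) == [], "refuse to send: identifiers still present"
    simulated_reply = "[CLIENT_1] should write to [CLIENT_2] about [PROJECT_1]."  # constructed
    return outbound, r.restore(simulated_reply)


if __name__ == "__main__":
    sent, back = run_example()
    print("sent to provider:", sent)
    print("restored locally:", back)
```

Pattern-based redaction only catches what you can describe in advance: a client named in passing who is not on the list, a postal address in free text, or context that identifies someone without naming them will still go out. Treat the tool as a layer beneath the policy, not a replacement for it, and remember that the mapping file is itself confidential data.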

Effective AI governance rests on a combination of technical, contractual, and organisational safeguards. Such safeguards support compliance and address the security risks identified by intelligence agencies. When implemented cohesively, these measures allow companies to benefit from AI's efficiency and innovation while ensuring regulatory compliance and preserving client trust.

French intelligence agency warns against uncontrolled AI use in companies

France's domestic intelligence agency, the Direction Générale de la Sécurité Intérieure (DGSI), has recently highlighted the risks associated with uncontrolled use of artificial intelligence in companies. The DGSI cautions that many public, free, and standard versions of generative AI tools commonly reuse user-submitted data to train their models, a practice liable to expose sensitive corporate information.

The DGSI also emphasises the data protection and security implications of certain generative AI tools whose privacy policies require user data to be stored on servers located outside the EU, often without obtaining clear and explicit consent. According to the DGSI, these practices increase exposure to economic interference, data leakage, and loss of control over strategic information, particularly when AI tools are used to process confidential documents or assess business partners.

More broadly, the DGSI identifies several concrete risks arising from uncontrolled AI use in the workplace, including:

  • Reuse of user-provided data by public generative AI tools for model training;
  • Storage of sensitive information on foreign servers without adequate safeguards;
  • Biases and hallucinations affecting AI-assisted evaluations of commercial partners; and
  • Acts of foreign interference and fraud using AI-generated deepfakes that replicate the voice or image of company executives.

The DGSI further notes that, despite widespread use of AI tools, a significant proportion of European companies still lack a formal AI policy or clear internal guidelines. This absence of governance significantly increases the risk of misuse, data leaks, and manipulation. The authority therefore calls on companies to establish an AI framework, emphasising the need for clear internal rules and comprehensive employee training to mitigate these risks.

Employee training and awareness for responsible AI use

Employee awareness is key to preventing accidental AI data exposure. In order to strengthen your company's defences and prevent AI-related risks, we advise providing employees with regular training and awareness, through measures such as:

  • Mandatory annual AI and GDPR awareness training;
  • Practical workshops on safe AI data input;
  • Clear guidance on approved AI tools and permitted use cases;
  • Awareness initiatives addressing AI hallucinations, inaccuracies, biases, and misinterpretation; and
  • Training on obtaining meaningful consent before using AI notetaking tools.

We advise holding recurrent training and awareness events. Ongoing programs, such as refresher sessions, onboarding modules, short reminders, and internal guidance will allow employees to uphold safe practices as AI tools continue to evolve.

GDPR compliance and AI in the workplace 

For companies established in the EU, and for companies outside the EU that process the personal data of individuals in the EU, complying with the GDPR is mandatory. A central pillar of this compliance is the Data Protection Impact Assessment (DPIA). A DPIA is a privacy risk assessment designed to identify, evaluate, and mitigate risks to individuals' rights and freedoms arising from data processing. It allows companies to properly identify and document the processing involved before introducing a new technology into the workplace, such as AI.

Under Article 35 of the GDPR, a DPIA is required when processing is likely to result in a high risk to individuals. Skipping a DPIA where one is required is itself a breach of Article 35, and in practice it leaves risks unassessed, safeguards missing, individual rights potentially violated, and international data transfers potentially unlawful.

A DPIA helps companies to understand and document risks to individuals, assess necessity and proportionality, identify appropriate safeguards, and demonstrate accountability. For AI, a DPIA should address issues such as data minimisation, retention, international transfers, vendor reliance, and human oversight. It should be reviewed regularly and updated when tools or use cases materially change. 

A well-structured DPIA should include:  

Description of the processing  

  • What data is processed? 
  • What is the purpose of the data processing?  
  • Who is processing the data?  
  • How is the data being used? 
  • How is the data being collected?  
  • Is the data stored in the EU or outside of the EU? 
  • How often and in what circumstances is the data being deleted?  
  • What tools are being used for processing? 
  • Which vendors are being used for processing?  

Purpose and legal basis 

  • Why is the processing necessary?  
  • Which lawful basis applies under GDPR?  

Assessment of necessity and proportionality 

  • Is the processing appropriate for its purpose? 
  • Is more data being collected than is necessary? 
  • Do less intrusive alternatives exist?  

Risk analysis 

  • What are the potential risks to individuals’ rights? 
  • What is the likelihood and severity of harm?  
  • Will any freedoms be infringed upon? 
  • Are the AI tools engaging in international transfers? 
  • What are the risks of data leaks, misuse, bias, and loss of control?  

Safeguards and mitigation measures 

  • What technical controls will be used to reduce identified risks? 
  • What organisational controls will be used to reduce risks?  
  • What specific actions will be undertaken to reduce risks?  
  • Will the company be using Data Processing Agreements with vendors that include Standard Contractual Clauses?  

Residual risk evaluation 

  • Of the risks identified, which are acceptable?  
  • Do any of the risks identified require further action? 
  • Can any additional mitigation measures be implemented? 

Review and governance 

  • How often will the DPIA be reviewed? 
  • Who is the company's Data Protection Officer (DPO), or, where none is designated, who holds the data protection role?
  • Who will implement the mitigation measures and in what time frame?  
  • Who is responsible for oversight of the DPIA? 

A sample DPIA template is available from gdpr.eu to help your company draft its own DPIA: https://gdpr.eu/wp-content/uploads/2019/03/dpia-template-v1.pdf

A practical framework for implementing AI in the workplace

As AI becomes a routine part of daily business operations, it must be accompanied by clear guidelines, accountability, oversight, and principled governance. The principles below provide a clear and practical framework that companies can adopt to manage AI-related risks:  

  • Define the purpose of AI: AI should be used to support specific professional tasks (drafting, summarisation, research, customer support, etc.). Identify how AI is used across the company and what data it touches. Each use should have a clearly defined purpose and scope.
  • Establish a company AI policy: Companies should provide employees with a clear, accessible AI policy governing the use of AI. The policy must define which tools are permitted or prohibited, identify appropriate tasks for AI support, require the use of business licences, specify what types of data may and may not be used, and ensure human oversight of all AI-generated output.
  • Implement legal and technical controls: Employees should only use AI tools that have been formally approved by the company and exclusively through business accounts. Contracts, DPAs, security configurations, and retention settings should be considered and soundly implemented. Personal AI accounts should be prohibited, as they limit security, oversight, and compliance.
  • Minimise and protect data: Only the minimum information necessary should be shared with AI tools. Confidential, client-restricted, or sensitive personal data should be excluded, anonymised, or handled through controlled internal systems.
  • Ensure transparency and oversight: Privacy notices, client communications, and internal documentation should be updated to reflect AI use. Individuals should be notified transparently and in advance of meeting transcription AI use. AI should never operate without human oversight or be used as the sole basis for decisions.
  • Provide training and awareness: Regular company-wide training, awareness initiatives, and periodic reviews of AI tools and practices are important as technology and regulations evolve. A company steering committee dedicated to the evaluation and approval of new AI tools should be established.
  • Remain informed about evolving AI regulation: Companies should monitor emerging regulatory frameworks, including the EU AI Act, which is in force and introduces additional compliance obligations on a phased timetable according to the risk level of specific AI applications. Staying informed allows companies to anticipate regulatory requirements, proactively adjust governance practices, and avoid disruption as new obligations apply.

Frequently asked questions about AI in the workplace

Can employees use public AI tools such as ChatGPT at work?

The use of public AI tools in the workplace should never be left to individual discretion. Companies should define which AI tools are permitted, the scope of their permitted use, and the account types through which they may be accessed. In most cases, employees should be prohibited from using personal AI accounts for professional purposes, as these prevent organisational control over data retention, security, and auditability. If public AI tools are authorised, they should be accessed exclusively through business licenses and subject to strict data-input limitations.

Is the use of artificial intelligence in the workplace GDPR compliant?

Artificial intelligence can be used in a GDPR-compliant manner, provided that appropriate safeguards are implemented. This includes defining a lawful basis for processing, ensuring transparency and limiting data inputs to what is strictly necessary, and maintaining human oversight over AI-assisted outputs. In many cases, particularly where AI processes personal data or introduces new risks, a Data Protection Impact Assessment (DPIA) will be required before deployment.

What types of data should never be shared with AI tools?

As a general rule, employees should never input data into AI tools that they would not disclose externally. This includes confidential client information, proprietary business data, regulated materials, and unnecessary personal data. Where AI support is needed, information should be minimised, anonymised, or abstracted wherever possible, and highly sensitive data should be processed only through controlled internal systems.

Artificial intelligence and the regulatory expectations around it will continue to evolve and mature in tandem. Companies that embed governance, accountability, and transparency into their AI practices will be best positioned to adapt with confidence and in compliance. A responsible and deliberate approach to AI will allow your company to evolve safely and sustainably.

  • Marine

    Marine is the Chief Marketing Officer at Evidency. A specialist in branding and brand activation, she has international experience in both B2B and B2C.
