Generative AI and Data Privacy: What Your Enterprise Must Do Before the Fine Arrives

March 24, 2026 | 8 min read

Every time an employee pastes client data into ChatGPT, it's a personal data processing event under GDPR, LGPD, and other privacy laws — requiring a legal basis, a data processing agreement, and a processing record. Here's what to implement now.

The problem nobody wants to face

Every time an employee types a client's name, a contract detail, or a colleague's information into a generative AI tool, something specific happens under privacy law: personal data processing.

GDPR, LGPD, CCPA, and their equivalents define "processing" broadly: collection, storage, use, transmission, disclosure. Sending a prompt containing personal data to ChatGPT, Gemini, or any LLM is, legally, a disclosure of that data to a third party, and it is processing whether or not the tool retains the prompt afterwards.

That has direct consequences for your company.


What privacy law requires when you use AI with client data

1. A valid legal basis

You need a valid legal basis to process personal data using AI tools. The most common in enterprise contexts:

  • Legitimate interest — requires documentation and a balancing test against data subject rights
  • Contractual necessity — if the processing is necessary to deliver a service to the data subject
  • Consent — when obtained specifically, freely, and in an informed manner

"It's convenient" and "it improves productivity" are not legal bases.

2. A Data Processing Agreement (DPA)

The AI provider handling your clients' personal data acts as a data processor under GDPR (Art. 28) and equivalent frameworks, provided it processes the data only on your documented instructions. Art. 28 requires:

  • A formal contract with data protection clauses (subject matter, duration, nature and purpose of processing, data categories, and the processor's obligations)
  • A commitment that the provider processes the data only on your instructions, which in practice means it will not use your inputs to train its models
  • Clear liability allocation and breach notification duties in the event of a data incident

OpenAI, Google, and Anthropic provide DPAs for enterprise clients (API and Enterprise plan customers), and the DPA covers only data sent through the contracted service. If your company uses free or consumer-tier versions of these tools, those contracts almost certainly don't exist, and the consumer terms typically allow the provider to use inputs for training unless the user opts out.

3. A record of processing activities

If you systematically process personal data using AI tools, you must:

  • Record this activity in your Record of Processing Activities (RoPA)
  • Assess whether a Data Protection Impact Assessment (DPIA) is required — especially for sensitive data categories

What the fines actually look like

Under GDPR: up to 4% of total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher.
Under LGPD: up to 2% of the company's (or group's) revenue in Brazil for the last fiscal year, excluding taxes, capped at R$50 million per infraction.

Beyond financial penalties:

  • Suspension of data processing activities (potentially halting core operations)
  • Reputational damage with clients and partners
  • Employment liability if employee data is compromised
  • Joint liability in the event of a breach involving an AI vendor

Data protection authorities in the EU, UK, and Brazil are actively investigating AI-related incidents. Enforcement velocity increased 3x in Q1 2026.


The 4 highest-risk scenarios in enterprise settings

Scenario 1: AI-powered customer service
A chatbot processing client names, emails, purchase history, and national ID numbers. Requires a documented legal basis, a DPA with the AI provider, and — where applicable — explicit customer consent.

Scenario 2: HR and AI
CV screening, performance analysis, automated feedback generation. Employee data is personal data — and labor law adds additional obligations beyond privacy frameworks.

Scenario 3: Legal AI use
Attorneys using AI to review contracts containing client or counterparty data. Beyond privacy law, attorney-client privilege and bar association ethics codes are at stake.

Scenario 4: Financial analysis
Using AI to analyze cash flows, credit risk, or payment behavior involves financial data that may qualify as sensitive in certain jurisdictions, triggering stricter processing requirements.


What to do in the next 30 days

Step 1: Inventory AI tools by department

List every AI tool in use, including browser-based tools and API integrations buried in internal applications. Ask explicitly whether client, employee, or partner data is being used as input. Many shadow AI tools only surface at this stage, so do not rely on self-reporting alone: web proxy, DNS, and SSO logs show which AI endpoints are actually being reached and from which departments.
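One way to seed the inventory from logs, as an added example that is not part of the original article: the script below parses web proxy records, matches the destination host against a catalogue of known AI endpoints, and groups hits by department, vendor, and tier, flagging consumer-tier use (which no enterprise DPA covers) for follow-up. The log format, the user-to-department map, and the sample log lines are constructed for the example; the hostname catalogue is an assumption that you must maintain yourself, since providers add and rename endpoints.

```python
"""Seed an AI-tool inventory from web proxy logs (added example, not the page's own code)."""
import re
from collections import defaultdict

# Assumed catalogue (maintain it yourself): host -> (vendor, tier).
# "consumer" marks the web front end that consumer accounts use;
# "api" marks the endpoint that enterprise/API DPAs typically cover.
AI_ENDPOINTS = {
    "chatgpt.com": ("OpenAI", "consumer"),
    "chat.openai.com": ("OpenAI", "consumer"),
    "api.openai.com": ("OpenAI", "api"),
    "gemini.google.com": ("Google", "consumer"),
    "generativelanguage.googleapis.com": ("Google", "api"),
    "claude.ai": ("Anthropic", "consumer"),
    "api.anthropic.com": ("Anthropic", "api"),
}

# Assumed proxy log format: "<iso-ts> <user> <src-ip> <method> <host> <bytes-out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$"
)

# Assumed directory lookup; in practice pull this from your IdP or HR system.
USER_DEPT = {"alice": "Legal", "bob": "Finance", "carol": "HR", "svc-crm": "Engineering"}

# Constructed sample log, including one malformed line and one non-AI host.
SAMPLE_LOG = """\
2026-03-20T09:14:02Z alice 10.1.4.22 POST chatgpt.com 18231
2026-03-20T09:15:40Z bob 10.1.7.9 POST chatgpt.com 942
2026-03-20T09:16:03Z carol 10.1.9.14 POST claude.ai 56120
2026-03-20T09:17:11Z svc-crm 10.1.2.5 POST api.openai.com 4100
2026-03-20T09:18:30Z alice 10.1.4.22 GET www.example.com 310
2026-03-20T09:19:02Z bob 10.1.7.9 POST gemini.google.com 2210
malformed line that should be skipped
"""


def classify_host(host):
    """Return (catalogue_host, (vendor, tier)) if host or a parent domain is a known AI endpoint."""
    parts = host.lower().split(".")
    # Walk from the full host up to the registrable domain (never the bare TLD).
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in AI_ENDPOINTS:
            return candidate, AI_ENDPOINTS[candidate]
    return None


def build_inventory(log_text):
    """Aggregate AI-endpoint traffic by (department, vendor, tier).

    Returns (inventory, skipped) where skipped counts unparseable lines,
    so silent log corruption does not masquerade as 'no AI use'.
    """
    inventory = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "users": set()})
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        hit = classify_host(m["host"])
        if hit is None:
            continue  # ordinary web traffic, not an AI endpoint
        _, (vendor, tier) = hit
        dept = USER_DEPT.get(m["user"], "unknown")
        rec = inventory[(dept, vendor, tier)]
        rec["requests"] += 1
        rec["bytes_out"] += int(m["bytes"])  # upload volume hints at pasted documents
        rec["users"].add(m["user"])
    return dict(inventory), skipped


def consumer_tier_findings(inventory):
    """Rows needing follow-up: consumer-tier use is outside any enterprise DPA."""
    return sorted(key for key, rec in inventory.items() if key[2] == "consumer")


if __name__ == "__main__":
    inv, skipped = build_inventory(SAMPLE_LOG)
    for (dept, vendor, tier), rec in sorted(inv.items()):
        print(f"{dept:12} {vendor:10} {tier:9} requests={rec['requests']} "
              f"bytes_out={rec['bytes_out']} users={sorted(rec['users'])}")
    print(f"consumer-tier findings: {consumer_tier_findings(inv)}; skipped lines: {skipped}")
```

The output is a starting point for the departmental interviews, not the inventory itself: it tells you which teams to ask, and the bytes-out column tells you which sessions look like document uploads rather than one-line questions. Matching on hostnames misses tools that run behind generic CDNs or inside SaaS products, which is why the interview step still matters.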

Step 2: Check contracts with AI providers

Does each provider have a signed DPA? Free and consumer-tier accounts are typically incompatible with enterprise data processing. This isn't a matter of interpretation: the providers' own terms for those tiers say so.

Step 3: Define and document the legal basis

For each type of personal data processed with AI, document the applicable legal basis. Involve your DPO or legal counsel. This documentation is the first thing a data protection authority will request.

Step 4: Create or update your AI acceptable use policy

Specify which tools are approved, which data categories can be used as input, and how to report and escalate incidents.


Frequently asked questions

Does every AI tool need a DPA?
Yes, if you're processing third-party personal data as input. If the AI only processes fully anonymized or synthetic data, the calculus changes, but that's genuinely rare in enterprise day-to-day use. Note that pseudonymized data (names swapped for tokens you can map back) is still personal data under GDPR and does not remove the obligation.

Does ChatGPT have a DPA available?
Yes — for API customers and ChatGPT Enterprise subscribers. For free and ChatGPT Plus accounts: no DPA is available for processing third-party personal data.

Do privacy laws apply to AI tools hosted outside my country?
Yes. If the data subjects are in the EU, UK, Brazil, or other regulated jurisdictions, those laws apply regardless of where the server is located. Sending the data to a provider outside the jurisdiction also triggers the international transfer rules (under GDPR, Chapter V: an adequacy decision, standard contractual clauses, or another transfer mechanism), which the provider's DPA normally addresses.

An employee used AI with client data without authorization. Is the company liable?
Yes. The company is the data controller and is accountable for its processors' and employees' actions. A formal usage policy, documented training, and technical controls that enforce the policy (approved-tool allowlists, proxy blocking of consumer endpoints) are your main mitigating factors when the authority assesses the incident.


Further reading

  • AI Policy That Actually Works: A Practical Model for Enterprises
  • AI-BOM: The Shadow AI Inventory Your Enterprise Needs Before Governing AI
  • AI Data Leakage: The 5 Most Common Risk Vectors
