ModelCharter

AI and Data Privacy: What Every Business Must Know

Every AI tool you or your team uses either handles your data safely or it doesn't. The gap between a free consumer plan and a business tier is often the whole privacy story. Getting this wrong means confidential data in a training corpus, GDPR exposure, or a customer audit finding you'd rather not face.

How AI tools use your data

Consumer tiers of tools like ChatGPT, Gemini and Claude may use your conversations to improve their models by default. Business tiers (ChatGPT Team, Claude for Work, Gemini for Google Workspace) typically don't train on your data and offer Data Processing Agreements (DPAs). The difference is a plan upgrade and a policy that points staff to the right tier.

GDPR and AI

If your organisation handles personal data of EU residents and you pass that data to an AI tool, GDPR applies. You need a Data Processing Agreement (DPA) with the AI vendor, a lawful basis for the processing, and records of that processing activity. Many teams trigger this obligation without realising it, every time customer names or email addresses touch an AI assistant.

HIPAA and AI

US healthcare teams face a harder line: any AI tool that processes protected health information (PHI) must sign a Business Associate Agreement (BAA). OpenAI, Anthropic and Google all offer BAAs on their enterprise plans, but not their consumer ones. Using a non-BAA tier with any PHI is a HIPAA violation.

Practical first steps

Check which AI tools your team actually uses (not just the ones IT approved). Verify which tier each is on. Require business-tier accounts for anything that touches client data, PII or confidential plans. Document that in your AI usage policy. Greenlightly's tool directory shows the data-handling profile of the most popular tools so you don't have to read every privacy policy yourself.
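The first two steps above (find out which AI tools staff actually use, then check the tier of each account) can be started from logs you already have. The script below is an added example, not ModelCharter's or Greenlightly's code: it reads constructed proxy log lines, maps hostnames to AI tools, and lists every user whose account is not on the team's known business-tier list. The hostname map and the business-tier account list are assumptions chosen for illustration; a real run would use your own proxy or DNS export and the member lists from each vendor's admin console.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic).
# Format assumed here: <timestamp> <user> <host> <path>
SAMPLE_LOG = """\
2024-05-01T09:12:01Z alice chat.openai.com /backend-api/conversation
2024-05-01T09:15:44Z bob gemini.google.com /app
2024-05-01T10:02:10Z alice claude.ai /api/organizations
2024-05-01T10:30:05Z carol chat.openai.com /backend-api/conversation
2024-05-01T11:00:00Z dave example.com /index.html
"""

# Hypothetical hostname -> tool map. Maintain this from your own traffic;
# the entries here are illustrative assumptions, not a vendor-supplied list.
AI_HOSTS = {
    "chat.openai.com": "ChatGPT",
    "gemini.google.com": "Gemini",
    "claude.ai": "Claude",
}

# Assumption: users known to hold a business-tier seat, taken from each
# vendor's admin console. A consumer login looks identical on the wire,
# so tier has to come from this list, not from the log.
BUSINESS_TIER_USERS = {
    "ChatGPT": {"alice"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


def parse_line(line):
    """Return (user, host) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("user"), m.group("host")


def inventory(log_text):
    """Aggregate AI-tool usage: {tool: {"users": set_of_users, "requests": count}}.

    Non-AI hosts and malformed lines are ignored, so the result is the
    'tools your team actually uses' list, not the IT-approved list.
    """
    seen = defaultdict(lambda: {"users": set(), "requests": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        tool = AI_HOSTS.get(host)
        if tool is None:
            continue
        seen[tool]["users"].add(user)
        seen[tool]["requests"] += 1
    return dict(seen)


def find_unverified(log_text, business_users):
    """Return sorted (tool, user) pairs not covered by a known business-tier seat.

    Every pair returned needs a tier check before that user sends client
    data, PII or confidential plans through the tool.
    """
    flagged = set()
    for tool, info in inventory(log_text).items():
        allowed = business_users.get(tool, set())
        for user in info["users"]:
            if user not in allowed:
                flagged.add((tool, user))
    return sorted(flagged)


if __name__ == "__main__":
    for tool, info in sorted(inventory(SAMPLE_LOG).items()):
        print(f"{tool}: {info['requests']} requests from {sorted(info['users'])}")
    for tool, user in find_unverified(SAMPLE_LOG, BUSINESS_TIER_USERS):
        print(f"VERIFY TIER: {user} uses {tool} without a known business-tier seat")
```

The output of find_unverified is the worklist for step two: each pair is a person to ask (or an admin console to check) before the account is allowed near client data, and the confirmed seats are then added to BUSINESS_TIER_USERS so the next run only flags new users.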

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator