Can We Use ChatGPT, Claude, Copilot, or Gemini at Work?

Show help for each answer

0 of 11 questions answered0%

Q1. Are employees already using the standard chat interfaces for ChatGPT, Claude, Copilot, or Gemini for work tasks?

Select one

A. No — nobody is using these tools for work yet. We want to understand whether we can, what the risks are, and how to manage them.

B. Possibly — we suspect some employees are using them informally, but we haven't confirmed it and have no visibility.

C. Yes, informally — some employees use personal or free accounts for work tasks, without company approval or controls.

D. Yes, in a limited way — we've allowed use for specific tasks and want to understand what else we can safely use them for.

E. Yes — we're using them across the team and want to check our controls are adequate or confirm we haven't missed anything.

There's no wrong answer here. Each starting point has a different set of risks and a different set of actions. The assessment is calibrated to give you the most relevant output for your situation.

Q2. What is your primary industry?

Select one

A. General professional services (consulting, marketing, operations, administration)

B. Education or training

C. HR & Recruitment

D. Financial services (accounting, lending, insurance, investment advice)

E. Healthcare (clinical, dental, therapy, pharmacy, allied health)

F. Legal services

G. Technology / SaaS

H. Other

Choosing D or E doesn't mean your team can't use these tools. It means extra rules apply to what they type in. A healthcare worker pasting patient notes into Claude has transmitted protected health information to a third-party system.

Q3. Where does your business operate and serve customers?

Select all that apply

'We're based in the US' is not a legal defence when EU customer data is involved. GDPR applies to the data, not the postcode of the business. Even a handful of EU clients brings GDPR into scope.

Q4. How many employees would use — or are currently using — these chat interfaces for work?

Select one

A. Just me (solo founder or freelancer)

B. 2-10 employees

C. 11-50 employees

D. 51 or more employees

With more than 10 employees on personal or free accounts, you have essentially no visibility into what data is being entered. You can't audit it, control it, or demonstrate you took reasonable steps if something goes wrong.

Q5. What tasks are these chat interfaces used for — or what are you planning to use them for?

Select all that apply

A. Drafting or editing text using only the user's own words — no personal data, no client details, no confidential content pasted in

B. Summarising or analysing content pasted in — meeting notes, customer emails, research, documents

C. Work tasks involving company data — financial figures, internal product plans, business processes, proprietary information

D. Work tasks involving client or customer information — names, contact details, account data, case notes, correspondence

E. Research, explanations, and general questions — no personal or confidential data is pasted in

F. No defined scope — employees decide themselves what to include each time

If you're not using these tools yet, select what you're planning to use them for. If use is informal or uncontrolled, select what you think is most likely happening. Options B, C, and D are where risk concentrates — each involves content leaving your systems.

Q6. What personal data does your business hold about customers, clients, or staff?

Select all that apply

A. No personal data — our work does not involve information about identifiable individuals

B. Basic personal data — customer or employee names, email addresses, phone numbers, job titles, addresses

C. Sensitive personal data — health or medical records, financial account details, identity documents, biometric data, data about children, ethnic or religious data, or other GDPR special category data

D. Employment and HR data — staff records, performance reviews, payroll information, disciplinary records, recruitment data

E. Client personal data held under a duty of care or professional obligation — patient records, legal client files, financial advisory records, social care files

F. Regulated personal financial data — credit scores, loan applications, insurance records, investment account details, transaction histories

The key question is: does your business hold information about identifiable people — your customers, clients, patients, candidates, or employees? If so, those people have legal rights over how their data is processed. Using an AI chat interface to process it is a data processing event that triggers obligations.

Q7. What confidential or legally protected business information does your company work with?

Select all that apply

A. None — our business does not hold proprietary IP, confidential commercial information, privileged communications, or regulated professional work product

B. Proprietary intellectual property — source code, product designs, trade secrets, patents pending, proprietary algorithms, or confidential business processes

C. Confidential commercial information — board materials, financial forecasts, M&A activity, unreleased product plans, investor data, or pricing strategies

D. Legally privileged communications — attorney-client correspondence, active legal matter files, or legal advice given by or to lawyers

E. Regulated professional work product — financial advice, medical or clinical recommendations, or advice that carries formal professional liability

This is about your business information, not your customers data. A company with no personal data at all can still have serious exposure here — if proprietary source code, a board presentation, or a client legal file gets pasted into a free ChatGPT account, the legal consequences have nothing to do with GDPR.

Q8. Has your business enabled (or plans to enable) any integrations connecting these chat tools to other systems?

Select all that apply

A. No — the tools are used standalone. Employees copy and paste manually. No integrations have been set up or are planned.

B. Calendar and scheduling — the AI can read or create calendar events

C. Email — the AI can read, draft, or send emails on behalf of employees

D. Cloud storage or documents — the AI can access files in Drive, SharePoint, or OneDrive

E. CRM or customer data systems — the AI can read or write to systems like Salesforce or HubSpot

F. We don’t know — integrations have not been audited and we cannot confirm what connections exist

G. Other business applications or internal tools

This applies to built-in integrations available to any user, not custom software development. Examples include: connecting ChatGPT to your Google or Microsoft calendar via a plugin, enabling Claude to read emails in Gmail or Outlook, or giving Gemini access to Drive files. If nobody has set these up, select A. If you are not sure, select F — unknown integrations carry the same risk as known ones.

Q9. Which account tier is being used — or which are you planning to use?

Select one

A. Personal or free accounts — each employee uses their own login, possibly the same free account they use at home

B. Standard paid personal accounts — ChatGPT Plus, Claude Pro, Gemini Advanced — not centrally managed by the company

C. A company-managed Business or Enterprise account (e.g., ChatGPT Enterprise/Team, Claude for Work, Google Workspace with Gemini)

D. A mix — some employees on company accounts, some on personal accounts

E. We don't know — we haven't audited what accounts employees are using

F. We haven't deployed yet — this assessment is informing the decision

ChatGPT's free and Plus plans use conversation data to train their models by default. Anything typed — customer details, financial figures, internal strategy — may become training data for a public AI model. Enterprise plans turn this off, but you must verify the setting is actually disabled after setup. If you're not sure what accounts people are using, select E.

Q10. Does your business have an Acceptable Use Policy covering these tools?

Select one

A. Yes — we have a written AI Acceptable Use Policy that explicitly covers these tools and employees have acknowledged it

B. We have a general IT or data use policy that mentions AI but doesn't cover these tools specifically

C. No written policy — employees use their own judgement

D. We are drafting one, or we plan to before deployment

E. Not yet applicable — we haven't deployed these tools

The most important clause is a clear list of what cannot be typed in. Most employees don't think of pasting a customer email into Claude or Copilot Chat as a compliance event. One sentence prevents most real-world incidents. If you haven't deployed yet, drafting the policy first is the right order.

Q11. Have employees been trained on what not to type into these tools?

Select one

A. Yes — we have run a formal or documented session specifically covering safe use of these tools

B. We have shared articles or guidance informally, but nothing documented or verified

C. No training has taken place

D. Solo operator — no team to train

E. Not yet — we plan to train staff before giving them access

Minimum viable training: a 20-minute session covering what these tools are, what cannot be typed, and how to report a concern. Keep an attendance record — that record is your evidence of reasonable steps if a data incident occurs later. If you haven't deployed yet, run training before you grant access.