ChatGPT in the Workplace: Risks, Policies, and What to Tell Employees

A practical guide to managing ChatGPT use in your business. Covers the difference between free, Plus, and Enterprise tiers, the five key risks, what to allow versus prohibit, and how to communicate the rules to employees.

The primary risks of ChatGPT in the workplace are: confidential data shared with a consumer product whose training data policies permit use of inputs, personal data processed without a lawful basis or Data Processing Agreement, AI-generated outputs presented as original work or used in regulated advice, hallucinated facts treated as accurate, and browser plugin access to broader company data than intended. The appropriate response is not a ban but a tiered policy: define which ChatGPT tier is permitted for which use cases, and train employees on the difference between safe and unsafe use.

Understanding the ChatGPT tiers

One of the most common governance mistakes is treating "ChatGPT" as a single product. OpenAI offers several distinct tiers with materially different data handling terms, and the risk profile of each is different.

Free tier

Available to anyone with an account. Conversations may be used by OpenAI to improve its models unless the user opts out in settings (this option exists but is not enabled by default). No administrative controls, no data retention management, no DPA available. Not appropriate for any work data beyond public-domain information.

ChatGPT Plus

A paid personal subscription. Better model access and higher usage limits, but the same data handling terms as the free tier by default. The opt-out for training data use is the same. Still a consumer product — no enterprise controls, no DPA. Not appropriate for confidential or personal data.

ChatGPT Team

A business subscription that explicitly excludes conversation data from model training. Includes a workspace admin console for user management. OpenAI publishes a Data Processing Addendum (DPA) for Team accounts. Significantly more appropriate for business use than free or Plus — but still requires review against your specific data classification rules before you permit sharing of Internal or Confidential data.

ChatGPT Enterprise

The highest-tier business offering. Includes enterprise-grade security, SOC 2 compliance, no training on customer data, longer context windows, and custom admin controls. OpenAI will sign a BAA for HIPAA-regulated businesses. If you are handling sensitive data at volume and want to use ChatGPT, Enterprise is the appropriate tier.

The five key risks

Risk 1: Confidential data in a consumer product

This is the most common and most immediate risk. An employee drafts a client proposal, pastes the client's name, budget, and strategy into ChatGPT free to get a better structure. That data has now been shared with a consumer product. Whether it is used for training or not, the client did not consent to this, and your confidentiality obligations to that client may have been breached.

Risk 2: Personal data without a DPA

Under UK GDPR, sharing personal data with a third-party processor requires a Data Processing Agreement that specifies how the data will be handled, retained, and deleted. Consumer ChatGPT tiers do not offer a DPA. If an employee shares personal data of clients or staff, the business is likely processing personal data without the required contractual safeguards.

Risk 3: AI output used without human review

ChatGPT hallucinates — it generates confident-sounding incorrect information. In low-stakes drafting this is a minor inconvenience. In regulated contexts (legal advice, financial recommendations, medical information) or client-facing work presented as researched and accurate, it is a serious risk. Every use of AI-generated output in professional or client-facing contexts should require human review and sign-off.

Risk 4: Intellectual property and confidentiality

Employees sometimes share proprietary code, unpublished research, product roadmaps, or business strategy with ChatGPT as context for a question. Even where data training opt-out is in effect, these inputs are processed by OpenAI's systems. The intellectual property implications of this are unresolved and vary by jurisdiction.

Risk 5: OAuth and plugin access

ChatGPT Plus and Enterprise support plugins and integrations that can be connected via OAuth. Employees who enable plugins — including browsing tools, calendar connectors, and email access — may be granting ChatGPT access to broader company data than they intend. Plugin usage should be reviewed as part of your OAuth audit.

What to allow versus prohibit

A workable policy for most SMEs:

  • Permitted without restriction (any tier): Drafting based on public information, brainstorming, grammar and style review of non-confidential text, code generation for non-proprietary logic
  • Permitted with ChatGPT Team or Enterprise only: Drafting that references internal processes or company-specific information, summarising internal documents, any use involving employee names or roles
  • Prohibited (any tier): Sharing client personal data, sharing financial data, sharing unpublished product information, sharing legally privileged material, using AI output in regulated advice without qualified human review

How to communicate the rules to employees

Frame the communication around empowering employees to use AI safely, not restricting them from using it. Explain the difference between tiers clearly — most employees do not know that free ChatGPT and enterprise ChatGPT are different products with different data handling terms. Give concrete examples of what is and is not permitted. Provide a contact route for questions: "If you're not sure whether a use is safe, ask [name] before sharing anything."

UK GDPR considerations

Any use of ChatGPT that involves personal data of UK residents must comply with UK GDPR. The key requirements: a lawful basis for processing (usually legitimate interests or contractual necessity — but the AI use must be proportionate to the purpose), a DPA with OpenAI where applicable, and data minimisation (do not share more data than the task requires). If you have a DPO, involve them in reviewing your ChatGPT policy before publishing.

Frequently asked questions

Can employees use ChatGPT for work?

Yes, but with conditions that depend on which tier they are using. Free and Plus tiers are not appropriate for confidential client data or personal data. ChatGPT Team and Enterprise tiers commit to not training on customer data and are more appropriate for business use, subject to your data classification rules.

Is using ChatGPT at work a GDPR violation?

It can be. If an employee shares personal data using the free or Plus tier, the business may be processing personal data without a lawful basis or required contractual protections. Under UK GDPR, businesses are responsible for how employees handle personal data, including when sharing it with AI.

What is the difference between ChatGPT and ChatGPT Enterprise?

Free and Plus are consumer products where OpenAI may use conversation data to improve its models. Team and Enterprise are business products where OpenAI commits not to use customer data for model training, with administrator controls and available Data Processing Agreements.

Should businesses ban ChatGPT?

A blanket ban is rarely effective — employees will use it via personal devices or mobile data. A tiered policy defining which tier is permitted for which use cases, with clear prohibitions on high-risk uses and access to appropriate business tiers where needed, is more durable than a blanket prohibition.