
AI at Work: What Small Businesses Need to Know Before Using ChatGPT with Client Data

December 29, 2025 | 5 min read

AI tools like ChatGPT, Microsoft Copilot, and Google Gemini are becoming part of how people work. They are genuinely useful. They can also create real problems if your team is using them with client data and no one has thought through the risks. Here is what small business owners need to know.

What Is the Actual Risk?

When your staff types client information into an AI tool, that data goes to a third-party server. Depending on which tool, which plan, and what the privacy settings are, that data may be used to train future AI models.

For most casual business uses, this is a theoretical risk. For businesses handling financial data, medical records, or legal documents, it is a real one that needs a real policy.

The Problem With Client Data in AI Prompts

Imagine a staff member pastes a client's financial records into ChatGPT to help draft a summary. They are trying to save time. But that client data has now left your environment and your control.

Most consumer AI tools do not offer the same data protection guarantees as your cloud infrastructure. If you are subject to HIPAA, PCI-DSS, or financial services regulations, this is not a gray area.

Microsoft 365 Copilot Is Different, With Caveats

If your team is using Microsoft 365 Copilot, Microsoft has committed to not using your tenant data to train AI models. Your data stays within your Microsoft 365 environment under your existing compliance boundary.

But Copilot has access to everything in your tenant that the signed-in user can open. If your file permissions and sharing settings are not configured correctly, Copilot can surface documents that a user technically has permission to read but would never otherwise have found. This is a real issue in businesses where SharePoint has grown without governance. Review your permissions before enabling Copilot.

Google Workspace and Gemini

Google has similar enterprise commitments for Workspace customers. If you are on a paid Google Workspace plan, Google does not use your data to train AI models by default.

The same caution applies. Google Gemini in Workspace operates within your tenant, but it can access files across Drive. Audit your Drive sharing settings and make sure sensitive client files are in appropriately restricted folders before your team starts using Gemini.
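The Copilot and Gemini cautions above come down to the same check: find files whose sharing reaches further than the folder's intended audience. As an added example that is not part of this article, the Python below classifies permission records in the shapes returned by Microsoft Graph (`link.scope`, `grantedToV2`) and the Google Drive API (`type`, `emailAddress`) and reports the files to fix before enabling either assistant; the company domain and every sample record are constructed assumptions.

```python
# Added example (not the article's code): rank files whose sharing lets Copilot or
# Gemini surface them more widely than intended. Record shapes are assumed from the
# Microsoft Graph permission and Google Drive API v3 permission objects; data is constructed.
COMPANY_DOMAIN = "example.com"  # assumption: your tenant's own mail domain
RANK = {"anonymous": 3, "external": 2, "org-wide": 1, "direct": 0}

def _external(email: str) -> bool:
    return bool(email) and not email.lower().endswith("@" + COMPANY_DOMAIN)

def graph_exposure(perm: dict) -> str:
    """Classify one Microsoft Graph driveItem permission (link.scope / grantedToV2)."""
    scope = (perm.get("link") or {}).get("scope")
    if scope == "anonymous":
        return "anonymous"  # "anyone with the link"
    if scope == "organization":
        return "org-wide"   # every signed-in user, so every Copilot user
    user = (perm.get("grantedToV2") or {}).get("user") or {}
    return "external" if _external(user.get("email", "")) else "direct"

def drive_exposure(perm: dict) -> str:
    """Classify one Google Drive API v3 permission (type / emailAddress)."""
    if perm.get("type") == "anyone":
        return "anonymous"
    if perm.get("type") == "domain":
        return "org-wide"   # whole Workspace domain, so every Gemini user
    return "external" if _external(perm.get("emailAddress", "")) else "direct"

def triage(items: list) -> list:
    """Worst exposure per file, worst first; company-internal direct grants are not reported."""
    findings = []
    for item in items:
        classify = graph_exposure if item["source"] == "graph" else drive_exposure
        worst = max((classify(p) for p in item["permissions"]), key=RANK.get, default="direct")
        if RANK[worst] > 0:
            findings.append((item["path"], item["source"], worst))
    return sorted(findings, key=lambda f: -RANK[f[2]])

SAMPLE_ITEMS = [  # constructed: two SharePoint files (Graph shape), two Drive files
    {"source": "graph", "path": "/Clients/Acme/2024-return.pdf",
     "permissions": [{"link": {"scope": "organization", "type": "view"}}]},
    {"source": "graph", "path": "/Clients/Acme/engagement-letter.docx",
     "permissions": [{"grantedToV2": {"user": {"email": "cpa@example.com"}}}]},
    {"source": "drive", "path": "Clients/Beta/bank-statements.xlsx",
     "permissions": [{"type": "anyone", "role": "reader"}]},
    {"source": "drive", "path": "Clients/Beta/notes.gdoc",
     "permissions": [{"type": "user", "role": "writer", "emailAddress": "contractor@gmail.com"}]},
]

if __name__ == "__main__":
    for path, source, exposure in triage(SAMPLE_ITEMS):
        print(f"{exposure:9} {source:5} {path}")
```

In a real audit the records would come from paging the Graph `permissions` endpoint for each item and `files.list` plus `permissions.list` from the Drive API; the classification logic stays the same.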

What Your AI Policy Needs to Cover

You do not need a lengthy document. You need a clear set of rules your staff can actually follow and understand.

  • Which AI tools are approved for work use
  • What types of data can be entered into AI tools, and what cannot
  • Whether client names, financial data, or personal information can appear in any AI prompt
  • Who to ask if they are unsure whether something is allowed

Practical Rules to Set Today

While you work on a formal policy, these rules cover the most common risks.

  • No client names, account numbers, or financial details in any external AI tool
  • No medical records, case notes, or legal documents in any external AI tool
  • Use enterprise-tier plans with data privacy commitments, not free tiers, for any work use
  • If you use Microsoft Copilot or Google Gemini, audit your file permissions before turning it on for your team

This Matters Especially for Accounting Firms

If you run a CPA or accounting practice, your clients trust you with some of the most sensitive information they have. A staff member summarizing a tax return with ChatGPT is a scenario we are already seeing in practice.

Your AI policy should be as clear as your data retention policy. If you do not have either, that is a conversation worth having before your team figures out their own rules.

AI tools are not going away. The businesses that handle them thoughtfully will be in a better position than those that avoid the question. If you want to talk through what a practical AI policy looks like for your business, get in touch.

ITM Consulting
