Why ChatGPT Is a DLP Problem — and What You Can Do About It
AI tools like ChatGPT are now standard in the workplace. The problem: no one controls what gets pasted in.
This is happening in your company — right now.
A sales rep opens ChatGPT to draft an email. They paste the entire customer contract into the input field — because the model "understands everything." An HR manager uploads a payroll spreadsheet so the tool can summarize it. A developer pastes source code into a coding assistant to explain a bug.
What looks like modern workplace productivity on screen is actually data leaving your organization. Every day. In every office. Without anyone knowing.
What happens to this data.
The input lands on servers operated by OpenAI, Anthropic, or Google, typically in the US and in any case outside the EU. What happens to it next depends on the tier and the account settings: consumer accounts often permit retention, human review, and use for model training by default unless the user opts out, while enterprise or API contracts with proper data protection clauses usually exclude training. Does this violate GDPR? In many cases, yes: personal data goes to a processor without a data processing agreement (Art. 28), and to a third country without a documented transfer basis (Chapter V). The legal situation is clear enough to be a problem and vague enough that you cannot rely on it either way.
What you can do today.
First: Inventory. Ask your employees directly, not through indirect channels and not only through IT. Which AI tools do you use? The answers will surprise you. Then check what your infrastructure already knows: proxy and DNS logs for AI domains and the OAuth consents in your identity provider show the tools nobody mentioned. That list is your first risk inventory.
Second: Define rules. Create a clear list: which data categories never go into an external AI tool? IBANs, HR records, contract contents, source code? Whatever you list is your red line, and each item must be concrete enough that a tool can recognise it, not just a person.
Third: Deploy technical controls. DLP solutions detect sensitive patterns, such as IBAN numbers, personal data, and customer names, when they appear in browser inputs, and can block, warn, or mask. Rules without enforcement are only a request; the control is what makes the red line real. Two caveats from practice: plain pattern matching produces false positives (an order or reference number can look like an account number), so validate checksums where the format has one; and a browser extension alone can be disabled by the user, so back it with enforcement at the proxy or in a managed browser.
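To make step three concrete, here is a small input scanner of the kind a browser-side DLP control runs before a prompt is submitted. It is an added example written for this article, not code from any DLP product or from the vendors named above; the policy table, detectors, and sample prompts are constructed here, and the IBAN is the publicly known German test value, not a real account. It shows the part most pattern-only tools get wrong: an IBAN-shaped token is only reported if its ISO 7064 mod-97 checksum validates, which removes most false positives, and the strictest action among all findings (block over warn over mask) decides what happens to the prompt.

```python
"""Minimal browser-input DLP scanner (added example, constructed policy and inputs):
detects IBANs (checksum-validated), e-mail addresses and sensitive keywords,
then applies a block / warn / mask policy to the text before it is submitted."""
import re
from dataclasses import dataclass

# Constructed policy: the strictest action among all findings decides the outcome.
POLICY = {"iban": "block", "email": "mask", "keyword": "warn"}
SEVERITY = {"allow": 0, "mask": 1, "warn": 2, "block": 3}

# IBAN shape: 2 letters, 2 check digits, then 4-character groups, optionally space-separated.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Constructed keyword list; a real deployment would take this from the step-two rules.
KEYWORD_RE = re.compile(r"\b(payroll|salary|salaries|confidential)\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str   # detector name, key into POLICY
    start: int  # span in the original text
    end: int


def iban_checksum_ok(iban: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, replace A..Z with
    10..35, and the resulting integer must be congruent to 1 modulo 97."""
    compact = iban.replace(" ", "")
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def scan(text: str) -> list[Finding]:
    """Run every detector. An IBAN-shaped token only counts if its checksum validates,
    which drops order numbers, product codes and mistyped values."""
    findings = []
    for m in IBAN_RE.finditer(text):
        if iban_checksum_ok(m.group()):
            findings.append(Finding("iban", m.start(), m.end()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.start(), m.end()))
    for m in KEYWORD_RE.finditer(text):
        findings.append(Finding("keyword", m.start(), m.end()))
    return findings


def mask_span(s: str) -> str:
    """Keep enough of the value to recognise its type, hide the rest."""
    if "@" in s:
        local, _, domain = s.partition("@")
        return local[0] + "***@" + domain
    compact = s.replace(" ", "")
    return compact[:2] + "*" * (len(compact) - 6) + compact[-4:]


def enforce(text: str, policy: dict = POLICY) -> tuple[str, str]:
    """Return (action, text_to_submit). 'block' returns an empty string so nothing is
    sent; 'mask' rewrites the masked spans; 'warn' passes the text through and tells
    the caller to ask the user for confirmation; 'allow' is the clean path."""
    findings = scan(text)
    action = "allow"
    for f in findings:
        if SEVERITY[policy[f.kind]] > SEVERITY[action]:
            action = policy[f.kind]
    if action == "block":
        return action, ""
    out = text
    # Rewrite from the end so that earlier offsets stay valid after each replacement.
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        if policy[f.kind] == "mask":
            out = out[:f.start] + mask_span(text[f.start:f.end]) + out[f.end:]
    return action, out


# Constructed sample prompts; the IBAN is the well-known DE test value, not a real account.
SAMPLES = {
    "contract": "Summarise: the client pays to IBAN DE89 3704 0044 0532 0130 00, contact anna.schmidt@example.com.",
    "bug": "Why does the login for anna.schmidt@example.com fail after the patch?",
    "hr": "Draft a note about the payroll run next week.",
    "typo": "Reference DE89 3704 0044 0532 0130 01 from the ticket.",
}

if __name__ == "__main__":
    for name, prompt in SAMPLES.items():
        action, out = enforce(prompt)
        print(f"{name:8s} -> {action:5s} {out!r}")
```

Running it, the contract prompt is blocked outright, the bug report goes through with the address reduced to `a***@example.com`, the HR note triggers a warning without being changed, and the mistyped IBAN in the last prompt is not reported because its checksum fails. The same structure extends to other formats with check digits (credit card numbers via Luhn, national IDs with a checksum), and the policy table is where the red lines from step two are encoded.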