ChatGPT Usage Policy for Employees
ChatGPT (and tools like it) are already on your team's desktops, often without a license conversation. A short usage policy reduces shadow AI without pretending people will stop experimenting.
TL;DR: A ready-to-use ChatGPT usage policy for employees: what data can and cannot be pasted, when outputs need human review, how to request access to new features, and how to report a concern.
Quick reference
| Signal | Consumer ChatGPT | ChatGPT Team | ChatGPT Enterprise |
|---|---|---|---|
| Data used for training | Yes (default) | No | No |
| Admin controls | None | Basic | Full (SSO, DLP) |
| Conversation retention | Indefinitely | 30 days (configurable) | Customer-controlled |
| BAA available (HIPAA) | No | No | Yes |
| Approved for PII | No | No (check DPA) | With controls |
| Approved for customer data | No | No | With DPA |
| Approved for public drafts | Yes | Yes | Yes |
| Cost (per seat/month) | Free / $20 | $30 | Contact sales |
Use this table to decide which tier your team needs before writing any policy. Most small teams land on the Team plan; Enterprise adds SSO and a BAA, which matters for healthcare or financial services.
Start here (5 minutes)
- If you need a full baseline (not just ChatGPT rules), start with the AI Policy Starter Kit.
- For copy-paste employee rules beyond ChatGPT, use the AI Acceptable Use Policy Template.
- To reduce unapproved tool sprawl, read Shadow AI: What It Is and How to Prevent It.
Green light (usually fine)
- Brainstorming headlines, outlines, and internal notes that contain no customer or employee personal data.
- Rewriting rough text you already wrote when the source material is non-sensitive.
- Learning a concept or API from public documentation you summarize yourself.
Yellow light (manager or security input)
- Anything involving revenue, roadmap, or unreleased product details.
- Code that will ship to production (human review required).
- Summaries of contracts, HIPAA-, GDPR-, or PCI-scoped material.
Red light (do not use consumer ChatGPT for this)
- Pasting credentials, API keys, or secrets.
- Dumping full customer records, spreadsheets with PII, or regulated health/financial exports.
- Generating legal conclusions, medical advice, or anything that binds the company without expert review.
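As an added example (not from the original page), here is a pre-paste check that applies the green/yellow/red triage above, the kind of rule a DLP browser extension or proxy would enforce before a prompt leaves the desktop. The secret and identifier patterns and the yellow-light keywords are constructed illustrations and deliberately incomplete.

```python
from __future__ import annotations
import re

# Constructed red-light patterns: secrets and regulated identifiers that must
# never reach a consumer AI tool. Not a complete DLP ruleset.
RED_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key":    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential":     re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*\S{8,}"),
    "us_ssn":         re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number":    re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}

# Constructed yellow-light cues drawn from the list above: a hit means
# "ask a manager or security", not "blocked".
YELLOW_KEYWORDS = ("revenue", "roadmap", "unreleased", "contract", "hipaa", "gdpr", "pci")


def luhn_ok(digits: str) -> bool:
    """Luhn check so order numbers and other 16-digit strings are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_prompt(text: str) -> tuple[str, list[str]]:
    """Return ("red" | "yellow" | "green", reasons) for text about to be pasted."""
    reasons = []
    for name, pattern in RED_PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue        # digits that fail Luhn are not a payment card
            reasons.append(name)
            break               # one hit per category is enough to go red
    if reasons:
        return "red", reasons
    lowered = text.lower()
    hits = [kw for kw in YELLOW_KEYWORDS if re.search(rf"\b{kw}\b", lowered)]
    if hits:
        return "yellow", hits
    return "green", []


if __name__ == "__main__":
    print(classify_prompt("Why did order 1234 5678 9012 3456 ship late?"))  # ('green', []): fails Luhn
```

A red result should block the paste and point the employee at the approval channel, while yellow only prompts for the manager or security check the policy already requires.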
Enterprise vs consumer accounts
If you adopt ChatGPT Enterprise (or similar), document where data is processed, how long it is retained, and which admin controls are enabled. The policy should name the approved product; "OpenAI with workspace SSO" beats "any AI chat."
Data classification in prompts: a practical rule
Most employees don't think in terms of "data classification"; they think in terms of specific tasks. Give them a concrete rule they can apply in the moment:
Before pasting anything into ChatGPT, ask: "Would I be comfortable if this exact text appeared in a news article about a data breach?"
If the answer is no, don't paste it into a consumer AI tool. If the answer is "maybe", route it through the yellow light approval channel.
This test is easy to remember and catches the most common category of mistake: employees who know the policy rules but don't connect them to the specific thing they're about to paste.
How to roll out this policy without triggering resistance
Policy rollouts fail when employees hear "new rules" and read it as "new ways to get in trouble." Frame the rollout around capability, not restriction.
In your all-hands or team meeting:
- Lead with what the policy enables: "We're officially approving ChatGPT for [specific use cases]. Here's how to use it well."
- Present the green-light list first, not the red-light list.
- Acknowledge that employees are already using AI tools; the policy exists to protect them, not to surveil them.
Follow up with documentation:
- Post the policy in a shared doc or Notion page, somewhere employees can find it without asking
- Add a one-line summary to your employee onboarding checklist
- Include the approval channel link (Slack channel, form, or email) prominently
After 30 days:
- Check whether the approval channel is being used; if it isn't, either nobody knows it exists or nobody trusts it
- Review whether any incidents occurred and what category they fell into (green, yellow, or red)
- Adjust the policy based on real patterns, not assumed risks
When the policy fails: incident response for AI misuse
Mistakes will happen. An employee will paste something they shouldn't. When that happens, the response matters as much as the prevention.
Immediate steps:
- Have the employee delete the conversation from their ChatGPT account history (Settings → Data Controls → Delete all chats)
- Document what was pasted, to which tool, and when
- Assess the data classification of the pasted content (was it PII, regulated data, confidential IP?)
If personal data of EU or California residents was involved, your DPO or legal counsel must assess whether the incident triggers GDPR Article 33 breach notification (72-hour window from discovery) or CCPA notification obligations.
After the incident: Update the policy if the mistake reveals an ambiguity in the green/yellow/red guidance. A policy that generates repeat mistakes is a policy that needs clarification, not just enforcement.
Enforcement that works
Pair rules with fast approval: a single Slack channel or form for "yellow light" asks beats a policy nobody can interpret. Measure success by fewer repeat mistakes, not zero questions.
Set a 90-day check-in: review how many questions came through the approval channel, whether any incidents occurred, and whether the green/yellow/red lines need to shift based on what employees actually tried to do. A policy that's reviewed and updated is one employees trust. A policy that was published once and never touched isn't a living document; it's a compliance artifact.
Frequently asked questions
Can employees use ChatGPT to write customer-facing emails?
Yes, with restrictions. Drafting is fine as long as the prompt contains no customer PII (names, account numbers, transaction history). Write the email skeleton yourself, then paste the non-sensitive draft into ChatGPT to improve tone or clarity. A human must review and send; never let ChatGPT send directly through an integration.
What happens if an employee accidentally pastes confidential data into consumer ChatGPT?
Report it immediately to your manager and IT security. Consumer ChatGPT retains conversations and may use them for training. OpenAI's privacy controls allow users to request deletion, but there is no guarantee of removal from training sets. The incident should be logged, the conversation deleted from the ChatGPT account history (Settings → Data Controls → Delete all chats), and the data classification of the pasted content documented. If the data includes personal information of EU or California residents, your DPO or legal team should assess whether a breach notification is required.
Does ChatGPT Enterprise protect company data from being used to train OpenAI models?
Yes. ChatGPT Enterprise (and ChatGPT Team) do not use your conversations to train OpenAI models. Enterprise adds a BAA for HIPAA-covered entities, admin audit logs, SSO, and the ability to set data retention periods as short as 0 days. That said, Enterprise is not a substitute for a DPA review; verify that the current terms apply to your jurisdiction before processing regulated data.
Who in the company approves new AI tool requests?
Designate a single owner (often IT security or the CTO for small teams). Employees should submit requests through a short intake form (tool name, use case, data types that will be pasted, estimated number of users). Approval should happen within 5 business days. Unapproved tools should be blocked, not just discouraged; most enterprise browser management tools support domain-level blocking.