A support lead has six minutes before a customer call. She copies the full ticket history into ChatGPT and asks for a calm summary. The text includes the customer's name, email address, order number, refund amount, and a note about a medical leave request mentioned in the thread.
An HR manager wants a clearer performance-review paragraph. He pastes the draft into his personal ChatGPT account. The draft includes the employee's name, salary band, warning history, and a note from an occupational-health conversation.
Neither person is trying to leak data. Both are trying to move faster. That is why ChatGPT privacy risk is hard to manage: the risky action feels like ordinary work.
The risky moment is before ChatGPT answers
Most organisations discuss ChatGPT risk as if the problem starts with the model: Will it train on our data? Will it hallucinate? Will it expose our files?
Those are real questions, but they come second. The first risk is the paste. Once an employee has copied a customer record, contract excerpt, HR note, source file, screenshot, or spreadsheet into the prompt box, the organisation has already created a data-processing event. The answer may be useful. The input may still have been excessive.
This is why a good ChatGPT policy cannot simply say "use the business version" or "turn off training." The better question is: what did the employee send into the tool, and did the tool need that much context?
Where a ChatGPT prompt can travel
The privacy posture changes depending on workspace, feature, and account type.
| ChatGPT context | Training default | Visibility and retention risk | Admin control |
|---|---|---|---|
| Personal Free, Plus, or Pro workspace | Chats may be used for model improvement unless the user turns this off | Chat history, memory, shared links, file uploads, and personal connected apps are controlled by the individual user | No organisation-level control |
| ChatGPT Business | Workspace data excluded from training by default | Each user has private chat history unless they share; workspace shared links are restricted to members | Workspace owners/admins manage members, apps, GPT controls, and usage settings |
| ChatGPT Enterprise or Edu | Workspace data excluded from training by default | More options for SSO, SCIM, RBAC, data controls, app permissions, and retention/residency depending on plan | Strongest central control |
| Temporary Chat | Not used for model training | Does not appear in history or create memories, but copies may be kept up to 30 days for safety review | Useful for individuals, not a complete governance model |
The practical lesson is simple: "ChatGPT" is not one privacy state. A prompt in a personal account, a Business workspace, an Enterprise workspace, a temporary chat, a GPT with actions, or a connected app has different implications.
Seven ChatGPT leakage patterns to govern
1. Raw records pasted for summarisation
This is the everyday case. A support thread, intake form, patient note, complaint, order record, or incident report is pasted so ChatGPT can summarise it. The model rarely needs the real name, email address, phone number, account ID, BSN-equivalent, or full chronology to do the job.
2. Files uploaded because copy-paste is too much work
File upload feels safer because it is tidier. It is not automatically safer. A PDF, CSV, Word document, contract pack, or exported ticket file can contain hidden metadata, tracked changes, comments, extra sheets, or rows outside the section the employee meant to share.
3. Screenshots that carry more than the visible problem
Employees upload screenshots for help with an error, invoice, dashboard, or email. The visible issue may be harmless. The side panel, browser tab, notification banner, URL, customer row, or account name may not be.
4. Memory turning one prompt into future context
Memory can make ChatGPT more useful, but it changes the boundary of a single conversation. If sensitive facts are remembered, they can influence later responses. Turning memory off does not delete memories already saved; they need to be managed separately.
5. GPTs, apps, and connectors extending the data path
A prompt can call a GPT, an app, or a connector. That may be exactly what the user wants, but it also means data may be sent to or retrieved from another system. In managed workspaces, admins should decide which apps are allowed and who can use them.
6. Shared links used as "quick collaboration"
Shared links are convenient. They are also easy to misunderstand. A link can reveal a snapshot of the conversation, and anyone with access to the link can view it. In 2025, OpenAI removed an experiment that allowed shared conversations to be discoverable through search engines after concerns that users could accidentally share more than intended.
7. Personal accounts used for real work
This is the quietest risk. The employee is not bypassing IT to be reckless; they already have ChatGPT open, so they paste the work there. But a personal workspace has individual settings, individual shared-link history, individual memory, and no central offboarding or audit process.
What is actually at stake
For GDPR purposes, a ChatGPT prompt can contain personal data just like an email, spreadsheet, or ticket system. If the prompt includes an identifiable person, the organisation needs a lawful basis, a purpose, data minimisation, appropriate processor terms where relevant, and a way to answer basic questions later: what was shared, why, and under whose controls?
The risk is not only regulatory. A pasted contract excerpt may reveal a negotiation position. A support record may expose a vulnerable customer. A source file may include credentials. A screenshot may show a production incident name. A performance review may reveal special-category data or occupational-health context.
The uncomfortable part: these prompts are usually created by good employees doing useful work. That is exactly why policy alone does not catch them.
Verified incidents
March 2023 - ChatGPT history and payment-data bug
OpenAI took ChatGPT offline after a bug in an open-source library allowed some users to see titles from other active users' chat histories. OpenAI later reported that the same bug may also have exposed payment-related information for 1.2% of ChatGPT Plus subscribers active during a nine-hour window. Source: OpenAI, March 2023.
April-May 2023 - Samsung restricts generative AI after internal leaks
Samsung temporarily restricted generative AI use on company devices after employees reportedly pasted sensitive internal information into ChatGPT, including source code and meeting content. The nuance matters: this was not ChatGPT "hacking" Samsung; it was employees using a public AI tool for real work without enough controls. Source: TechCrunch/Bloomberg, May 2023.
March 2023 and December 2024 - Italian Garante enforcement
Italy's data protection authority temporarily limited ChatGPT processing in March 2023 while investigating privacy concerns. In December 2024, the authority fined OpenAI 15 million euros after concluding that OpenAI had violated transparency and legal-basis requirements in its management of ChatGPT. OpenAI said it would appeal. Source: Garante/AP, December 2024.
July 2025 - Shared ChatGPT conversations indexed by search engines
Reports found shared ChatGPT conversations appearing in search results. OpenAI said it removed the discoverability feature, describing it as a short-lived experiment that created too many chances for people to share things accidentally. The lesson for workplaces is direct: a share link is a publication decision, not a private note. Source: TechCrunch/Fast Company, July 2025.
These incidents point to different failure modes: platform bugs, employee paste behaviour, regulatory uncertainty, and sharing controls. A serious ChatGPT rollout has to account for all four.
Settings that help
Six settings and admin decisions are worth reviewing before broad workplace use.
1. Move work from personal accounts to a managed workspace Use ChatGPT Business, Enterprise, or Edu for work. OpenAI states that these workspace data types are excluded from training by default. A managed workspace also gives the organisation a place to set app, GPT, member, and sharing rules.
2. Turn off model improvement in personal accounts For users who still have personal accounts, go to: profile icon > Settings > Data Controls > Improve the model for everyone > Off. This keeps new conversations visible in chat history but stops them from being used for model improvement.
3. Use Temporary Chat for sensitive one-off tasks Temporary Chat is available from the new-chat interface. It does not appear in history, does not create memories, and is not used for model training. OpenAI still says copies may be kept for up to 30 days for safety purposes, so do not treat it as a secure vault.
4. Review memory and personalization Go to: profile icon > Settings > Personalization. Review "Reference saved memories" and "Reference chat history." Use Manage memories to delete saved memories that should not influence future chats. Deleting the original chat does not always remove a saved memory.
5. Audit shared links Go to: Settings > Data Controls > Shared links > Manage. Delete links that contain work content, personal data, or confidential context. In Business workspaces, check whether shared-link behaviour matches your internal collaboration rules.
6. Restrict apps, GPTs, and connectors In managed workspaces, review which apps and GPT capabilities are enabled. OpenAI states that Enterprise and Edu apps are disabled by default and can be controlled by workspace owners. Business admins can also manage app availability and role-scoped permissions.
Steps verified in May 2026 with ChatGPT web app at chatgpt.com, ChatGPT Business admin documentation, and OpenAI Help Center pages updated in May 2026.
What settings do not solve
Settings decide how ChatGPT handles data after it arrives. They do not decide whether the employee should have pasted the data in the first place.
No training opt-out removes an unnecessary customer number from a prompt. No Temporary Chat setting tells a support agent that a medical note is irrelevant to a refund summary. No Enterprise workspace automatically knows that a screenshot includes a visible client name in the browser tab.
The control gap is the few seconds before submission, when the employee is still drafting and can still remove, replace, or mask the sensitive parts.
How BeeSensible helps before the prompt is submitted
BeeSensible checks personal data in browser text fields while the prompt is still being written. Through the desktop app, detection runs entirely on the device and no text leaves the machine. For browser-only use, the extension sends the text to BeeSensible's EU detection service, where analysis runs in working memory and the text is discarded after detection. In ChatGPT, names, emails, phone numbers, IBANs, BSNs, payment-card details, and other configured categories can be highlighted before the employee presses Enter.
The user can remove the value, replace it with a placeholder, or mask it. BeeSensible does not store the prompt text. Admins can see patterns by category and application without reading employee conversations.
ChatGPT