{"id":13475,"date":"2025-08-27T08:00:00","date_gmt":"2025-08-27T06:00:00","guid":{"rendered":"https:\/\/haimagazine.com\/uncategorized\/unauthorized-ai-is-already-operating-in-your-company\/"},"modified":"2025-09-03T09:15:09","modified_gmt":"2025-09-03T07:15:09","slug":"unauthorized-ai-is-already-operating-in-your-company","status":"publish","type":"post","link":"https:\/\/haimagazine.com\/en\/ai-in-industries\/unauthorized-ai-is-already-operating-in-your-company\/","title":{"rendered":"\ud83d\udd12 Unauthorized AI is already operating in your company"},"content":{"rendered":"<p>An HR employee opens ChatGPT and pastes the resumes of people participating in the recruitment process. They contain all the data: first names, last names, education and experience, phone numbers, email addresses. &#8220;Analyze these resumes and point out the best candidate,&#8221; they request.<\/p><p>A few seconds and it&#8217;s done. Sounds great? Maybe for them. But you&#8217;re at risk of a penalty that could reach up to 20 million euros. Why? Because your company has just violated the GDPR and AI Act regulations.<\/p><p>According to <a href=\"https:\/\/www.deloitte.com\/pl\/pl\/services\/consulting\/services\/artificial-intelligence-and-data\/trust-in-AI-polska-perspektywa-2024.html\" data-type=\"link\" data-id=\"https:\/\/www.deloitte.com\/pl\/pl\/services\/consulting\/services\/artificial-intelligence-and-data\/trust-in-AI-polska-perspektywa-2024.html\" target=\"_blank\" rel=\"noopener\"><mark style=\"background-color:#82D65E\" class=\"has-inline-color has-contrast-color\">Deloitte<\/mark><\/a>, 18% of employees in Poland already use generative AI at work, and nothing suggests that this percentage will decline. On the contrary. 
Meanwhile, a <a href=\"https:\/\/kpmg.com\/pl\/pl\/home\/insights\/2025\/07\/sztuczna-inteligencja-w-polsce.html\" data-type=\"link\" data-id=\"https:\/\/kpmg.com\/pl\/pl\/home\/insights\/2025\/07\/sztuczna-inteligencja-w-polsce.html\" target=\"_blank\" rel=\"noopener\"><mark style=\"background-color:#82D65E\" class=\"has-inline-color has-contrast-color\">KPMG<\/mark><\/a> study shows that over half of them do so without their supervisors&#8217; knowledge. In practice, this means that in every company employing more than 50 people, at least five employees regularly use AI without their employer&#8217;s knowledge.\u00a0<\/p><p><strong>This phenomenon is called Shadow AI.<\/strong><\/p><p>These employees often follow the principle that &#8220;if no one forbade it, it&#8217;s allowed.&#8221; It&#8217;s no wonder they opt for a solution that makes the work faster and simpler. However, the legal and financial liability for this choice falls on the company.<\/p><h4 class=\"wp-block-heading\"><strong>Why is Shadow AI a ticking time bomb?<\/strong><\/h4><p>GDPR leaves us no room for interpretation \u2014 personal data must be processed securely and under control. Data controllers should know where and how long data are stored and who has access to them.<\/p><p>When we paste them into a public ChatGPT, we automatically lose control over them. It immediately violates three basic principles of <a href=\"https:\/\/eur-lex.europa.eu\/eli\/reg\/2016\/679\/oj?locale=EN\" data-type=\"link\" data-id=\"https:\/\/eur-lex.europa.eu\/eli\/reg\/2016\/679\/oj?locale=EN\" target=\"_blank\" rel=\"noopener\">GDPR<\/a>:<\/p><ul class=\"wp-block-list\"><li>it violates the principle of data integrity and confidentiality \u2014 Art. 5(1)(f),<\/li>\n\n<li>data are used for purposes other than originally planned \u2014 Art. 5(1)(b),<\/li>\n\n<li>it provides more information than necessary \u2014 Art. 
5(1)(c).<\/li><\/ul><p>If the information was sensitive, such as health details or religious beliefs (Art. 9 of GDPR), the situation becomes even more serious. Such data require special protection, meaning encryption, limited access and detailed logs. These types of data can only be processed with explicit consent or in exceptional situations, for example, when there&#8217;s a threat to life or it stems from legal obligations.<\/p><figure class=\"wp-block-table\"><table class=\"has-contrast-color has-accent-background-color has-text-color has-background has-link-color has-fixed-layout\"><tbody><tr><td>Under GDPR, the data controller (who&#8217;s usually the employer) is responsible for the actions of their employees. This includes cases where an employee independently pastes data into ChatGPT. This responsibility stems from Art. 24 of GDPR, which mandates the implementation of appropriate technical and organizational measures.<\/td><\/tr><\/tbody><\/table><\/figure><p>The second piece of the puzzle is the AI Act, which came into effect in 2024, but its key provisions regarding high-risk systems like recruitment and customer service will start being enforced in August 2026. The regulation establishes legal frameworks for artificial intelligence across the European Union. Employers who use AI in these areas will have to meet additional obligations. General consent or internal policies won&#8217;t suffice. 
They&#8217;ll need to ensure system transparency, human oversight of the process, and maintaining a register of AI usage.<\/p><p>The worst thing you can do is pretend the problem doesn&#8217;t affect us. Shadow AI won&#8217;t disappear, and regulations are already a fact. So we need to take action now. And by now, I really mean RIGHT NOW.<\/p><p>Within the next 48 hours <strong>check what the situation looks like in your company<\/strong>. The simplest way is to conduct a short survey among employees: &#8220;<em>Do you use AI at work? What tools do you use? For what?<\/em>&#8221; This will quickly assess the extent of the phenomenon and identify the areas of greatest risk. At this stage, you should also introduce a temporary ban on pasting candidate or client data into public models like ChatGPT, Claude or Gemini.<\/p><p>The next step should be <strong>risk mapping<\/strong>. Review all the processes in your company and answer the question: in which of them can employees use AI? The greatest threats usually lurk in three areas: recruitment (CV analysis), customer service (responding to inquiries) and marketing (content creation). It&#8217;s there that the most personal data often leak.<\/p><p>Later (within the next 30 days) <strong>consider switching to enterprise solutions<\/strong> that offer Data Processing Agreements (DPA). 
This legal safeguard means that the AI provider commits to protecting your data, not sharing it with other companies and deleting it after the contract ends, unlike free versions, where data can be used to train models. ChatGPT Teams (about 25 \u20ac per month per user), Claude for Business (28 \u20ac), or Google Workspace with AI (from 7 \u20ac) are already available. It&#8217;s a small price for legal peace of mind. At the same time, <strong>appoint someone responsible for supervising AI in your company<\/strong>. The AI Act will require such an &#8220;AI guardian&#8221;. Also, <strong>organize training for employees<\/strong> to explain, clearly and without technical jargon, what is allowed, what isn&#8217;t and why.<\/p><p>Within three months, the company should have the following documents and procedures: an AI usage policy, a system registry, and rules for informing candidates or clients that AI supports processes.<\/p><h4 class=\"wp-block-heading\"><strong>How much does it cost and why do we have to bear the cost?<\/strong><\/h4><p>I have good and bad news.<\/p><p>The bad news is safe AI requires investment.<\/p><p>The good news is using AI sensibly can give you an edge over the competition.<\/p><p><strong>Costs for different companies:<\/strong><\/p><figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Micro business (up to 5 people)<\/td><td>Annual security cost: 2000-3000 \u20ac. You can start with the basic ChatGPT Teams for 2-3 key employees. As your company grows, you can expand the system.<\/td><\/tr><tr><td>Small company (5-20 people)<\/td><td>Annual cost: 4000-6000 \u20ac. Implement enterprise solutions for the entire team plus basic training and procedures.<\/td><\/tr><tr><td>Medium-sized business (20-50 people)<\/td><td>Annual cost: 7000-9000 \u20ac for enterprise AI, training and legal consultations. 
At this point, you&#8217;ll need to appoint a responsible person for AI supervision.<\/td><\/tr><\/tbody><\/table><\/figure><p>The maximum GDPR fine is 20 million \u20ac. For the largest companies, the fine can be even higher (4% of annual turnover). It&#8217;s probably worth avoiding it. Especially since AI is an opportunity, not just a problem.<\/p><p><strong>Properly implemented AI can be a game changer for your business:<\/strong><\/p><ul class=\"wp-block-list\"><li><strong>In recruiting \u2013<\/strong> automated CV analysis reduces recruitment time by 70%<\/li>\n\n<li><strong>In customer service \u2013<\/strong> chatbots handle 80% of standard inquiries 24\/7<\/li>\n\n<li><strong>In marketing \u2013 <\/strong>AI generates personalized content in multiple languages, analyzes audience reactions and optimizes campaigns in real-time.<\/li><\/ul><p>Your competitors are already doing it. The question is: are they doing it legally? If you invest in secure solutions and they risk penalties, guess who will benefit in the long run.<\/p><h4 class=\"wp-block-heading\"><strong>Time is running out<\/strong><\/h4><p>The AI Act has already come into effect. Your time to prepare is running out. Shadow AI is like a time bomb: each day of delay increases the risk of explosion. Inaction can be seen as gross negligence and result in even higher fines. It&#8217;s not a question of &#8220;if&#8221; someone will check your company. 
It&#8217;s a question of &#8220;when&#8221; they will do it.<\/p>","protected":false},"excerpt":{"rendered":"<p>How to avoid a million-dollar fine for Shadow AI<\/p>\n","protected":false},"author":452,"featured_media":13382,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"rank_math_lock_modified_date":false,"footnotes":""},"categories":[797,888],"tags":[],"popular":[],"difficulty-level":[36],"ppma_author":[843],"class_list":["post-13475","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-in-industries","category-business-2","difficulty-level-easy"],"acf":[],"authors":[{"term_id":843,"user_id":452,"is_guest":0,"slug":"ewa-siciak","display_name":"Ewa Siciak","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/ebee7b40b99f8697a441e9c4e843181f1ee192815264acf918eb0ef697dfbe3e?s=96&d=mm&r=g","first_name":"Ewa","last_name":"Siciak","user_url":"","job_title":"","description":"Administration specialist and enthusiast of simple AI solutions for small businesses. She researches and tests technologies that genuinely take the load off entrepreneurs."}],"_links":{"self":[{"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/posts\/13475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/users\/452"}],"replies":[{"embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/comments?post=13475"}],"version-history":[{"count":1,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/posts\/13475\/revisions"}],"predecessor-version":[{"id":13476,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/posts\/13475\/revisions\/13476"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/media\/13382"}],"wp:attachment":[{"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/media?parent=13475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/categories?post=13475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/tags?post=13475"},{"taxonomy":"popular","embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/popular?post=13475"},{"taxonomy":"difficulty-level","embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/difficulty-level?post=13475"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/ppma_author?post=13475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}