You're considering using AI for strategic planning. Maybe data from your financial numbers, your customer data, your sales results.
Then you think: "What about GDPR? What about the EU AI Act? What if I send sensitive data to an AI system and it gets out?"
That's a completely valid concern.
Here's the good news: it's actually possible to use AI safely in the EU. It just requires knowing what you're doing.
The two main risks
There are two things that can go wrong:
1. Data leaks: You send data to an AI system, and it gets used or shared in ways you wouldn't have allowed.
2. Illegal transfers: You send data to an AI system hosted outside the EU, or one that doesn't comply with EU rules. That's not allowed for certain types of data.
Classify your data first
Before you send anything to AI, you need to classify it.
You likely have four types of data:
PUBLIC: Anything publicly known. Your brand name. Your website. Published prices. This data you can send to any AI system without concern.
INTERNAL: Data only for your people. Sales pipeline. Internal emails. Strategy documents. Competitive data you've gathered. This data you can send to AI systems — but they need to be secure and can't be shared.
CONFIDENTIAL: Data that could hurt your business if it became known. Customer contracts. Salaries. Detailed financial figures. This data you can ONLY send to AI systems that are exclusively for your use.
RESTRICTED: Personal data about other people. Social security numbers. Email addresses from your customer list. Names of important contacts with their private information. This data you MUST NOT send to AI systems, period.
Draw a table. List your main data types. Classify them. Be strict.
Data Guardian: A practical safeguard
Data Guardian is a concept meaning: before data reaches an AI system, there's a filter that says "no, that's too sensitive."
In practice it means: 1. When you're about to send data to AI, ask: what classification is it? 2. If it's RESTRICTED: don't send it. Period. 3. If it's CONFIDENTIAL: only send it to AI systems that are completely private to you and only your data. 4. If it's INTERNAL or PUBLIC: you have more freedom.
One company did this:
- They had a customer list with contact info (RESTRICTED).
- They wanted to analyze which customer segments were most profitable.
- Instead of sending whole lists to AI, they did this: "We group customers into categories (A, B, C based on geography and size) without sending names or contact info. NOW AI can analyze profitability per category without seeing personal data."
Same result. Zero data leaks.
EU AI Act: What does it mean for you?
The EU has passed the AI Act. It's coming in gradually. For SMEs it mainly means:
High-risk AI must be documented: If you use AI to make significant decisions about people (hiring, credit, who you should serve), it needs to be documented and auditable.
Most companies use AI for analysis, not for deciding. You use AI to give you insights. You decide. That's not high-risk — it's just analytics.
Transparency: If AI affects an important decision involving a person, they need to know.
One company used AI to analyze which leads were worth following up on. They didn't tell leads "AI decided to follow up with you." They just used the AI ranking internally. That's fine.
Data minimization: You only send to AI the data you really need.
Example: you want to analyze market trends. You don't send ALL customer details to AI. You send aggregated numbers. "We had 10 customers from sector X, average purchase value Y."
EU-only hosting as a practical safeguard
Here's a simple rule: if you're concerned, only use AI systems hosted in the EU.
USA (Cloud providers like OpenAI, Google) and non-EU countries can be problematic because:
- They may not follow GDPR
- They can be forced by their government to share data
- They may not have the same security standards
The solution: use a European AI provider, or use local AI systems (like LLMs running on your own computer).
Several European alternatives:
- Mistral (France)
- Aleph Alpha (Germany)
- Local LLMs like Qwen or Llama (open, you control it yourself)
They're not always as good as OpenAI. But they're EU-compatible.
Practical security plan for your company
Here's how you do it properly:
Step 1: Inventory (1 hour) List your main data sources:
- Financial figures
- Customer data
- Sales pipeline
- Strategic documents
- Competitive data
Step 2: Classification (30 minutes) For each source: PUBLIC, INTERNAL, CONFIDENTIAL, or RESTRICTED?
Step 3: Rules (1 hour) Write your rules:
- "RESTRICTED data is NEVER sent to AI"
- "CONFIDENTIAL data is only sent to [specify secure AI system]"
- "INTERNAL and PUBLIC data is okay to send to [name your approved AI systems]"
Step 4: Checkpoints (ongoing) Every time you're about to send data to AI: what class is it? Am I checking my rules? Is it allowed?
A concrete example
A Danish consulting firm needed to analyze their client portfolio to see which type of client was most profitable.
Their data:
- Client name, contact, ID number (RESTRICTED — customer list)
- Contract value (CONFIDENTIAL)
- Contract types (INTERNAL)
- Industry (INTERNAL)
They wanted AI to say: "Here's your most profitable segment."
Instead of sending the raw data, they did this: 1. Put data in their own system 2. Removed all RESTRICTED info (name, contact, ID) 3. Aggregated at level: "sector X, contract size Y, we have 15 examples of" 4. Sent the aggregated data (INTERNAL) to the AI system
AI analyzed the pattern and said: "You make the most from sector X with larger contracts."
Safe. GDPR-compatible. EU AI Act-compatible.
What if you're not sure?
If you're unsure, contact:
- Your data protection officer (if you have one)
- A law firm that knows IT security
- Your industry organization — many have guidance
It's not extremely expensive. An hour of legal advice might cost 200-300 EUR, but it can save you from both violations and data leaks.
The bottom line
AI in the EU is legal and safe. It just requires: 1. Classification. Know what you have. 2. Rules. Write down what you're allowed to do. 3. Checkpoints. Ask yourself before you act.
It's not more complicated than normal data hygiene. But it means you can use AI to strengthen your strategy without risking your data — or breaking the rules.