Implementa.

Using ChatGPT in the enterprise · Guide 2 of 5

How to use ChatGPT in companies: policy, cases and typical mistakes

Using ChatGPT in a company isn't the same as every employee opening a free account. It's deciding which plan to contract, which usage policy to publish, what data CANNOT go in, and how adoption is measured. Without that, what you have is noise in the chat and a legal risk.

ChatGPT Free vs. Plus vs. Team vs. Enterprise (the real decision)

| Plan | Cost | Does your data train the model? | When to pick it |
|---|---|---|---|
| Free | $0 | Yes (by default) | Individual curiosity, NEVER company use |
| Plus | $20/month | Yes (you can opt out) | Individual professional, not for confidential data |
| Team | $25/user/month | No | Small-to-mid teams, reasonable default |
| Enterprise | Negotiated | No + SSO + stronger DPA | Compliance, high volume, specific regulatory requirements |

Usage policy: template and what it covers

A minimum viable usage policy fits on one page. A serious policy runs 5-10 pages. Better to start with the minimum viable than have none. The mandatory components:

  1. Who owns the policy inside the company.
  2. Which plan is procured and how to get an account.
  3. What data CANNOT go into external chats (closed, specific list).
  4. What decisions CANNOT be delegated to AI.
  5. How to report misuse or an incident.
  6. Consequences of non-compliance (scaled by severity).
  7. How often the policy is reviewed.

Sensitive data: the 4 classic mistakes

  1. Pasting full contracts to "summarize them". Sensitive personal and commercial data going into a chat. Risk: data leak + privacy compliance issues.
  2. Uploading resumes to "pre-screen". No documented criteria, hidden bias: regulatory exposure on the horizon.
  3. Pasting customer conversations to "analyze sentiment". Third-party personal data with no clear legal basis.
  4. Processing billing or financial information without a DPA. Possible contractual breach with auditors and/or customers.

How to actually measure adoption

The metric that matters is impact, not logins. A reasonable measurement structure:

| Level | What it measures | How |
|---|---|---|
| 1 · Access | % with an active account | Team/Enterprise plan dashboard |
| 2 · Frequency | Sessions/person/week | Same dashboard |
| 3 · Cases covered | % of identified use cases in real use | Semi-annual survey |
| 4 · Impact | Hours saved/month per process | Self-report by process owner |

Training that ACTUALLY works (vs. "look at the keys")

General training is theatre. What works is role-specific, with tested prompts and a 2-week review.

  1. Identify 8-12 real use cases for the role with the process owner.
  2. Design specific tested prompts. Not generic "prompting frameworks".
  3. A 3-4 hour workshop; beyond that is diminishing returns.
  4. A 1-2 page doc with the prompts and when to use them.
  5. Two-week review: what stuck, what didn't, adjust.

Frequently asked questions

Enterprise is justified when you need: mandatory SSO (compliance), specific data residency (EU), reinforced DPA, or high volume to negotiate price. Below 50 users and without strong regulatory requirements, Team covers 95% of cases at 1/3 the cost. Many companies pay Enterprise for marketing, not need.

GDPR applies from day one, including data your team puts into any AI chat. AI Act applies from 2026 based on system risk level: most ChatGPT enterprise uses are limited risk (mandatory transparency) or minimal risk (no specific obligations). What does change: any use deciding on people (HR, scoring) becomes high risk. That requires serious documentation.

Mandatory from day one. Not optional. Any company deploying ChatGPT without a written policy is building debt: legal, reputational or both. A basic policy (1 page) is better than none. A full policy (5-10 pages) is what's right. Without a policy, don't deploy.
