Drafting an email, summarising a report, producing code: generative AI tools have settled into many working environments. They deliver real time savings, but professional use calls for method and caution. Here are some pointers drawn from official frameworks.
Training teams: AI literacy
Since 2 February 2025, the AI Act has imposed an AI literacy obligation: providers and deployers must ensure a sufficient level of AI competence among the people who use these systems on their behalf. In practice, employers should raise awareness and train their staff.
Put governance in place
Under the AI Pact, a voluntary initiative of the European Commission, more than 230 organisations have committed to adopting an AI governance strategy, mapping their systems (including those likely to be high-risk) and promoting staff awareness. Human oversight and transparency of generated content are also part of these commitments.
Protect the data
Generative AI often processes personal data: the GDPR applies in full. As data protection authorities point out, new technologies are not excluded from the scope of the GDPR. It is therefore prudent not to enter confidential or personal information into a public tool without a legal basis and safeguards, and to check the provider's terms.
Copyright and verification
Mind copyright and the confidentiality of sources too: according to the European Parliament, providers of generative AI must comply with EU copyright law. And because these tools can reproduce bias, it is prudent to check for discrimination when an output is used to assess or select people, and to inform those people when AI plays a part in a decision affecting them.
Keep a human in the loop
Generative models can produce plausible but inaccurate answers. Any output should be reviewed and verified, especially when it feeds a decision affecting people. A few good practices: set up an internal policy, designate approved tools, train teams, provide for human review, and avoid entering sensitive data into unvetted tools. Keeping a record of approved tools and review steps also helps demonstrate responsible use.
As the framework is evolving, it is advisable to update internal rules regularly and to consult your data protection officer in case of doubt.