Data Privacy Action: What You Can Do for Others

Most organizations don't. Start with the basics: What AI tools are employees using? Is anyone pasting sensitive data into free-tier AI tools? Does the organization know which vendors use AI to process their data? A Virginia state agency with criminal penalties for data breaches doesn't have an AI policy. If a government agency hasn't figured this out, your client probably hasn't either. You can be the person who helps them get ahead of it.

Every vendor your client uses (payroll, CRM, email marketing, cloud storage, HR software) is potentially using AI to process data. Your client's SOC 2 compliance doesn't mean much if their vendors aren't also compliant. Help them ask: Does your vendor have a written AI use policy? Is client data used to train AI models? Where is data stored? Who has access? Can the client opt out of AI processing? If the vendor can't answer these questions clearly, that's a red flag. Build vendor AI policy review into your advisory practice.

Most organizations deploy AI tools with default settings and never configure them for their specific needs. The result: AI that agrees with everything, produces generic outputs, and doesn't push back on bad ideas. Help your clients configure their AI to challenge assumptions, ask clarifying questions, and flag risks. This isn't a technical problem. It's a leadership problem. AI should function as a thinking partner, not a yes-machine. If you want to go deeper on this, explore the AI Coworker Blueprint and AI Thinking Model frameworks.

Shadow AI is your biggest risk. Employees are using ChatGPT, Claude, Gemini, and other tools on personal accounts to do company work. Customer data, HR records, financial information, strategic plans, all flowing through tools the organization doesn't control and hasn't approved. Audit what tools are in use, which accounts are free vs. enterprise tier, and what data is being shared. Then build an approved tools list and train staff on why it matters.

Permissions are your biggest vulnerability. Microsoft Copilot and Google Gemini in Workspace can now surface data that sat quietly unnoticed for years, internal documents with overly broad sharing, old files in shared drives, messages that were never meant to be searchable. AI doesn't create the permission problem. It makes the existing problem visible and exploitable. Audit your permissions. Lock down shared drives. Review who can access what. Do it before AI does it for someone you don't want looking.

Your constituents trust you with sensitive data: names, addresses, health information, financial situations, family details. If your CRM vendor uses AI to process that data, your constituents' information may be part of a training dataset they never consented to. Review your vendor contracts. Ask the hard questions. And be honest with your constituents about what you know and what you're doing about it. Transparency builds trust. Silence erodes it.

You don't need to be an expert. You need a room, a screen, and this website. Walk your community through the consumers section. Do a live "privacy party" where people check their phone settings together. Show them the LLM comparison chart. Give them the government contact templates. One hour of guided exploration will do more for your community than a hundred social media posts about AI ethics.