Enabling AI across your company: a guide for data protection officers
Data protection officers can enable AI instead of banning it by removing personal data locally, before employees paste it into an AI tool.
Updated
Data protection officers can enable AI across the company instead of banning it, by removing personal data locally before employees paste it into an AI tool. The productivity gain stays, and no data is transmitted to the AI provider.
The dilemma: ban it, or lose control
Employees use AI anyway. An analysis by Cyberhaven (2023) found that around 11% of the content pasted into ChatGPT is confidential. A blanket ban rarely means less usage, it just means uncontrolled usage through personal accounts, out of sight of IT and data protection.
As a DPO, that leaves you with a bad choice: ban AI and lose the productivity benefit, or tolerate AI and give up control over personal data.
The third way: data minimization at the source
The GDPR requires data minimization (Art. 5) and appropriate technical measures (Art. 32). Local anonymization applies exactly there: personal data is removed on the employee’s device before anything reaches an AI tool. What leaves the machine no longer contains real names, addresses, or account numbers.
Because the processing happens locally, it creates no new transfer to yet another processor. That is the decisive difference from cloud-based anonymization services, which still send the data to someone else’s server.
Why context-aware detection lowers the error rate
Plain name detection flags every name the same way, including public bodies, courts, or cities, while missing personal data that is not a classic proper name. That produces both false alarms and gaps. Stript judges the context of each match and decides whether it is genuinely personal data. Employees confirm the suggestions before anything is anonymized.
What this achieves for you as a DPO
- An approvable, documentable solution instead of a shadow-AI problem.
- No new processing arrangement for the anonymization itself, since it is local.
- A verifiable process: the network traffic shows that no content is uploaded.
- Traceability, because the mapping is stored locally and encrypted.
Frequently asked questions
Is this a data-protection sign-off? No. Stript is a technical tool for data minimization. Assessing and approving it for your company remains your job; the tool supports it.
Can I roll it out company-wide? Yes. Stript runs as a local desktop application per workstation. Team and Business variants are planned for teams and central management.
Enable AI across your company without giving up control of personal data. Download Stript for free →