Using ChatGPT at Work? New Legal Obligations Take Effect August 2
If your company uses ChatGPT or any other artificial intelligence tool in the workplace, mark August 2 on your calendar. Starting from this date, a set of new legal obligations kicks in that could significantly affect how businesses, employees, and HR departments handle AI-powered tools. Ignoring these rules is no longer an option — violations can result in substantial fines and reputational damage. Here is everything you need to know to stay compliant.
What Is Changing on August 2?
August 2 marks a critical enforcement milestone under the European Union's AI Act, the world's first comprehensive legal framework specifically designed to regulate artificial intelligence. While the regulation was officially published and entered into force in the summer of 2024, its provisions are being rolled out in phases. The August 2 deadline represents one of the most impactful phases for everyday business users — particularly those relying on general-purpose AI systems such as ChatGPT, Google Gemini, Microsoft Copilot, and similar tools.
From this date forward, companies operating within the EU — or offering services to EU-based users — must comply with a new tier of transparency, documentation, and accountability requirements when deploying AI at work.
Who Is Affected?
The obligations apply to a wide range of actors in the AI ecosystem. Understanding which category your organization falls into is the first step toward compliance.
Providers of AI Systems
Companies that develop and offer AI tools — such as OpenAI with ChatGPT — must comply with the most stringent set of requirements, including registering their systems in the EU database, providing technical documentation, and ensuring transparency with users.
Deployers (Businesses Using AI)
This category covers any company or professional using AI tools in a work context. If your business uses ChatGPT to draft emails, generate reports, support customer service, or automate HR processes, you fall into this category. Deployers have specific obligations that differ from those of providers, but they are no less important.
Employees and Individual Users
Individual workers are not exempt either. The law requires that employees who interact with AI tools in professional settings be properly informed and trained. HR departments will need to implement new onboarding procedures and update internal policies accordingly.
Key Legal Obligations for Businesses Using AI at Work
Here are the main obligations that come into effect starting August 2 for companies using general-purpose AI tools in the workplace:
1. Transparency and Disclosure
Companies must be transparent about when and how AI is being used in their workflows. This is especially important in human-facing applications — for example, if your company uses a chatbot powered by ChatGPT for customer support, users must be clearly informed that they are interacting with an AI system, not a human agent.
2. Risk Assessment and Documentation
Businesses must carry out a preliminary risk assessment for each AI application they deploy. This involves documenting the intended use, potential risks, and mitigation strategies. The documentation must be kept up to date and made available to authorities upon request.
3. Human Oversight
One of the cornerstones of the EU AI Act is the principle of meaningful human oversight. Companies must ensure that AI tools do not make fully autonomous decisions in high-stakes areas — such as performance evaluations, hiring, promotions, or dismissals — without adequate human review and intervention mechanisms in place.
4. Employee Training and AI Literacy
Starting August 2, there is a formal requirement for AI literacy. Companies must ensure that employees who use AI tools in their daily work are adequately trained. This does not mean everyone needs to become a data scientist — but workers must understand how the tools work, their limitations, and the ethical implications of using them.
5. Data Protection and GDPR Alignment
Using ChatGPT at work often involves processing personal data — whether it is client information, employee records, or sensitive business data. Companies must ensure that their use of AI tools remains fully aligned with the General Data Protection Regulation (GDPR). This includes reviewing data processing agreements with AI vendors and ensuring that no prohibited data transfers take place.
6. Prohibition on Certain AI Practices
The EU AI Act introduces an outright ban on several AI applications considered to pose unacceptable risks. These include:
- AI systems that manipulate individuals through subliminal techniques
- Social scoring systems used by employers to rank employees
- Real-time biometric surveillance in public spaces (with limited exceptions)
- AI that exploits the vulnerabilities of specific groups
Practical Steps Your Company Should Take Before August 2
If your organization has not yet started preparing, there is still time — but you need to move quickly. Here is a practical checklist to help you get compliant:
- Audit your current AI tools: Make a complete inventory of all AI systems used across departments, including ChatGPT, Copilot, automated scheduling tools, and AI-powered analytics platforms.
- Classify your AI use cases by risk level: Not all AI applications carry the same risk. The EU AI Act uses a tiered risk model — from minimal risk to high risk. Understanding where your use cases fall will determine your compliance obligations.
- Update internal policies: Revise your acceptable use policies, HR policies, and IT governance frameworks to explicitly address AI tool usage.
- Train your employees: Develop or source AI literacy training for staff. Even a basic introductory course can satisfy the law's requirements while improving responsible AI adoption.
- Review vendor contracts: Check the terms of service and data processing agreements with AI providers. Ensure that these agreements meet GDPR standards and that liability is clearly allocated.
- Appoint an AI compliance officer or team: For larger organizations, it may be necessary to assign a dedicated person or team to oversee AI governance.
What Are the Penalties for Non-Compliance?
The EU AI Act introduces a tiered penalty system that mirrors the structure of GDPR fines. Companies found to be non-compliant can face:
- Fines of up to €35 million or 7% of global annual turnover for violations related to prohibited AI practices
- Fines of up to €15 million or 3% of global annual turnover for non-compliance with other obligations
- Fines of up to €7.5 million or 1.5% of global annual turnover for providing incorrect information to authorities
Beyond financial penalties, companies risk significant reputational damage, loss of client trust, and potential litigation from employees or customers affected by non-compliant AI use.
ChatGPT Specifically: What You Need to Know
ChatGPT, developed by OpenAI, is classified as a general-purpose AI (GPAI) model under the EU AI Act. This means it is subject to specific transparency and documentation requirements. OpenAI, as the provider, bears the primary responsibility for complying with provider-side obligations — but this does not absolve businesses from their own duties as deployers.
For example, if your company uses ChatGPT to assist in writing performance reviews, you are responsible for ensuring human oversight of those reviews and for informing employees that AI was used in the process. If you use it to screen CVs, you enter high-risk AI territory and face a much more demanding compliance framework.
The Broader Context: Why These Rules Matter
The introduction of AI in the workplace is not just a technological shift — it is a social and legal transformation. Tools like ChatGPT can dramatically improve productivity, reduce costs, and enable innovation. But they also raise profound questions about fairness, privacy, accountability, and the future of work.
The EU AI Act is Europe's answer to these challenges. By establishing clear rules for AI use in professional settings, it aims to ensure that the benefits of AI are realized without undermining fundamental rights, worker protections, and democratic values.
For businesses, compliance is not just about avoiding fines. It is an opportunity to build trust with employees and clients, demonstrate ethical leadership, and position your organization as a responsible adopter of transformative technology.
Final Thoughts
August 2 is not a distant deadline — it is here. Whether you are a small business using ChatGPT to write marketing copy or a large enterprise integrating AI across multiple departments, the new legal obligations apply to you. The good news is that compliance is achievable with the right preparation, tools, and commitment.
Start with a clear inventory of your AI tools, invest in employee training, and work with legal and HR professionals to update your internal policies. The effort you invest now will not only keep you on the right side of the law — it will help you use AI more responsibly, effectively, and sustainably in the long run.
The era of unregulated AI in the workplace is over. The era of responsible, compliant, and human-centered AI has officially begun.