Why read this article?
Imagine a bank advisor copying a client's statement into an artificial intelligence (AI) assistant to summarize their credit profile. The summary arrives quickly, and it seems useful. But one question remains open: is the client's information retained by the tool? Can it be read by someone else? Can it be used to improve the service without clear consent?
Also imagine a hospital or university wanting to classify patient or student files. Should names, grades, diagnoses, identification documents, and addresses be masked before use? Who verifies that these files are not stored longer than necessary? Before asking an AI to 'save time,' one must know what it does with your data.
What is it, concretely?
Knowing whether an AI protects your data means checking if it treats your information like a bank treats its clients' money. A simple phrase: before using an AI, ask seven questions about what it receives, why it receives it, who can access it, where the data is stored, how long it remains, how it is rendered unreadable to unauthorized persons, and whether it is used to train the tool. The issue is not only technical: it is also a legal, financial, and trust risk.
Why this is important for you
- Banks: A statement, transaction history, or client identification document should be treated as sensitive assets, not just as simple text to copy and paste.
- Administrations: Civil status, tax, or land files require clear traceability: who accesses what, when, and for what reason?
- Universities: Grades, disciplinary records, unpublished theses, and student information must be anonymized before analysis.
- Hospitals: A diagnosis or test result can expose a person to medical, social, insurance, or legal harm.
- Small and medium-sized enterprises (SMEs): Human resources data, salaries, CVs, evaluations, or geolocation should not feed opaque decisions.
Views from Gabon and Africa
In Gabon, imagine an SME in Libreville wanting to use an online AI to analyze client files, or a university wishing to sort enrollment files. The first question should not be: 'Is the tool efficient?' but: 'Where do the data go?'. Gabonese law provides for an authority responsible for the protection of personal data and privacy, the Authority for the Protection of Personal Data and Privacy (APDPVP). It also stipulates that a transfer of personal data to another state requires authorization and a sufficient level of protection. For Francophone Africa, the issue is clear: an imported AI must comply with local rules, not just the supplier's conditions.
To go further
For digital teams, several benchmarks exist. The National Institute of Standards and Technology Artificial Intelligence Risk Management Framework (NIST AI RMF) helps structure risks. The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 42001 standard organizes AI management. The Open Worldwide Application Security Project (OWASP) Top 10 for Large Language Model Applications addresses the risks of large language models (LLM), including prompt injection. Microsoft Presidio and Google Cloud Sensitive Data Protection, also known as Data Loss Prevention Application Programming Interface (DLP API), detect or mask sensitive data. Open Policy Agent (OPA) automates certain access rules.
Sources
- CNIL — AI: consider data protection in data collection and management
- CNIL — Guide to Personal Data Security 2024
- NIST — Artificial Intelligence Risk Management Framework AI RMF 1.0
- ISO — ISO/IEC 42001:2023 AI management systems
- OWASP — Top 10 for Large Language Model Applications
- IBM — Cost of a Data Breach Report 2025
- Official Journal of Gabon — Law No. 025/2023 on Personal Data
- African Union — Convention on Cyber Security and Personal Data Protection


