
CHARTERED ACCOUNTANT - Generative AI and data protection: how to reconcile innovation and confidentiality? Académie Notebook No. 43


The dramatic rise of generative artificial intelligence is transforming professional practices, particularly in the accounting and legal professions. Since late 2022, tools such as ChatGPT, Copilot, Claude and Llama have become embedded in everyday use. They make it possible to draft, analyse, summarise and automate numerous tasks.

But one question is becoming increasingly pressing: what happens to sensitive data when it is used in these systems? Where is it stored? Who can access it? Is it used to train the models?

To address these concerns, the Académie des Sciences et Techniques Comptables et Financières published its Notebook No. 43 in April 2025: “Generative AI and data protection: confidentiality, GDPR, professional secrecy”. This document is the result of collaborative work by experts, in which Mirabile Avocat took part.

The objective is clear: to provide legal and practical safeguards to govern the use of generative AI, in particular within professions subject to strict confidentiality obligations.


Why generative AI is disrupting data protection

Generative AI is based on a simple principle: ingesting vast volumes of data to produce new content (text, code, images, etc.). Its effectiveness is undeniable, but it raises a paradox: the more powerful it is, the more it relies on the use of data that is often sensitive.

In the daily work of accounting professionals and lawyers, use cases are multiplying:

  • A chartered accountant tests ChatGPT to analyse accounting entries.
  • A finance department submits a cash flow statement to an AI tool to obtain an instant forecast.
  • A lawyer uploads a contract in order to obtain a summary or a clause review.

These practices raise fundamental questions:

  • Is the data sent to these tools stored?
  • Can it be reused to train the models?
  • What guarantees exist regarding its confidentiality?

In reality, generative AI does not create data-related risks. Rather, it acts as an accelerator, as it encourages the use of powerful tools that often fall outside the control of organisations.

Identified risks: confidentiality, GDPR and professional secrecy

The use of generative AI gives rise to a series of legal and organisational risks that directly affect regulated professions and businesses handling sensitive data.

Risks related to the GDPR

The General Data Protection Regulation (GDPR) strictly governs the processing of personal data. Using an AI tool often involves:

  • transfers outside the European Union (notably to the United States),
  • a lack of a clear legal basis to justify the use,
  • a lack of transparency regarding the purpose of the processing.

For example, submitting an accounting file containing information about employees or clients may constitute a breach of the GDPR if the tool does not comply with security and transfer obligations.

Risks to confidentiality and trade secrets

Beyond the GDPR, the protection of confidential data and trade secrets is at stake. Uploading strategic information (cost price, commercial negotiations, restructuring plan) into a chatbot could, in the absence of safeguards, expose that data to a third party or even to uncontrolled reuse.

Risks for regulated professions

Professions subject to professional secrecy (lawyers, chartered accountants, statutory auditors) face an additional challenge:

  • Professional secrecy covers all information entrusted by the client.
  • Using a tool that does not guarantee the absence of data leakage or reuse may constitute a breach of secrecy, exposing the professional to disciplinary and criminal sanctions.

A concrete example: a lawyer uses ChatGPT to analyse an employment dispute file. If the data entered is stored and reused, this may constitute a breach of professional secrecy under Article 226-13 of the Criminal Code.

The Académie's Notebook No. 43: practical guidance for accounting professionals

In response to these challenges, the Académie des Sciences et Techniques Comptables et Financières published a reference document in April 2025: Notebook No. 43.

Collaborative work by experts

The Notebook was drafted by a multidisciplinary group, bringing together legal professionals, lawyers, chartered accountants and academics. Among the contributors: Mirabile Avocat, long committed to issues relating to digital matters.

Practical questions at the heart of the document

The publication answers very concrete questions:

  • Can an accounting file be uploaded into ChatGPT or Copilot?
  • What risks does an audit firm face if it uses AI to analyse a client portfolio?
  • What minimum precautions must a business take if it wishes to experiment with generative AI?

Three key contributions of the Notebook

| Contribution | Description |
| --- | --- |
| Assessing the risks of generative AI | Analysis framework based on the nature of the data, its sensitivity and the status of the profession. |
| Implementing best practices | Data anonymisation, contracting with AI providers, raising team awareness. |
| Drawing on international experience | Recommendations from the United Kingdom, Canada and the United States cited in the Notebook. |

Provided for informational purposes only; does not constitute legal advice.

One central message emerges: generative AI does not create confidentiality problems, but it amplifies them. This calls for heightened vigilance, particularly for professions subject to professional secrecy.


What best practices should you adopt right now?

Notebook No. 43 does not stop at observations. It provides practical recommendations that firms and businesses can implement immediately.

Limit sensitive uses

Avoid uploading to a generative AI tool any document containing:

  • non-anonymised personal data (GDPR),
  • strategic information (trade secrets),
  • elements covered by professional secrecy.

Put in place internal AI usage charters

More and more businesses are creating usage charters to govern the use of AI by their staff. These charters define:

  • the authorised tools,
  • the types of data that may be entered,
  • the validation procedures to follow before use.

Secure contractual relationships

Businesses must include specific contractual clauses in their agreements with AI providers and their subcontractors:

  • data location,
  • a prohibition on training using the data entered,
  • confidentiality guarantees.

Regularly audit GDPR compliance

A periodic audit makes it possible to verify:

  • that the tools comply with security principles,
  • that the data is stored in accordance with European rules,
  • that individuals' rights (access, rectification, erasure) can be exercised.

Train your teams

Raising staff awareness is essential. The Notebook stresses the importance of internal training so that everyone understands:

  • what they may or may not do with generative AI,
  • the risks incurred in the event of poor practice,
  • the available alternatives (secure internal tools, sovereign solutions).

To learn more

Is generative AI compatible with professional secrecy?

The use of generative AI by accounting and legal professionals raises questions of confidentiality and professional secrecy. Notebook No. 43 of the Académie des Sciences et Techniques Comptables et Financières proposes legal safeguards to reconcile innovation and data protection.

What is the Académie's Notebook No. 43?

Notebook No. 43, published in April 2025 by the Académie des Sciences et Techniques Comptables et Financières, addresses generative AI and data protection: confidentiality, GDPR and professional secrecy. Mirabile Avocat took part in this collaborative work by experts.

What happens to sensitive data used in generative AI?

This is a central concern. The questions relate to where the data is stored, who can access it and whether it may be used to train the models. Notebook No. 43 aims to provide legal safeguards to protect professionals' sensitive data.

Does generative AI comply with the GDPR?

The use of generative AI tools must comply with the GDPR, in particular as regards the personal data processed. Notebook No. 43 examines these issues and proposes a framework to reconcile the innovation these tools offer with data protection requirements.

Which generative AI tools are concerned?

Tools such as ChatGPT, Copilot, Claude and Llama have become embedded in everyday use since late 2022. They make it possible to draft, analyse and automate tasks, but their use raises questions of confidentiality and the protection of sensitive data.

Why is confidentiality an issue for the accounting professions?

Chartered accountants and legal professionals handle sensitive data covered by professional secrecy. The use of generative AI creates a risk to the confidentiality of this data, which is why legal safeguards are important to govern these practices.

What is the objective of Notebook No. 43?

The objective is to provide legal safeguards enabling professionals to use generative AI while protecting sensitive data, in compliance with the GDPR and professional secrecy. It thereby reconciles innovation and confidentiality.

Is a lawyer helpful in governing AI within the accounting professions?

A lawyer helps accounting and legal professionals govern the use of generative AI, protect sensitive data and comply with the GDPR and professional secrecy. This support makes it possible to reconcile innovation and confidentiality.
