Practical guide: framing AI in your association or your foundation

20.05.26 | Uncategorized

Let’s take action. How do you implement a realistic, effective and protective framework for AI use in your association?

 

Step 1: The honest audit (without judgment)

Why start there?

You cannot regulate what you do not know. And above all: you cannot forbid what is already massively being done. The first step is not to create a policy. It is to map reality.

How to carry out this audit?

Anonymous survey (this is crucial!)

Questions to ask:

  • Do you use AI tools in your work? (ChatGPT, Claude, Gemini, others)
  • How often? (daily, weekly, monthly, occasional)
  • For what types of tasks? (writing, analysis, translation, summary, advice, code, etc.)
  • With what types of information? (personal data of beneficiaries, internal strategy, financial documents, public content)
  • Do you know if your data is used to train the models?
  • Have you ever hesitated to use AI out of fear? If yes, why?

Format: Anonymous online form, maximum 5 minutes. The objective is NOT to monitor, but to UNDERSTAND.

What you will discover

  • 80–90% of your team already uses AI
  • Practices vary greatly (from very cautious to very risky)
  • Many questions and uncertainties
  • A real need for support

Good news: You are not creating a problem. You are solving a problem that already existed.

 

Step 2: The realistic usage policy

Start from reality, not from the ideal

Common mistake: Creating a “zero AI” policy or an “everything must be validated by the DPO” policy.

Result: No one respects it, and everything continues underground.

Realistic approach: Create three clear categories.

The three levels of use

🟢 AUTHORIZED (without prior validation).

Examples:

  • Improvement of public texts (social media posts, blog articles)
  • Translation of non-sensitive content
  • Creative idea generation (project names, slogans)
  • Summary of public documents
  • Generation of visuals for communication

Condition: No personal or sensitive strategic data

🟡 TOLERATED WITH PRECAUTIONS (anonymization protocol).

Examples:

  • Writing responses to beneficiary situations (after full anonymization)
  • Analysis of internal reports (after removing identifying data)
  • Improvement of grant applications (generic version only)

Conditions:

  • Strict anonymization (names, specific places, dates, exact amounts)
  • Use of typical cases
  • Peer review before sending

🔴 FORBIDDEN (without exception).

Examples:

  • Copy-pasting personal data of beneficiaries
  • Detailed and nominative financial information
  • Health data
  • Situations involving minors with identifiable details
  • Confidential strategies with names of partners/competitors
  • Non-finalized contractual documents

Why: Major legal risks (GDPR, AI Act) and reputational risks

The policy document (1 page maximum)

Your policy must fit on one A4 page. If it is longer, no one will read it.

Simple structure:

  • Why we regulate (2–3 sentences)
  • The 3 categories with concrete examples
  • In case of doubt: who to contact?
  • What to do in case of error? (reporting procedure without sanction)

An example: our AI commitment charter

 

Step 3: Technical solutions

Option 1: Paid versions with contractual guarantees

For whom? Teams using AI daily

Solutions:

  • ChatGPT Team/Enterprise (guarantees that your data is not used for training)
  • Claude Pro (same guarantees)
  • Microsoft Copilot 365 (integrated with your Office suite, possible EU servers)

Budget: €20–50/month/user

Advantages:

  • Clear contractual guarantees
  • Professional support
  • Easier GDPR compliance
  • Secure history

To negotiate: Data location (European servers preferred)

Option 2: Strict anonymization protocols

For whom? Occasional use or limited budget

Rule of the 5 removals:

  • Names → “a person”, “a beneficiary”, “Marie” becomes “Person A”
  • Specific locations → “a city of 50,000 inhabitants” instead of “Monza”
  • Exact dates → “a few months ago” instead of “March 15, 2024”
  • Exact amounts → “around €10,000” instead of “€8,247.50”
  • Ultra-specific details → generalize as much as possible
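
A pre-send helper for the rule of the 5 removals, added here as an illustration (it is not part of the original guide). It assumes the author supplies the names and places from the case file; the function name, the `[approximate date]` placeholder and the one-significant-figure rounding are choices made for this example.

```python
import re

MONTHS = "January|February|March|April|May|June|July|August|September|October|November|December"
DATE_RE = re.compile(rf"\b(?:{MONTHS}) \d{{1,2}}, \d{{4}}\b|\b\d{{1,2}}[./]\d{{1,2}}[./]\d{{2,4}}\b")
AMOUNT_RE = re.compile(r"€\s?(\d{1,3}(?:,\d{3})+(?:\.\d+)?|\d+(?:\.\d+)?)")
# Removal 5 (ultra-specific details) cannot be automated: emails and
# phone-like numbers are only flagged so a human generalizes them.
RESIDUAL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|\+?\d[\d\s-]{7,}\d")


def round_amount(match):
    """Exact amount -> one significant figure (assumption of this example)."""
    value = float(match.group(1).replace(",", ""))
    if value < 1:
        return "a small amount"
    magnitude = 10 ** (len(str(int(value))) - 1)
    return f"around €{round(value / magnitude) * magnitude:,}"


def apply_five_removals(text, names, places):
    """Return (anonymized_text, residual_identifiers).

    names:  known names from the case file (up to 26), mapped to Person A, B, ...
    places: dict of specific place -> generic description
    An empty residual list means the automated checks found nothing more;
    peer review before sending still applies.
    """
    for i, name in enumerate(names):
        label = f"Person {chr(65 + i)}"
        text = re.sub(rf"\b{re.escape(name)}\b", lambda _: label, text, flags=re.IGNORECASE)
    for place, generic in places.items():
        text = re.sub(rf"\b{re.escape(place)}\b", lambda _: generic, text, flags=re.IGNORECASE)
    text = DATE_RE.sub("[approximate date]", text)   # reviewer rewrites as "a few months ago"
    text = AMOUNT_RE.sub(round_amount, text)
    return text, RESIDUAL_RE.findall(text)


# Constructed sample text, not real data.
SAMPLE = ("Marie, who lives in Monza, contacted us on March 15, 2024 about a debt "
          "of €8,247.50. Her email is m.r@example.org and she asked for a call back.")

if __name__ == "__main__":
    clean, residual = apply_five_removals(
        SAMPLE, ["Marie"], {"Monza": "a city of 50,000 inhabitants"})
    print(clean)
    print("Still to generalize by hand:", residual)
```

Anything returned in the residual list should block sending until a person has rewritten it.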

Template to provide to your teams:

❌ Risky version
“…”

✅ Anonymized version
“…”

 

Option 3: Alternative tools and local hosting

For whom? Associations with highly sensitive data or significant IT budget

Solutions:

  • Locally hosted open-source models (Llama, Mistral)
  • Certified European platforms
  • Isolated environments (dedicated servers, VPN)

Advantages: Full data control
Disadvantages: Cost and technical expertise required

 

Step 4: Training and support

Train rather than forbid

Training module (2 hours)

Part 1: Understanding (30 min)

  • How AI really works
  • What happens with your data
  • GDPR and AI Act risks

Part 2: Practice (1h)

  • Group anonymization exercises
  • Real-life cases
  • What is OK and what is not

Part 3: Tools (30 min)

  • Access to paid tools
  • Anonymization templates
  • Who to contact

Appoint AI referents

Role: Not control, but support

Step 5: Continuous improvement culture

Quarterly AI meeting

  • Feedback
  • Incidents (no sanctions)
  • Updates
  • Adjustments

 

Step 6: Turn constraint into opportunity

Value your approach

  • For funders
  • For beneficiaries
  • For teams

 

Realistic timeline

Month 1: Audit + policy
Month 2: Training + tools
Month 3: Implementation

 

Conclusion

AI without a framework is over.

You now have all the keys to transform this invisible and risky practice into a controlled and protective usage.

Where to start Monday morning?
→ Launch the anonymous survey

Need support?
We help associations implement responsible AI strategies. Let’s talk.
