Chapter 8

Security and compliance

Build a data classification framework to protect the privacy of financial and HR data, ensure compliance requirements are met, and enable secure cross-department collaboration.

Code safety

Protect code security and prevent sensitive information leaks.

Code upload strategy

  • Do not upload sensitive code: Use local models to handle sensitive code
  • Code anonymization: Remove sensitive information such as API keys, passwords, and secret keys
  • Code review mechanism: AI assistance + human review to ensure safety
  • Allowlist mechanism: Clarify which code can be uploaded

API Key management

  • Unified key management tool: Use tools such as 1Password and Vault
  • Key rotation mechanism: Rotate API keys regularly
  • Key access control: Set access permissions and follow the principle of least privilege
  • Key usage monitoring: Record all key usage

Data protection and privacy

Establish a data classification framework and choose appropriate tools and processing methods based on data sensitivity.

Data classification system

Level 1: Public data

Information that can be made public, with no sensitive content

Tool selection:You can use any cloud AI tool
Example:Public technical documentation、Blog post、Public API documentation
Level 2: internal data

For internal use only, not publicly disclosed

Tool selection:Use enterprise edition tools (with data protection agreements)
Example:Internal technical documentation、Project documentation、Internal Wiki
Level 3: Sensitive data

Contains personal information and trade secrets

Tool selection:Use a local model (Ollama), do not upload to the cloud
Example:Employee information、Customer Data、Financial data
Level 4: Confidential data

Highly sensitive, legally protected

Tool selection:Do not use AI tools, or use a fully offline local model
Example:Financial data、Legal contracts、Medical records

Financial data privacy protection

Financial data classification
  • Public financial information: Can use cloud tools (such as public financial statements)
  • Internal financial data: Use enterprise tools, with a data protection agreement
  • Sensitive financial data: Use a local model (Ollama), fully offline
  • Confidential financial data: Use of AI tools is prohibited
Financial Data Usage Guidelines
  • Data anonymization: Financial data must be anonymized before use (amounts, account numbers, etc.)
  • Tool selection: Use the local model first for financial data
  • Approval workflow: Using AI tools to process financial data requires approval
  • Audit records: Record all AI tool usage related to financial data
Financial report generation
  • • Use Fabric to generate report templates (no actual data)
  • • Use local models to analyze financial data
  • • Use Cursor to write financial documents (without sensitive data)

HR data privacy protection

HR data classification
  • Public information: Job descriptions, publicly available training materials
  • Internal Information: Employee handbook, training plan
  • Sensitive information: employee personal information, performance data, salary information
  • Confidential information: Employee health information, background check data
HR data usage guidelines
  • Personal data protection: Employee personal information is not uploaded to the cloud
  • Data analysis: Use a local model to analyze employee data
  • Report generation: Use templates to generate reports, without including personally identifiable information
  • Compliance requirements: comply with GDPR, the Personal Information Protection Law, and other regulations
HR AI use cases
  • • Hiring JD generation: Use Fabric to generate job descriptions (without sensitive information)
  • • Interview question generation: use AI to generate interview question templates
  • • Training material writing: use Cursor to write training documents
  • • Data analysis: use a local model to analyze employee feedback (after anonymization)

Data anonymization

Data masking rules
  • • Personal information: name, ID number, mobile number → anonymized
  • • Financial information: amounts, account numbers, transaction records → anonymize
  • • Trade secrets: customer information, contract contents → anonymize
Anonymization tool
  • • Automatic anonymization script
  • • De-identification rule configuration
  • • Verify anonymization effectiveness
Anonymization process
  1. Data classification: identifying sensitive data
  2. Masking: apply masking rules
  3. Effect validation: check the masking effect
  4. Use AI tools: process anonymized data

Compliance requirements

Comply with relevant laws and regulations, and establish audit and logging mechanisms.

Compliance with laws and regulations

Personal data protection
  • • GDPR (EU)
  • • Personal Information Protection Law (China)
  • • Data minimization principle
  • • Principle of purpose limitation
Financial compliance
  • • Financial data protection
  • • Audit requirements
  • • Compliance checks
Industry compliance
  • • Medical data: HIPAA
  • • Financial data: financial regulation
  • • Education data: FERPA

Audit and logging

Tool usage log
  • • Record all AI tool usage
  • • Record data upload status
  • • Record the model selection status
API call log
  • • Record the time, content, and result of API calls
  • • Record token usage
  • • Record cost information
Sensitive data access logs
  • • Record access to sensitive data
  • • Record data anonymization status
  • • Record the approval process

Compliance check

Regular compliance checks
  • • Monthly check: compliance with tool usage
  • • Quarterly check: data protection compliance
  • • Annual check: comprehensive compliance audit
Remediation of compliance issues
  • • Find issues → fix them immediately
  • • Corrective actions → record archiving
  • • Improvement effect → verification confirmation
Compliance report
  • • Monthly compliance report
  • • Quarterly compliance report
  • • Annual audit report

Cross-departmental privacy protection collaboration

Establish cross-department collaboration standards to ensure data security.

Collaboration between HR and Finance

  • Data sharing standards: Clearly define which data can be shared
  • Tool selection: choose tools based on data sensitivity
  • Approval workflow: cross-department data usage requires approval

Legal and financial collaboration

  • Contract review: Use a local model to review finance-related contracts
  • Compliance check: Use AI tools to check financial compliance
  • Document generation: Use templates to generate financial and legal documents

Hands-on practice

Practice suggestion:

  • 1Establish a data classification framework (definitions and usage guidelines for Levels 1-4)
  • 2Design a financial data protection scheme (data classification, usage rules, approval process)
  • 3Establish HR data privacy protection processes (data classification, usage guidelines, compliance requirements)
  • 4Create cross-department collaboration guidelines (data sharing, tool selection, approval workflow)
  • 5Design compliance check process (regular checks, issue remediation, compliance reports)

Learning outcomes

After completing this chapter, you will:

  • 1Master data classification and protection methods (Level 1-4 data classification system)
  • 2Can protect the privacy of financial and HR data (data classification, usage guidelines, approval process)
  • 3Understand compliance requirements (legal and regulatory compliance, audit logs, compliance checks)
  • 4Master cross-department privacy protection collaboration methods (coordination guidelines for HR, finance, and legal departments)