The 5 Questions Every Researcher Should Ask Before Using AI

marketingQual Researchgenerative ai
Written By Stefan Oglesby

In market research, we often ask consumers to share personal stories, opinions — sometimes even emotions.
That’s not just “data.” That’s trust.

When AI tools became part of our workflow, I quickly realized something:
not all of them treat that trust with the same respect.
Many send information to servers around the world, where control and compliance become blurry at best.

That’s why I set a personal rule:
If I use AI to analyze qualitative data — interviews, focus groups, open comments — there must be clear answers to these questions 👇

🧩 1. Where is the AI hosted?

Easy to verify.
The physical location of the servers determines which jurisdiction applies (e.g., United States → Cloud Act).

In practice, most AI models (OpenAI, Anthropic, Google, etc.) are hosted in the US — outside strict GDPR protection.
Even when companies claim to be “compliant,” it’s often based on Standard Contractual Clauses (SCCs) rather than true European-native compliance.

There are exceptions.
For instance, Microsoft’s Azure OpenAI Service allows enterprise clients to host models like GPT-4 in regional data centers (Switzerland, Germany, France).
In these cases, Microsoft — not OpenAI directly — ensures that data stays under local jurisdiction, offering stronger guarantees around data sovereignty.

👉 A fundamental question — and even though regional hosting options exist, they’re limited to enterprise-grade tools, not public AI platforms.

🔒 2. Is the environment truly GDPR-compliant?

⚠️ Not necessarily.
Many platforms claim to be “GDPR-compliant,” but that term is often used in a marketing sense, not a legal one.

True compliance depends on:

  • the legal basis for processing (consent, legitimate interest, etc.),

  • transparency with the user,

  • the ability to completely delete data on request.

👉 In reality, few systems are 100 % compliant.
A truly GDPR-compliant environment would mean that data never leaves Europe, and that traceability + deletion are guaranteed — something very few AI systems currently offer.

🧠 3. How is the data encrypted, stored, and deleted?

🟡 Not always clear.
Most providers encrypt data (in transit and at rest).
However:

  • few guarantee immediate and total deletion,

  • some retain logs for weeks or months “for security or service improvement.”

👉 Yes to encryption — but no guaranteed deletion unless you fully control your own infrastructure.

🧬 4. Can I guarantee that consumer data will never be reused to train other models?

🚨 Very often not.
By default, public AI models (ChatGPT, Gemini, Claude, etc.) may use submitted data to train or improve systems — unless you’re on an enterprise plan with explicit opt-out.
Even then, transparency is often partial (temporary logs, caching, etc.).

👉 Without a clear contractual agreement, you simply can’t guarantee full data isolation.

⚖️ 5. Is the AI compliant with the data protection laws of my client’s country?

⚠️ Rarely, if ever, fully.
GDPR is already demanding — but local laws in Canada, Brazil, or Switzerland differ.
Few AI providers adapt their data handling to each jurisdiction.

👉 Unless you host your own model locally (e.g., an open-source LLM), full compliance with every national framework remains nearly impossible today.

These are not minor details.
They define whether we respect the people behind the insights.

That’s why we designed Insight-lab, an AI tool built to meet these standards. — because behind every transcript, there’s a human voice that trusted us to protect it.

👉 How do you check that your research tools protect the people behind the data?

Stefan Oglesby
Next

The Cinderella of market research