Close your eyes and hope no one notices
One subject that comes up a lot (and I mean a lot) is using generative AI within organisations in relation to privacy laws: “Is it OK for our team to use ChatGPT?”, “We limit people to Copilot so we’re good?”, “If we tell employees not to paste anything private into their chats, we’re OK, right?”, …
Well, as always, it’s complicated.
Every time someone from your team pastes text into a chatbot, whichever one it is, that’s data processing. If that text contains anything that could identify a real person, that’s personal data under the GDPR and you need a lawful basis to process it.
It may seem like you’re just “asking the computer a question” but, legally, you’re sending personal data to a third party. Usually outside Europe.
Most people I talk to about this just close their eyes and hope no one notices.
It also might feel like it’s no different than using a standard cloud service. After all, data processing agreements already exist for this. But AI chatbots are different, if not worse.
With normal cloud stuff, data stays where you put it. With generative AI, the data is actively processed by a model and, depending on the subscription, could be used to train future ones. This is definitely true on the free or lower-tier subscriptions.
There are usually opt-outs on (expensive) enterprise tiers, but “usually” doesn’t pair well with “compliance”.
If you want to be compliant, you need a Data Processing Agreement (DPA) with the service. That means you need to be on an enterprise subscription at minimum. And, to be fair, I’m not even sure that would suffice if someone dug deep enough.
There are anonymisation tools out there that sit between you and the chatbot and promise to scrub any personal data before it gets there. These are harm reduction, though, not harm elimination. Some data will get through and that’s enough to put you at risk. And you’ll need to sign a DPA with that service too!
So, it’s basically impossible to use chatbots without risk. That begs the question: is it worth it? Will it really help your work or is it just another tool you’re being pressured to adopt?
If you believe you need generative AI, get a proper subscription and a DPA, and educate your team about what data is allowed. Then close your eyes and hope no one notices…
Colin