ChatGPT and Data Protection Laws

Things are moving very quickly in the AI/Generative Pretrained Transformer (GPT) business. This is a super-competitive world, with Google, Microsoft, Meta, IBM and many others competing, and more to come.

But there are still privacy laws to deal with and a court system that is ill-prepared to even fully understand the problem.

There are already many class action lawsuits filed, but right now most of the lawsuits are against the tool makers like Meta and Microsoft/OpenAI.

But give the attorneys some time and they will, guaranteed, start going after the end users of AI tools (that would be you). It is only a matter of time.

One concern is the sharing of personal information (PII) with an AI tool which will then assimilate that data into its model. It seems neat to be able to input a customer’s query into a GPT and get a personalized answer in seconds. But you may be breaking the law.

Another big concern is the input of corporate proprietary information into a GPT. Samsung has banned the use of GPTs because of multiple episodes of uploading sensitive data to a GPT.

As I said above, AI tools are not exempt from laws like GDPR, HIPAA, PCI and CCPA, among many others. And there seem to be new laws every week.

So what are some recommendations for businesses?

  1. Train employees. Employees need to understand what is legal and what is not and what is acceptable under corporate policies.
  2. Obtain explicit customer consent. This may also require conducting a privacy impact assessment (PIA), depending on specific state laws. Hoping your actions will go under the radar is not a smart plan.
  3. Implement data minimization whenever possible. To the degree that you can do this, you reduce the potential for data to be stolen or exposed.
  4. Review and update your data protection policies regularly. Things keep changing and that is not likely to end any time soon.

In about a dozen states, consumers have rights like the right to be forgotten. How do you plan to honor that if you feed that data into a GPT?

It is also possible to replace PII with synthetic data. It is not easy and the odds of missing something are greater than zero, but it may be an option.
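As an illustration of that substitution step (an added example, not code from this post or from any vendor), the sketch below swaps a few structured identifiers for typed placeholder tokens before a query is sent to a GPT and restores them in the answer locally. The function names, patterns and sample query are assumptions made for the example, and placeholder tokens are used here in place of realistic synthetic values.

```python
import re

# Patterns for a few structured identifiers only. Free-text PII such as
# names and street addresses is not covered; that is the residual risk.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

def pseudonymize(text):
    """Swap matched identifiers for stable tokens; return (text, mapping)."""
    mapping, seen, counts = {}, {}, {}
    for label, pattern in PATTERNS.items():
        def swap(match, label=label):
            value = match.group(0)
            if value not in seen:  # same value always gets the same token
                counts[label] = counts.get(label, 0) + 1
                seen[value] = f"<{label}_{counts[label]}>"
                mapping[seen[value]] = value
            return seen[value]
        text = pattern.sub(swap, text)
    return text, mapping

def restore(text, mapping):
    """Put the original values back into the tool's answer, locally."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text

# Constructed sample query; every value in it is made up.
SAMPLE = ("Jane Roe (jane.roe@example.com, 303-555-0134, SSN 123-45-6789) "
          "asks why her refund is late. Reply to jane.roe@example.com.")

if __name__ == "__main__":
    safe, mapping = pseudonymize(SAMPLE)
    print(safe)      # the only text that leaves your network
    print(mapping)   # stays local; needed to restore the answer
```

The customer's name passes through untouched because no pattern covers it, which is the "odds of missing something" problem in practice.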

If you need help working through these issues, please contact us.

Credit: Helpnet Security
