As the capabilities of AI continue to expand, governments and regulatory bodies are racing to define the rules that will govern its use. While specific AI laws are yet to be codified, it is increasingly clear that organizations and AI providers must exercise caution in the deployment and use of generative AI technologies.
This is particularly evident in the context of data privacy, with existing regulations like the General Data Protection Regulation (GDPR) extending their reach to encompass AI applications.
A recap of the GDPR
The EU General Data Protection Regulation (EU GDPR), adopted in 2016 and enforceable since May 2018, marked a significant milestone in data privacy legislation. It set a global benchmark, prompting countries worldwide to reassess how they safeguard consumer privacy.
Note that if your organization handles the personal data of individuals in the EU, the GDPR applies to you, regardless of where your organization is located.
Under the GDPR, individuals have the following rights:
- Access: The right to request access to their personal data
- Correction: The right to request that errors in their personal information be corrected
- Portability: The right to request that their personal information be transferred to another entity
- Erasure: The right to request their personal information is erased
- Consent: The right to choose whether their personal information can be shared with or sold to third parties, or used for advertising purposes
- Appeal: The right to appeal or lodge a complaint with a supervisory authority if a business denies one of the above requests
In addition to granting individuals these fundamental rights, the GDPR also establishes a framework of controls that organizations are obligated to implement to ensure the confidentiality, integrity, and availability of personal information. These controls encompass:
- Privacy by design: The organization must implement a data management system built on the principles of privacy by design, employing techniques such as data mapping and data loss prevention (DLP). The goal is a system in which the organization knows where all personal data is at all times, and in which that data is protected appropriately according to its sensitivity.
- Record keeping: The organization must maintain adequate records for all personal information collected, processed, and used throughout its lifecycle.
- Data minimization: Organizations must only collect the information they need from an individual to accomplish a specific purpose. This information, especially if it is deemed sensitive, must only be kept for the duration needed to serve its intended purpose, after which it should be deleted (see the sketch after this list).
- Informed consent: Organizations must gain informed consent from individuals before collecting their data. They must be transparent about the intended uses, in language that is clear and simple to understand, and the individual may decline the request as they see fit.
- Data protection officers & data protection impact assessments: Organizations, where applicable, will appoint a data protection officer to oversee compliance and privacy initiatives. As part of their duties, they will also perform data protection impact assessments (DPIAs) to identify and mitigate risks.
- Cybersecurity effectiveness: Organizations should implement cybersecurity best practices to safeguard data from malicious actors and accidental leakage.
- Data breach notifications: Organizations must prepare and rehearse an incident response plan, which should be put into action in the event of a data breach. Part of the incident response process includes notifying appropriate entities in a timely manner.
- Employee education & training: Employees must be educated on privacy protection policies, and access to sensitive information must be restricted to employees with a genuine need to know.
- Third-party risk management: Organizations must take into account their partners and suppliers within their risk management framework, ensuring that contracts include language and controls regarding how suppliers will protect personal information.
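To make data minimization concrete, the sketch below shows one way a retention schedule might be enforced in code. It is a minimal illustration under stated assumptions, not a prescribed implementation: the record structure, purposes, and retention periods are all hypothetical, and a production system would operate against a real data store under a documented retention policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: how long each purpose justifies
# keeping the data. Real periods come from your retention policy.
RETENTION_PERIODS = {
    "order_fulfilment": timedelta(days=365),
    "marketing": timedelta(days=730),
}

@dataclass
class PersonalDataRecord:
    subject_id: str
    purpose: str           # the specific purpose the data was collected for
    collected_at: datetime

def purge_expired(records: list[PersonalDataRecord]) -> list[PersonalDataRecord]:
    """Keep only records still within their purpose's retention period."""
    now = datetime.now(timezone.utc)
    return [
        r for r in records
        if now - r.collected_at <= RETENTION_PERIODS[r.purpose]
    ]

# Run on a schedule (e.g., a nightly job) so personal data is deleted
# once it has served its stated purpose.
records = [
    PersonalDataRecord("subj-1", "order_fulfilment",
                       datetime(2022, 1, 1, tzinfo=timezone.utc)),
]
records = purge_expired(records)
```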
The above list of principles and rights is not an encyclopedic take on the GDPR. The regulation has 99 articles with many more nuanced controls and principles.
The GDPR & generative AI: where organizations stand
Already, some data protection authorities (DPAs) have taken action against generative AI providers for GDPR non-compliance. In March 2023, for example, Italy's DPA, the Garante, issued an emergency order that temporarily blocked OpenAI, the company behind ChatGPT, from processing personal data belonging to people in Italy.
The Garante cited several potential violations of GDPR provisions, including concerns about lawfulness, transparency, and the protection of data subject rights, among other issues. A month later, OpenAI made adjustments in response to the DPA's requirements, leading to the lifting of the ban, at least for now.
While the Garante was the first DPA to investigate generative AI and data protection compliance, it certainly won’t be the last. In fact, since then, DPAs in Canada, Brazil, South Korea and the US have all launched data privacy investigations into generative AI platforms.
8 steps to GDPR-compliant generative AI
Although the spotlight has, so far, been on providers themselves, organizations must also prioritize compliance. Despite their newness, platforms like Bard and ChatGPT fall under the remit of the GDPR, and companies that use them must do so lawfully.
With that in mind, here are eight steps to follow to ensure the compliant use of generative AI in the enterprise:
- Lawfulness of processing: When dealing with personal data, it’s essential to establish a suitable lawful basis, such as obtaining consent or demonstrating legitimate interests.
- Roles and responsibilities: If you’re using or adapting models created by others, you will need to consider whether you are a controller, joint controller, or processor. As part of this, you will need to establish a robust data processing agreement, outlining the delineation of roles, responsibilities, and data protection obligations between your company and the provider.
- Data Protection Impact Assessment (DPIA): Prior to initiating any personal data processing, conduct a DPIA to assess and mitigate potential data protection risks. Keep your DPIA up to date as the processing and its associated impacts evolve.
- Transparency: Unless specific exemptions apply, you must make information about the processing publicly accessible. If feasible without undue effort, directly communicate this information to individuals whose data is involved.
- Security risks: Determine how you will mitigate security risks such as data theft and leakage, for example with data loss prevention controls (a minimal sketch follows this list).
- Data minimization: Collect only data that is relevant and essential to fulfill your stated purpose.
- Individual rights: Put processes in place to respond to requests from individuals exercising their rights over their information.
- Automated decision-making: Do you plan to use generative AI for solely automated decisions? If so, you must be aware of additional privacy rights within the GDPR.
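Steps 5 and 6 often translate into technical controls at the boundary where prompts leave the organization. The sketch below illustrates the idea with pattern-based redaction applied before a prompt is sent to a generative AI service. The patterns are deliberately naive examples added here for illustration; real DLP tooling relies on far more robust detection (validated formats, context analysis, classifiers) than two regexes.

```python
import re

# Illustrative patterns only; production DLP detection is far more
# sophisticated than these simple regexes.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]*\w"),
    "PHONE": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}

def redact(prompt: str) -> str:
    """Replace detected personal data with typed placeholders
    before the prompt ever leaves the organization."""
    for label, pattern in PATTERNS.items():
        prompt = pattern.sub(f"[{label}]", prompt)
    return prompt

print(redact("Email jane.doe@example.com or call +44 20 7946 0958."))
# -> Email [EMAIL] or call [PHONE].
```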
From planning to action with Polymer DLP
To implement the above steps, organizations need to assemble a proficient team capable of interpreting the applicable rules governing their operations. This team will take responsibility for identifying potential conflicts with the GDPR, implementing processes and tools to mitigate risk, and staying informed about emerging regulations that might impact their existing compliance strategy.
The ideal composition of this team should encompass legal counsel, a data protection officer (DPO), experts in data management and security, a privacy officer, and reliable IT personnel. With this team in place, harnessing the potential of generative AI while upholding stringent data protection measures becomes much more realistic.
Furthermore, as highlighted in steps 5 and 6 above, investing in DLP is of paramount importance, and this is where we step in. As industry leaders in DLP and compliance for cloud applications, we are at the forefront of cloud data governance for GenAI.
Here’s how our tool helps you meet GDPR obligations while using generative AI.
- Bi-directional monitoring: Safeguard sensitive data in real time with Polymer DLP for AI. Our advanced monitoring system scans and analyzes conversations, whether initiated by employees or generated by ChatGPT, to prevent data exposure. Bi-directional monitoring ensures that sensitive data is never received by employees, even if inadvertently generated by ChatGPT (a conceptual sketch follows this list).
- Logs & audits: Elevate your data security with Polymer DLP for AI’s robust logging and audit features. Gain comprehensive insights into employee transactions, track policy violations, investigate data breaches, and monitor ChatGPT’s usage patterns.
- E-discovery for GenAI interactions: Polymer DLP for AI empowers organizations to efficiently search for and retrieve relevant generative AI interactions when faced with e-discovery requests. This capability helps meet legal and regulatory obligations, streamlining investigations, audits, and legal proceedings.
- User training & nudges: Our platform supports point-of-violation training, delivering real-time nudges to users when violations occur. This approach has been shown to reduce repeat violations by over 40% within days. Additionally, Polymer offers workflows that enable users to take responsibility for sharing sensitive data externally when it aligns with business needs.
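To ground the bi-directional monitoring idea, here is a conceptual sketch of checking both directions of a conversation. To be clear, this is not Polymer's actual API: `contains_sensitive_data` is a hypothetical stand-in for a real detection engine, and the sketch shows only the control flow, not production detection logic.

```python
# Conceptual sketch only; NOT Polymer's actual API.

def contains_sensitive_data(text: str) -> bool:
    # Hypothetical stand-in: a real DLP engine combines pattern matching,
    # context, and classifiers. Here we naively flag anything email-like.
    return "@" in text

def guarded_chat(prompt: str, send_to_model) -> str:
    # Outbound check: stop sensitive data before it reaches the model.
    if contains_sensitive_data(prompt):
        return "[blocked: prompt contained sensitive data]"
    response = send_to_model(prompt)
    # Inbound check: stop sensitive data the model may have generated.
    if contains_sensitive_data(response):
        return "[blocked: response contained sensitive data]"
    return response

# Usage with a dummy function standing in for a real model call:
print(guarded_chat("Summarize our Q3 roadmap.", lambda p: "Here is a summary..."))
```

A real deployment would also log both blocked and allowed exchanges, which is what makes the audit and e-discovery capabilities described above possible.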
To learn more about Polymer DLP for AI, read our whitepaper today.