What are the biggest risks for employers?


If you're an employer willing to experiment with generative AI tools like ChatGPT, there are some data protection pitfalls you'll need to consider. With the rise of privacy and data protection legislation in recent years – in the US, Europe and around the world – you can't just feed HR data into a generative AI tool. After all, personnel data is often highly sensitive, including performance data, financial information, and even health data.

Obviously, this is an area where employers should seek appropriate legal guidance. It's also a good idea to consult with an AI expert about the ethics of using generative AI (so you're not only working within the law, but also ethically and transparently). But as a starting point, there are two important considerations that employers should be aware of.

Feeding personal data into generative AI systems

As I said, employee data is often highly sensitive and personal. This is exactly the type of data that, depending on your jurisdiction, is usually subject to the highest forms of legal protection.

And that means feeding that data into a generative AI tool is extremely risky. Why? Because many generative AI tools use the information given to them to refine the underlying language model. In other words, the tool may use the information you feed it for training purposes – and possibly disclose that information to other users in the future. So, let's say you use a generative AI tool to create a report on employee compensation based on internal employee data. That data could potentially be used by the AI tool to generate responses for other users (outside your organization) in the future. Personal data can, very easily, be absorbed and reused by a generative AI tool.

This is less hidden than it sounds. Review the terms and conditions of many generative AI tools, and they will clearly state that data submitted to the AI can be used for training and fine-tuning, or disclosed when users ask to see examples of previously submitted questions. So, the first port of call is to always understand what you're signing up for when you agree to the Terms of Use.

As a basic safeguard, I would recommend that any data submitted to a generative AI service be anonymized and stripped of personally identifiable data. This is also called de-identifying the data.
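As an added illustration (not part of the original article), here is one way to de-identify HR records before any of them reach a generative AI service. The field names, the `deidentify` helper and the sample rows are all constructed for this example, and the demo key stands in for a secret that would be kept inside the organization.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample HR rows; names, addresses and figures are made up.
ROWS = [
    {"name": "Ana Ruiz", "email": "ana.ruiz@example.com", "role": "Engineer",
     "age": 34, "salary": 91000, "notes": "on medical leave in March"},
    {"name": "Ben Okoye", "email": "ben.okoye@example.com", "role": "Engineer",
     "age": 41, "salary": 97500, "notes": ""},
    {"name": "Chloe Tan", "email": "chloe.tan@example.com", "role": "Engineer",
     "age": 29, "salary": 84000, "notes": ""},
    {"name": "Dev Patel", "email": "dev.patel@example.com", "role": "Counsel",
     "age": 52, "salary": 150000, "notes": "performance plan"},
]

def pseudonym(key: bytes, value: str) -> str:
    """Stable keyed token: same person, same token, only while the key is the same."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256)
    return "emp_" + digest.hexdigest()[:12]

def band(value: int, width: int) -> str:
    """Generalise a number to a range, e.g. 91000 -> '90000-99999'."""
    low = value // width * width
    return f"{low}-{low + width - 1}"

def deidentify(rows, key: bytes, k: int = 3):
    """Allow-list export: only derived fields leave the organisation.
    Name, email and free-text notes are never copied. Roles held by fewer
    than k people are dropped, because a rare role plus a salary band can
    still single one person out."""
    role_sizes = Counter(r["role"] for r in rows)
    out = []
    for r in rows:
        if role_sizes[r["role"]] < k:
            continue  # small group: suppress instead of exporting
        out.append({
            "id": pseudonym(key, r["email"]),
            "role": r["role"],
            "age_band": band(r["age"], 10),
            "salary_band": band(r["salary"], 10000),
        })
    return out

if __name__ == "__main__":
    # Constructed demo key; a real key would come from a secret store.
    for row in deidentify(ROWS, key=b"constructed-demo-key"):
        print(row)
```

The tokens are pseudonyms, so whoever holds the key can link them back to a person; keep the key and the original table out of anything sent to the service.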

Risks related to generative AI outputs

It's not just about the data you feed into a generative AI system. There are also risks associated with the output or content created by generative AIs. In particular, there is a risk that the output from generative AI tools may be based on personal data that was collected and processed in violation of data protection laws.

For example, let's say you ask a generative AI tool to generate a report on IT salaries specific to your local area. There is a risk that this tool could scrape personal data from the internet – without consent, in violation of data protection laws – and then pass that information on to you. Employers who use any personal data supplied by a generative AI tool may bear some liability for a data protection breach. This is a legal gray area for now, and most likely, the generative AI provider will bear most or all of the liability, but the risk is there.

Such cases are already coming up. In fact, one lawsuit claims ChatGPT was trained on “vast amounts of personal data,” including medical records and information about children, collected without consent. You don't want your organization to be unwittingly caught up in a lawsuit like this. Basically, we're talking about the “inherited” risk of breaching data protection laws. But it is a risk nonetheless.

In some cases, gathering data that is publicly available on the internet does not count as collecting personal data, because the data is already public. However, this varies from jurisdiction to jurisdiction, so be aware of the nuances of your jurisdiction. Also, do your due diligence on any generative AI tools you're considering using. Look at how they collect data and, where possible, negotiate a service agreement that minimizes your inherited risk. For example, your contract may include an assurance that the generative AI provider complies with data protection laws when collecting and processing personal data.

Way forward

It is important that employers consider the data protection and privacy implications of using generative AI and seek expert advice. But don't let that put you off using generative AI entirely. Used carefully and within the bounds of the law, generative AI can be an incredibly valuable tool for employers.

It is also worth noting that new tools are being developed that take data privacy into account. One example comes from Harvard, which has developed an AI sandbox tool that enables users to use some major language models, including GPT-4, without giving away their data. The prompts and data entered by a user can only be viewed by that individual, and cannot be used to train models. Elsewhere, organizations are building their own proprietary versions of tools like ChatGPT that don't share data outside the organization.
