What you should know about the use of artificial intelligence
Artificial intelligence, ChatGPT and OpenAI are currently on everyone’s lips. Perhaps your company is also considering using these services – or maybe projects are already underway?
What does this mean from a data protection perspective?
There are currently no data protection requirements in Europe specifically governing the use of artificial intelligence (AI). The general, strict rules of the GDPR therefore apply.
It is important to note that employees cannot/may not decide on their own whether and how they use AI in the workplace. The company must make the decisions on this and e.g. summarize them in a policy.
If AI is going to be used: If possible, avoid using personal data. Then the data protection laws will not apply. Don’t just consider about the data that you enter into the AI (such as customer data), but also your own data as a user of the AI.
Where possible, you should anonymize the data beforehand: One example would be when using AI to write a letter, you only write “addressee” instead of the recipient’s real name. And with regard to the data of AI users, you could use a separate email address to log in (for example AI@xxx.com).
If processing personal data is unavoidable when using AI, please observe the usual data protection regulations.
Consider in particular:
- Before using AI, check whether a data protection impact assessment is necessary.
- Clarify whether a data processing agreement or joint controller agreement needs to be concluded with the AI service provider.
- Provide the data subjects with a data protection notice for the processing.
- Document the data processing in foxondo or your register of processing activities.
- Do not use the results to make automated decisions for individual cases (e.g. using AI to sort out applications). According to the GDPR, decisions with legal effect must be reviewed by humans.
You should also keep the following in mind:
- It is not just personal data which is protected – other data can be sensitive too, such as business or trade secrets.
- Check the results and statements you receive from the AI: as you have probably already heard, they are not always correct in terms of content.
Summary: If artificial intelligence is to be used, do not give it any personal data. If this is not possible, the usual data protection requirements must be complied with.
Feel free to involve fox-on if you are planning or implementing AI projects.
We are monitoring the topic with interest and will inform you if there are any changes to the legal framework.