Diane Pearce

Senior Associate Solicitor

DATE PUBLISHED: 08 Aug 2023 LAST UPDATED: 24 Jan 2024

What risks does Chat GPT pose to your business?

It has recently been reported in the media that more and more businesses are using AI (artificial intelligence) and specifically Chat GPT to assist them in their businesses. Some are using it to deliver services quickly to their clients, such as content marketing or customer services, and therefore see it as a useful piece of software which is hugely beneficial to them.

There is no doubt that AI can be a huge asset, but as the software relies on so much data, is it too big a risk for businesses?

In the US recently, two lawyers received a joint fine of $5,000 (£3,926) for using Chat GPT to conduct legal research which was wrongly used in Court papers and involved fake cases. This example demonstrates how businesses may rely on technology which is not fully reliable and causes repercussions further down the line. 

Whilst the US example shows the risk to businesses from misusing this technology and relying on it without checking facts and information, the greatest downside is that the use of this software has also been criticised for not complying with data protection laws.

Chat GPT relies upon huge amounts of data from a very wide range of sources, reading text scraped from all corners of the internet, and therefore personal data could well have been swept up in this process. 

We want to explore this idea further to help you feel informed about the risks before deciding whether to integrate these types of software into your everyday business operations.

What legislation would apply?

The UK data protection laws are still embedded within the EU GDPR, so this is the main data protection law which applies to businesses in the UK. The UK GDPR and the Data Protection Act 2018 are the main pieces of legislation which would be relevant to AI and Chat GPT, but other privacy laws would also be applicable.

Within the European Union, data protection authorities have reacted to the use of Chat GPT and have set up task forces or suspended services, pending investigations into compliance. 

Italy’s Garante is of the opinion that Chat GPT doesn’t limit age, so children under the age of 13 could use the software; that it can also provide inaccurate information about people (see the US case study above); and that the lawful basis for data collection has not been determined, and possibly there is no lawful basis to rely upon where massive sets of data have been collated. The ban was lifted by the Garante but many countries’ data protection authorities are investigating the Chat GPT platform.

Those authorities have put specific questions relating to data protection to OpenAI, which is behind Chat GPT.

It is therefore impossible to say whether Chat GPT complies with UK data protection laws or not, although the ICO has provided some further information and guidance. Each organisation will have to consider the impact individually depending on how the software is being used and for what purpose. 

What should businesses do?

If personal data is being processed in the use of Chat GPT then it is recommended that you consider the following:

  • What legal basis are you relying on?
  • What role do you have? Are you a controller, processor, sub-processor or joint controller?
  • Have you carried out a data protection impact assessment?
  • Ensure you have complied with your requirements with regards to transparency, security and purpose limitation.
  • How will you mitigate security risks?
  • Will you use Chat GPT to make automated decisions? If so, consider the requirements of Article 22 of GDPR.

You therefore need to think about third parties and data sharing and how this might impact your business. Do your data protection policies cover this and give you the rights to share any data with Chat GPT?

In conclusion…

The jury is very much out on the laws on the use of the Chat GPT platform and its implementation into everyday life and businesses. 

We can offer you assistance on carrying out the relevant data protection impact assessments and ensuring your policies and processes are updated to reflect the use of Chat GPT.

We are also closely monitoring any further developments or guidance that may be issued around the use of Chat GPT and will provide such updates as and when necessary.

Get in touch with a member of the team for more information and to find out how we can help you and your business.
