Introduction
You will have been living under a rock or 100% off-grid if you weren’t aware of the rise and rise of AI. It’s pretty impressive what AI models like ChatGPT can do, and it’s also clear governments and regulators are all scrabbling to keep it under control, with concerns ranging from the end of the world to its usage and its abilities moving too fast.
Personally, I believe AI has its place and uses in our personal lives as well as for businesses, but it has to be used with a very big caveat: how will you make sure it’s correct in what it’s telling you? For example, if you use AI to keep a transcription and summary of a video call you have attended, are you sure it’s documented it correctly? Are you happy that it’s understood the salient points from the meeting and summarised all the actions?
This article therefore looks at this, but from a personal data, GDPR perspective.
AI and GDPR
GDPR’s impact on AI occurs when AI is used to process personal data for businesses. Now remember, any identifying information will be personal data and covered by GDPR and, depending on the nature of the information, other aspects of the data may be that individual’s personal data as well. This means even if you’re not discussing an individual at a meeting, the fact that the attendees all have names means personal data is processed by an AI meeting note taker, transcriber, etc.
This means businesses have to think about the impact GDPR will have on their intended use of AI in all scenarios. This isn’t without its challenges – as well as accuracy, AI tools are the new shiny tool that everyone wants to use, without perhaps remembering that if the AI model is processing personal data, it’s a data processor, and therefore GDPR compliance due diligence is needed along with a data processing contract (Article 28 of GDPR). Couple that with the possibility that the personal data may be used to train the AI engines, and that some AI providers just say you’re not to use it for processing personal data or aren’t necessarily transparent about how they process data, and use of AI is not without its challenges. And of course, there is the internal pressure to be more efficient and the fact that these tools will save time and money. This all often leads to questions about whether GDPR is a barrier – it doesn’t have to be; you just need to make sure you’re implementing AI in a GDPR-compliant way.
The problem with accuracy and AI
So, if you use AI to process personal data, either by providing the model with personal data or asking it about someone, you are processing personal data. But the results are only as good as what the AI model knows, and this will vary depending on whether you’re using free AI or a paid version, whether it’s integrated into a specific tool (where it is about helping you with that tool, not necessarily wider application), and what data it was trained on.
The GDPR right to accuracy requires that an individual has a right to have their personal data updated or corrected, for example, if the data you hold on them is out of date and in some cases just wrong.
I thought I’d look into this a bit more, particularly with ongoing issues with so-called AI hallucinations, where an AI system generates information which is incorrect or misleading, but is presented in a way that could seem plausible.
Using a number of different AI models, I asked questions mainly about GDPR compliance, and on the whole, they got most of it right, but I did discover that I couldn’t necessarily trust the output I was getting. For example, I asked if a particular SaaS provider was GDPR compliant and had all the required Article 28 GDPR clauses in their DPA. It presented its response in a way that was useful, stating clearly that it was compliant, but I spotted (having already “manually” carried out due diligence on the supplier) that it hadn’t picked up a required clause that was missing from the DPA. When I challenged this, it said I was right and therefore the supplier wasn’t compliant after all, and it adjusted its compliance report accordingly. All good, you might think, but it didn’t remember this when I started a new chat, so nothing I had corrected it on had been “remembered”, which means I can’t trust the AI models to give me accurate data processor due diligence checks in the future.
I then asked it about individuals and picked my wife as the subject of my investigations. I asked AI what it could tell me about her, and it came back with a detailed summary about her activities in the local community – all good, but she hasn’t done those activities for well over 3 years. I pointed this out and it just repeated all that it knew. I asked how she could correct its output, and it suggested getting her to update her online profiles and maybe contacting the AI provider. I didn’t take it up on the last suggestion, but it does highlight the fact that AI only knows what it knows and maybe shouldn’t be relied on as correct and, unlike a Google search, you’re not presented with a raft of information which you can then make your own mind up about.
Now my wife’s online profile as reported by AI was not an AI hallucination. Plus, in the scale of things, what was wrong, and not being able to tell AI otherwise, is minor, but imagine if AI reported something which was factually and significantly incorrect or out of date?
Take the case that NOYB (None of Your Business – a privacy organisation which works to enforce data protection laws) has taken up about a Norwegian, who for some reason ChatGPT suggested was a murderer, having made up a fake story about him. You can read more about this here: https://noyb.eu/en/ai-hallucinations-chatgpt-created-fake-child-murderer
So, what does this all mean for you?
If you’re using AI for research about an individual, can you be sure the AI response is correct – are you sure you can rely on AI to get it right every time?
So, for example, if you’re using AI to transcribe HR-related meetings, or asking it to process a spreadsheet of individuals’ data, remember (a) the AI model is a data processor and you have GDPR obligations; (b) you need to be confident that what AI is telling you is the real truth, or indeed up to date; (c) you will need to be able to allow an individual to correct any inaccuracies about the information you hold about them (AI generated or otherwise).
Over to you – how are you relying on AI in your business? How are you ensuring you’re getting accurate results?