Generative AI: Data Privacy, Compliance, and Security

In one of our previous posts we discussed the concept of Generative AI and looked closely at two of the prominent ones that there are with points to consider in making a choice between either of them, the guides are also applicable to choosing from the very many other Gen AI tools accessible. This post introduces you to what you should know about data privacy, security, and regulatory compliance, with regards to the deployment of the generative AI tools. We recommend that you take a moment to read our previous post: “Exploring AI Tools: What’s with ChatGPT and Microsoft Copilot”, it provides a subtle background knowledge to how Generative AI works.

Generative Artificial Intelligence

Artificial intelligence (AI) became more prominent in 2023 with the development of AI-powered tools and software intended to assist users in performing tasks in less time than would have been normally required, and more efficiently amplify human abilities, drive innovations, and enhance individual and organizational productivity. The corporate world has witnessed heightened efforts to incorporate generative AI into Software as a Service (SaaS) product portfolios (Telliswall, 2024). Generative AI, subsets of AI, are technologies able to produce new data drawing from contents with which they have been trained. The possibilities inherent in the use of generative AI notwithstanding, it has become important to address emerging concerns capable of impacting how these tools are used and the consequences. The use of generative AI-based services bears with it some responsibilities of understanding how the information inputted into the tools are processed, shared, used and stored, bearing in mind the ethical deployment of the technologies to prevent privacy violation, bias amplification and misinformation.

By 2025, generative AI is projected to account for 10% of all data produced, up from less than 1% in 2021 (Gartner, 2021). Hence, generative AI service providers owe it as a sense of duty to create appropriate safety measures that assure of user and consumer privacy, compliance with regulatory standards, and a non-compromising secured application of the models.

Identifying and Navigating Generative AI Usage Concerns

Asides the “wow-effect” of using generative AI, there are also rising concerns that threaten this cause. A major challenge with generative AI is privacy violation given that many of the models are not trained with privacy-inclined algorithms which exposes them to risks and attacks. Since AI models generate data based on the myriad of information obtained from multiple sources with which they have been trained, it becomes crucial that the training data do not contain sensitive information, some of which may include Personally Identifiable Information (PII) accessed without consent. For instance, Large Language Models (LLMs) are developed with the ability to memorize and associate data, even sensitive data, which may be accidentally released, transferred and used for unscrupulous intents such as in the case of an exfiltration attack. Furthermore, the uniqueness and predictability of these generative AI also make it possible for certain prompts to generate information more than is required often including sensitive data resulting in new malware that target sensitive data (Baig, 2024). Recall that in 2023, certain ChatGPT users had complained of having other users’ chat histories appear in their accounts with a counter-report that only the titles of the other users’ chat histories rather than the full details appeared (BBC News, 2023). While this glitch stirred up concern of privacy violation, it is interesting to note that the privacy policy for OpenAI does states that it can share “aggregated information like general user statistics with third parties, publish such aggregated information or make such aggregated information generally available” (OpenAI, 2023), however ambiguous as this may present, it portends a slim gap between policy implementation and data privacy violation.

Consequently, there is the need to establish privacy-by-design principles such as effective data anonymization measures to remove identifiable personally data so that AI models can operate without memorizing and associating specific information with certain users (Kisluk, 2024). Likewise, strong protection strategies should be implemented, and the data with which AI models are trained must be obtained with informed consent.

Another concern with the use of these tools is that of security breach. Generative AI’s ability to process a vast amount of data and potentially expose sensitive data has assumed a security threat to data subjects. In addressing this challenge, individuals must be aware of their data privacy rights, be able to assert same and also be given the choice to opt-out at will. Kisluk (2024) also recommends that a strong access control be established to manage and restrict data access within the generative AI system to only authorized personnel and for authorized purposes. Furthermore, regular review of access logs should be conducted to sanitize data repository, identify and respond to potential risks.

A similar crucial requirement for the viable deployment of generative AI models is the need for strict compliance with established and evolving regulatory standards that govern the operation and use of generative AI solutions to avoid legal liabilities. Ensuring compliance with relevant data protection and privacy regulations is pertinent to the ethical and legal deployment of generative AI systems (IT Convergence, 2023). Compliance with regulations like the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission (FTC) law on reducing bias and enhancing transparency in AI, and the world’s first comprehensive AI law, the “EU AI Act” which proffers that AI systems used in the region are “safe, transparent, traceable, non-discriminatory and environmentally friendly. And that AI systems should be overseen by people, rather than by automation, to prevent harmful outcomes” (European Parliament, 2023). These regulations presents the importance of obtaining user consent, enabling users’ rights regarding their data, providing transparent information about data usage, and ensuring data security (Antonipillai, 2023). Businesses are fast realizing that prioritizing strong privacy regulation improves consumer confidence and trust in the organizations with whom they choose to share their data (Cisco, 2024).

Tips to Help with Maintaining Privacy Control, Compliance and Security

Keating and Waymouth (2024) opine that organizations can develop a generative AI governance strategy or policy that guides the use of generative AI, such as a cloud access security broker (CASB) control such that generative AI users are redirected to an AI policy which they have to read and accept before they can further access the AI tools. This will ensure a responsible use of the models, help users recognize and navigate the risks associated with deploying generative AI, guide cloud usage across devices and cloud-based applications, and also ensure regulatory compliance and data protection. Additionally, organizations can ban the use of certain applications or opt for paid versions for enhanced privacy and security features.

In addition, users must be trained and re-trained on a people-centric approach and privacy-conscious culture of responsible and ethical use of generative AI models in such a way as to enforce compliance, data privacy protection and security.

What’s more, periodic audits and testing should be conducted to ensure that security measures such as encryption, efficient data management and access control, align with privacy regulations, security frameworks, ethical considerations, and industry best practices (Antonipillai, 2023). Likewise, building ethical guidelines into the development process will ensure an accountable use of AI while reducing the potential risks of generative AI technologies.

Furthermore, organizations should implement data retention and deletion policies, to ensure that data obtained is only deployed for intended purposes, only for as long as is necessary, and that they are securely deleted when the purposes have been served (Obi, 2023). Businesses can also conduct exhaustive Data Protection Impact Assessments (DPIAs) and AI System Impact Assessments (SIAs) to identify and mitigate potential risks before deploying these innovative technologies (Hogan and Goodbun, 2024).

Conclusion

Generative AI is the anticipated future that has come to stay. Understandably, it is a relatively novel innovation at its infancy stage, and with accompanying teething challenges, its viability lies largely in adherence to regulations encompassing data privacy, security, transparency, and respect for user rights. Organization and individuals can harness the potentials inherent in generative AI for productivity and growth while complying with regulatory and ethical standards and maintaining customers’ trust and confidentiality.

At Telliswall Inc., we understand how crucial Gen. AI solutions are to your productivity and we know more concisely how important it is to mitigate the emerging challenges peculiar to this terrain. We are also aware of the weight of responsibility implementing the measures discussed above may impose on your development and operations (DevOps) teams, this is the reason outsourcing your periodic GDPR-compliant generative AI solutions audit and testing, with the integration of a robust data privacy technique into your AI systems, to us is the best business decision that you can make so that you can focus on the other areas of your business.  We can also train your staff on all they need to know about generative AI, compliance, data privacy, security, and everything in between.

References

Antonipillai, J. (2023). The Intersection of Generative AI, Data Privacy, and GDPR: Unlocking Marketing Opportunities Responsibly           https://wirewheel.io/blog/the-intersection-of-generative-ai-data-privacy-and-gdpr-unlocking-marketing-opportunities-responsibly/

Baig, A. (2024). Navigating Generative AI Privacy: Challenges & Safeguarding Tips                                                                https://securiti.ai/generative-ai-privacy/

BBC News (2023). ChatGPT Bug Leaked Users’ Conversation Histories https://www.google.com/amp/s/www.bbc.com/news/technology-65047304.amp

Cisco (2024). Cisco 2024 Privacy Benchmark Study https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2024/m01/organizations-ban-use-of-generative-ai-over-data-privacy-security-cisco-study.html

European Parliament (2023). EU AI Act: First Regulation on Artificial Intelligence https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence

Gartner Inc. (2021). Gartner Identifies the Top Strategic Technology Trends for 2022. Explore Industry Trends at Gartner IT Symposium/Xpo 2021 Americas, October 18-21.          https://www.gartner.com/en/newsroom/press-releases/2021-10-18-gartner-identifies-the-top-strategic-technology-trends-for-2022#

Hogan, C. and Goodbun, M. (2024). International: Navigating Generative AI and Compliance                   https://www.dataguidance.com/opinion/international-navigating-generative-ai-and-compliance

Hyseni, V. (2023). Generative AI and Data Privacy    https://pecb.com/article/generative-ai-and-data-privacy

IT Convergence (2023). Data Security Considerations for Generative AI https://www.itconvergence.com/blog/data-security-considerations-for-generative-ai/

Keating, M. and Waymouth, S. (2024) Securing Generative AI: Data, Compliance, and Privacy Considerations  https://aws.amazon.com/blogs/security/securing-generative-ai-data-compliance-and-privacy-considerations/

Kisluk, S. (2024). Navigating Generative AI Data Privacy and Compliance https://thenewstack.io/navigating-generative-ai-data-privacy-and-compliance/

Obi, U. (2023). Generative AI and Data Privacy: Exploring the Cutting Edge https://businessday.ng/news/legal-business/article/generative-ai-and-data-privacy-exploring-the-cutting-edge/

OpenAI (2023). Privacy Policy                 https://openai.com/policies/privacy-policy/

Telliswall (2024). Exploring AI Tools: What’s with ChatGPT and Microsoft Copilot https://telliswall.org/exploring-ai-tools-whats-with-chatgpt-and-microsoft-copilot/

University of Illinois (2024). Privacy Considerations for Generative AI https://cybersecurity.illinois.edu/policies-governance/privacy-considerations-for-generative-ai/