Generative artificial intelligence (AI) tools can offer business benefits — but at what cost? Whilst the latest crop of AI tools helps to save time and resources, is your business at risk of a security breach?
AI tools like ChatGPT and Grammarly are basically apps. And just like any other app can be compromised by threat actors. There is a suggestion, therefore, that generative AI tools could provide a gateway for hackers to compromise your business network.
A data breach, of course, would violate data protection laws. And a data breach doesn’t often end well for small businesses. Reports reveal that over 60% of businesses fail after being infiltrated by hackers.
However, traditional hacks are not the only concern business owners should have around AI tools. The greater threat is internal. Employees could misuse these tools and inadvertently share data with third parties.
Kaspersky recently published an article explaining that C-suite executives are becoming increasingly concerned about generative AI tools. However, the cybercrime protection outfit was quick to allay fears about AI being a security risk in relation to hackers. Outdated servers and endpoints are a bigger threat.
However, the firm does note that AI tools like ChatGPT could still land you in hot water with the Information Commissioner’s Office under the auspices of GDPR.
If your staff use AI tools, your business could be sharing sensitive data or intellectual property without the consent of the property owner. This, of course, would violate the UK’s data protection laws.
What are Generative AI Tools?
Generative AI tools are a class of artificial intelligence applications that focus on generating content or data, often in a creative or human-like manner.
The latest tools are powered by large datasets and complex neural network architectures and natural language processing, to produce text, images, music, and other forms of content.
Unsurprisingly, these tools have gained popularity in various fields due to their ability to automate creative and content-generation tasks. Some examples of how businesses are benefitting from generative AI tools include:
- generating synthetic datasets for research, testing, and training machine learning models
- creating personalised recommendations, product suggestions, and marketing messages tailored to individual user preferences
- chatbots and virtual assistants
- data analysis by generating insights, summaries, and reports from large datasets across a wide range of domains, from healthcare and finance to marketing and entertainment
However, because they learn patterns, styles, and structures from existing datasets and then use this knowledge to generate new content, they pose two potential ethical issues; data protection violations and copyright concerns.
How Might AI Tools Violate GDPR?
Data sharing under GDPR is classed as disclosing personal data to third parties outside your organisation. It can also cover the sharing of personal data between different parts of your own organisation, or other organisations within the same group or under the same parent company.
AI tools can potentially violate data protection laws like the General Data Protection Regulation (GDPR) in several ways if not used or designed with due care and consideration for privacy.
In the first instance, GDPR requires that individuals provide informed and explicit consent for their data to be shared and processed by third parties. You can get around this by including a clause in your privacy policy or terms of use warning customers that you use AI tools and may share data with third parties.
If AI tools collect and process personal data without proper consent, it’s a violation of GDPR. This includes situations where users’ data is used for training AI models without their knowledge or consent.
The second consideration with data sharing is that businesses have an obligation to limit the amount of data you share with a third party. Some AI tools might collect more data than is necessary for their intended purpose. GDPR mandates that data collection be proportionate to the stated purpose.
That would mean that proper consent — even granted in a privacy policy (that nobody ever reads anyway — will not be adequate enough to satisfy the ICO that you have done everything within your power to protect the data of your stakeholders.
Moreover, GDPR emphasises transparency in data processing. If AI algorithms operate as “black boxes” with no clear explanations of how they process data and make decisions, it can be difficult to demonstrate compliance with GDPR’s transparency requirements.
GDPR also places specific restrictions on automated profiling, especially when it has significant effects on individuals. AI tools that create profiles without appropriate safeguards or offer individuals the right to object to profiling may violate GDPR.
Profiling that involves sensitive personal information, such as race, religion, age, health, or political beliefs, can be subject to legal restrictions or require explicit consent from individuals.
Ethical and legal considerations require obtaining informed consent from individuals before engaging in customer profiling, especially if it involves the use of sensitive data. Customers should be aware of how their data is being used and have the option to opt-out.
On a broader scale, GDPR grants individuals the “right to be forgotten,” which means they can request the deletion of their personal data. If you receive an RTBF request, you will also be obligated to inform the proprietors of the AI tools to effectively erase personal data from their records.
Concerns have also been raised about how accurately generative AI processes data. If AI algorithms process personal data inaccurately or a client makes a decision based on inaccurate information, it can result in legal violations under GDPR.
Inaccurate data processing can also throw up issues that lead to discriminatory outcomes, especially in areas such as employment or lending. This may also be deemed as a violation of anti-discrimination laws within GDPR.
To avoid violating GDPR, businesses must implement robust data protection measures, conduct impact assessments for high-risk AI applications, ensure informed consent, and establish clear policies and procedures for data handling.
Compliance with GDPR is essential, and organisations should incorporate privacy and data protection considerations into their AI strategy and development processes. Additionally, organisations should stay informed about the evolving regulatory landscape and adapt their practices accordingly.
How Might Generative AI-Tools Violate Copyright Laws
Although AI manufacturers won’t admit it, generative AI tools can potentially violate copyright laws such as authorship, infringement, and fair use. It’s important to use these tools with care and within the bounds of legal and ethical guidelines.
Because AI tools generate content that closely resembles existing copyrighted works, including text, images, music, or videos they can potentially produce content that resembles and replicates the intellectual property of other content creators.
As a result, businesses that are using these tools for creating content and other intellectual property should exercise quality controls that make sure you avoid infringing on the copyright holder’s rights.
If a generative AI tool is trained on copyrighted material and produces content that reproduces or replicates that material — ChatGPT being a prime example — it could infringe upon the copyright owner’s exclusive rights to reproduce their work.
The owners of these tools admit that AI-generated content is based on works in the public domain but is created through fair use. However fair use is a slippery slope and exceptions may still raise copyright concerns if it does not meet the criteria for these exceptions.
This is particularly the case if you use AI for commercial purposes, such as in marketing, advertising, or product sales. There is a higher risk of AI tools leading to copyright infringement issues if they incorporate copyrighted material without proper authorisation.
In addition, replicating work that is already in the public domain also calls into question a lack of originality. This poses a problem on two counts which could harm your chances of building your business.
A lack of originality merely regurgitates existing content other similar businesses are probably publishing. This won’t help you stand out from the crowd and attract new customers. It probably won’t serve your SEO goals either.
Mitigating The Risks of Generative AI Tools
There is no doubt that businesses have to be careful when using generative AI tools. The dangers of misuse should also be communicated to the employees who take advantage of these tools.
Make sure your employees understand that sharing or distributing AI-generated content could violate data protection laws or infringe on copyright which could lead to legal liability, especially if the data or content is shared without the permission of the owner.
To mitigate the risk of data protection and copyright violations when using generative AI tools, we recommend implementing best practices which combine legal compliance, ethical considerations, and technical safeguards.
Best Practices For GDPR Compliance:
Minimise AI-Generated Data
Implement robust data control measures to protect sensitive data from breaches or unauthorised data sharing. These guidelines should include strict rules of when employees can and cannot use AI tools to streamline tasks, and which data can or cannot be included.
Minimise Data Collection
Only collect and use personal data that is strictly necessary for the intended purpose. Avoid excessive data collection.
Appoint a Data Protection Controller
The ICO says businesses must appoint a Data Protection Officer (DPO) who is responsible for ensuring that data protection laws under GDPR are not violated. Establish procedures for handling data breaches, complaints, and data access requests.
Obtain Informed Consent
Obtain explicit and informed consent from individuals before processing their personal data. Clearly communicate how the data will be used. Be transparent about how AI tools process personal data. Provide clear privacy policies and explain data processing procedures.
Data Retention Policies
Define and adhere to data retention policies to ensure that personal data is not retained longer than necessary. Ensure that individuals can exercise their GDPR rights, including the right to access, rectify, or delete their personal data.
Create Profiling Impact Assessments
Conduct Data Protection Impact Assessments (DPIAs) for high-risk AI applications that involve profiling or processing sensitive data.
Cross-Border Data Transfer
When transferring data outside the European Economic Area, implement safeguards such as Standard Contractual Clauses or Binding Corporate Rules.
Regular Audits
Periodically audit AI tools to ensure they remain compliant with GDPR. Update privacy policies and practices as needed.
Best Practices For Copyright Law Compliance:
Promote Originality and Attribution
Ensure that AI-generated content is sufficiently original and does not closely resemble copyrighted works. Encourage content creators to use AI-powered content for research and inspiration purposes only.
Public Domain and Fair Use
Make sure your employees understand how public domain works and fair use exceptions can violate copyright law. When generating content based on copyrighted material, ensure it falls within these legal exceptions.
If you’re uncertain of how you can potentially violate copyright laws, consult legal experts who specialise in copyright law to assess the legality of AI-generated content and understand the specific copyright regulations applicable in your jurisdiction.
To be on the safe side, use public domain or properly licensed content to avoid infringing on copyright laws.
There may be occasions when you will need to seek permission from copyright holders or license the necessary rights when using AI-generated content for commercial purposes or public distribution.
Perform Plagiarism Checks
Before publishing AI-generated content, conduct plagiarism checks to verify that AI-generated content is not derived from copyrighted sources without proper authorisation. Continuously monitor AI-generated content and review it for any potential copyright violations or issues.
Closing Remarks
AI-generated content and copyright law are evolving areas, and it’s important to stay informed about legal developments and best practices. Complying with copyright laws not only helps you avoid legal troubles but also promotes ethical content creation and respect for the rights of content creators.
By implementing these strategies, UK companies can reduce the risk of GDPR and copyright law violations while leveraging AI tools for various applications. Compliance with these regulations not only mitigates legal risks but also upholds ethical standards and protects the rights and privacy of individuals and content creators.