ChatGPT and Data Protection: This enables GDPR-compliant use in the company

ChatGPT and Data Protection: This is how the GDPR-compliant use in the company

Introduction: The growing importance of AI chatbots

Artificial intelligence, especially in the form of advanced language models such as ChatGPT, revolutionizes the way companies work. From the automation of customer service to the creation of content to support in [software development](/services/software development) – the possibilities of use are diverse and promise considerable efficiency increases.

However, with the growing enthusiasm for these technologies, critical issues are also focussed, especially on data protection. The legal implementation of AI solutions is a key challenge for companies within the scope of the General Data Protection Regulation (GDPR).

The concern about data protection violations and the uncertain legal situation lead to restraint in many decision-makers.

The legal grey area: ChatGPT and the GDPR

The use of ChatGPT in its standard configuration is in a voltage ratio to several core principles of the GDPR. A main conflict point is the principle of data minimisation, which states that only the personal data necessary for the purpose of processing may be collected.

ChatGPT, on the other hand, has been trained and processed with huge amounts of data without the user having full control of which data is stored and used accurately.

The transparency obligations of the GDPR are also difficult to fulfill because the exact functioning of the algorithms and the data flows for the end user are hardly understandable.

OpenAI, the company behind ChatGPT, has responded to these concerns and now offers a data processing addendum (DPA). This document is an important building block for GDPR compliance, but does not solve all problems.

In particular when using the free version of ChatGPT, conversations are used for training the model, which represents a processing of personal data for a purpose that is not clearly defined.

Risks when using ChatGPT in the company

The unconsidered input of sensitive information represents the greatest risk. As soon as personal data from customers, employees or confidential business secrets are entered into the chat window, they will withdraw from the company's control.

This can have far-reaching consequences, from data protection violations with high fines to the loss of intellectual property. Another, often overlooked risk arises from the fact that OpenAI is an American company and is therefore subject to laws such as the CLOUD Act.

Under certain circumstances, this allows US authorities to access data stored by US companies even if the servers are located in Europe.

Solutions for the Datansc

References and further reading

The following independent references complement the topics in this article:

• Bitkom – German digital industry association
• German Federal Office for Information Security (BSI)
• European Commission – Digital strategy
• MDN Web Docs (Mozilla)
• W3C – World Wide Web Consortium

> "Mobile apps need clear offline and security models alongside UX—trust collapses without both." > > — Björn Groenewold, Managing Director, Groenewold IT Solutions

<!-- v87-geo-append -->