norm. data protection bulletin: 1 May 2023

ChatGPT, Artificial Intelligence and data protection/privacy

ChatGPT, an artificial intelligence (AI) chatbot launched in November 2022 by OpenAI, reached 100 million active users in January 2023. In March 2023, OpenAI launched GPT-4, the latest version of ChatGPT.

ChatGPT requires large amounts of data to function and improve, much of it personal data. (OpenAI is alleged to have used 300 billion words taken from internet-based sites.)

Some privacy regulators have already started investigations into OpenAI and how personal data has been handled:

  • The Italian data-protection regulator has banned the use of ChatGPT and announced that it will start an official investigation into OpenAI and whether it had complied with the GDPR.
  • The German commissioner for data protection has announced that Germany may follow Italy’s ban and investigation.
  • The Canadian federal privacy commissioner has already launched an investigation into OpenAI’s collection and use of personal data.

In the UK, the ICO has published AI guidance. Separately, on 29 March 2023, the UK government published its white paper on its “pro-innovation approach to AI regulation”, launching a public consultation with responses to be submitted by 21 June 2023.

There are also ethical considerations to be contended with: such technologies may inherit biases present in their underlying datasets, and subsequent decisions made using AI tools may result in discrimination against certain groups.

What you should do

Organisations keen to adopt AI-based technologies to help increase efficiency should be aware that where such technologies involve the processing of personal data, data protection laws need to be considered and complied with. Lack of transparency is a big concern. You should ensure, among other things, that you have a legal basis to process personal data, that you carry out DPIAs, and that you comply with your obligations in relation to transparency, security and purpose limitation.

UK cyber security breach survey 2023

The latest Cyber Security Breaches Survey, conducted by the UK government as part of its National Cyber Strategy, has been released.

Here are some key insights from the survey:

  • 69% of large organisations and 32% of smaller firms experienced a breach and/or cyber-attack.
  • 68% of victims say that they had a fraudulent loss of money resulting from a phishing attack.
  • The percentage of micro businesses that consider cyber security to be a top priority has dropped from 80% in 2022 to 68% in the current year.
  • Only 30% of businesses (and a similar proportion of charities, 31%) have board members or trustees taking explicit responsibility for cyber security as part of their job.
  • 11% of businesses and 8% of charities have been the victim of at least one cyber-crime in the last 12 months.
  • It’s estimated that UK businesses have experienced around 2.39 million cyber-crimes of all types and 70,000 non-phishing cyber-crimes in the last 12 months.
  • The mean cost of businesses experiencing any cyber-crime other than phishing was £20,900.

What you should do

This survey highlights various areas where organisations of all sizes can potentially improve their approaches and become more resilient to cyber-attacks. The findings show the impact of good, ongoing communication between those in technical cyber or IT roles, wider staff and management boards.

For the first time, the majority of large businesses report taking actions to review cyber risks from their suppliers. However, this kind of activity is much less common in SMEs, where organisations still lack awareness of supply chain risks. These findings suggest that information and guidance, pressure from clients and feedback from auditors can all encourage organisations to review this area, and to put more formal processes in place.

Formal incident response plans are relatively rare. Most organisations claim they would take a range of actions to manage a cyber incident, but these actions tend not to be documented. And while directors or trustees are likely to be informed of cyber incidents, they may lack the training to know what their roles should be in these circumstances.

Get norm.’s data protection bulletin direct to your inbox

norm. tracks and monitors the latest data protection developments and collates these into a monthly data protection bulletin.