15 guidelines for companies using large language model chatbots

Key recommendations include specifying internal directives, involving data protection officers, securing authentication, refraining from personal data input and output, offering opt-out options, ensuring human involvement in legal decisions, and staying updated on evolving regulations, particularly the EU's upcoming AI Regulation.


AI Checklist for Companies

The emergence of generative AI, particularly in the form of chatbots like ChatGPT, Luminous, and Bard, presents an efficient means of content creation. While these tools have become integral in many institutions, their usage often lacks clear guidelines. Operating these large language models (LLMs) in a cloud environment poses significant data protection risks. Confidentiality and personal data are jeopardized in shared cloud-based LLM models, where inputs contribute to further model training and can thereby expose business secrets and personal information. The checklist below serves as a guide for organizations to ensure data protection-compliant use of chatbots.

15 Aspects for Controlled Use of LLM Chatbots:

  • Specify Compliance Regulations: Clearly define and document internal directives on the conditions and scenarios for using AI tools.
  • Involve Data Protection Officers: Engage internal data protection officers in creating directives and conducting data protection impact assessments.
  • Provision of a Functional Account: Provide professional chatbot accounts to prevent the creation of profiles using private data. Work accounts should ideally avoid individual employee names.
  • Secure Authentication: Implement strong passwords and additional authentication factors to prevent unauthorized access and potential abuse.
  • Do Not Enter Personal Data: Refrain from transmitting personal data to AI models, as the providers' terms and conditions restrict this.
  • No Output of Personal Data: Ensure AI application results do not contain personal data, by limiting inputs to cases that do not concern identifiable individuals.
  • Caution with Personal Data: Avoid entries that might be related to specific persons, considering the risk of drawing conclusions from the context.
  • Opt-out of AI Training: Allow users to reject the use of their data for AI training purposes, if the service permits.
  • Opt-out of the History: Disable saving previous entries to avoid linking individual entries, especially in shared environments.
  • Check Results for Correctness: Verify the accuracy of AI-generated results, as models may include outdated or incorrect information.
  • Check Results for Discrimination: Assess AI results for discriminatory effects, ensuring compliance with legal frameworks.
  • No Automated Final Decision: Decisions with legal consequences should be made by humans to comply with GDPR requirements.
  • Sensitize Employees: Provide training, guidelines, and discussions to raise awareness among employees about the permissible use of AI tools.
  • Data Protection is Not Everything: Consider other aspects, such as copyright and trade secret protection, in addition to personal data protection.
  • Follow Further Developments: Stay informed about evolving regulations at the EU level, as the future AI Regulation may impact providers and users of such services.

Additionally, ongoing reviews are essential, considering technical advancements and updates to language models, while data protection authorities scrutinize the legality of existing language models in test cases.
