15 guidelines for companies using large language model chatbots

AI Checklist for Companies

The emergence of generative AI, particularly in the form of chatbots like ChatGPT, Luminous, and Bard, presents an efficient means of content creation. While these tools have become integral in many institutions, their usage often lacks clear guidelines. Operating these large language models (LLMs) in a cloud environment poses significant data protection risks. Confidentiality and personal data are jeopardized due to shared cloud- based LLM models, where inputs contribute to further model training, potentially exposing business secrets and personal information. The checklist below serves as a guide for organizations to ensure data protection-compliant use of chatbots.

15 Aspects for Controlled Use of LLM Chatbots:

• Specify Compliance Regulations: Clearly define and document internal directives on the conditions and scenarios for using AI tools.
• Involve Data Protection Officers: Engage internal data protection officers in creating directives and conducting data protection impact assessments.
• Provision of a Functional Account: Provide professional chatbot accounts to prevent the creation of profiles using private data. Work accounts should ideally avoid individual employee names.
• Secure Authentication: Implement strong passwords and additional authentication factors to prevent unauthorized access and potential abuse.
• Do Not Enter Personal Data: Refrain from transmitting personal data to AI models based on terms and conditions restrictions.
• No Output of Personal Data: Ensure AI application results do not contain personal data, limiting inputs to non-individual cases.
• Caution with Personal Data: Avoid entries that might be related to specific persons, considering the risk of drawing conclusions from the context.
• Opt-out of AI Training: Allow users to reject the use of their data for AI training purposes, if the service permits.
• Opt-out of the History: Disable saving previous entries to avoid linking individual entries, especially in shared environments.
• Check Results for Correctness: Verify the accuracy of AI-generated results, as models may include outdated or incorrect information.
• Check Results for Discrimination: Assess AI results for discriminatory effects, ensuring compliance with legal frameworks.
• No Automated Final Decision: Decisions with legal consequences should be made by humans to comply with GDPR requirements.
• Sensitize Employees: Provide training, guidelines, and discussions to raise awareness among employees about the permissible use of AI tools.
• Data Protection is Not Everything: Consider other aspects, such as copyright and trade secret protection, in addition to personal data protection.
• Follow Further Developments: Stay informed about evolving regulations at the EU level, as the future AI Regulation may impact providers and users of such services.

Additionally, ongoing reviews are essential, considering technical advancements and updates to language models, while data protection authorities scrutinize the legality of existing language models in test cases.