Many businesses are using artificial intelligence (AI) in some form in order to create business efficiencies. Some businesses use generative AI for copywriting, software writing, or employ Chatbots. These programmes work by being ‘trained’ by the inputting of large amounts of data. Other AI in use includes tools to summarise data or to perform analysis. Some businesses use off-the shelf AI tools and others augment the tools with their own specific datasets.

The datasets being fed to train the AI tool has the potential to process personal data. This may create data protection risks for the business. If a business is developing or augmenting an AI tool, it must remain conscious of where the datasets are coming from and whether the processing is compliant with data protection laws.

Generated content may contain personal data. If a business is processing or retaining this data, it must be conscious of its role as a data processer or controller. The rules around the bases of processing personal data remain the same for AI generated data regardless of whether the data is freely available online.

It is vital that personal data is gathered fairly and within the law, and that Data Processing Impact Assessments (DPIA) are carried out in respect of projects or activities that involve significant data processing.

Any automated decision making in relation to an individual is highly risky. In relation to using AI as a basis for human decision-making, particular caution applies where AI is used to monitor data subjects or where individuals are tracked on the internet leading to potential profiling or decision-making in relation to individuals. It is important to note that AI tools that have been improperly trained may cause bias that could lead to decisions that impact people’s rights.

Before you begin using an AI tool, you should understand how it works and what personal data is involved. Investigate what personal data will be inputted and how it will be treated by third parties. If necessary, conduct a DPIA to establish how to best minimise risks of a data breach or incorrect treatment of personal data. Processes should be established to facilitate the exercise of rights by affected individuals; ensure you can delete or correct records and comply with a data subject access request.

The above is intended for information purposes only. It is not legal advice. If you would like to discuss a DPIA or data protection audit for your business or any aspect of compliance, please contact Fitzsimons Redmond LLP on 01-6763257 or by email at law@fitzsimonsredmond.ie.

By Lisa Quinn O’Flaherty

Partner at Fitzsimons Redmond LLP