Dutch DPA sends out warning: ‘use of AI chatbots could lead to data breaches’
De Autoriteit Persoonsgegevens, the data protection authority (DPA) in the Netherlands, has recently received multiple reports of data breaches because employees shared personal information of patients or customers with a chatbot that uses artificial intelligence (AI).
When employees hand over personal information to AI-driven chatbots, the companies behind those chatbots can gain unauthorized access to that information.
The Dutch DPA has noticed that many people in the workplace use digital assistants like ChatGPT or Copilot, for instance to answer questions from customers or to summarize large files.
AI-driven applications surely save time and make employees' work easier and more efficient, but they also come with major risks.
If an employee enters personal information into a chatbot without permission, this means there’s a data breach. Even if the use of a chatbot is part of a company’s policy, it’s often not permitted by law. Organizations need to prevent both scenarios.
“Most companies behind the chatbots store all data entered. As a result, these data end up on the servers of those tech companies, often without the person who entered the data realizing and without that person knowing exactly what that company will do with that data. Moreover, the person whose data it concerns will not know either,” the regulator warns in a press release.
In one case, a general practitioner (GP) entered medical data of his patients into an AI chatbot. Sharing such sensitive data with a company that develops AI tools is a major violation of the privacy of the people concerned.
Therefore, the Dutch DPA wants to remind companies to make clear arrangements with their employees about the use of AI chatbots. If organizations allow their employees to use AI chatbots, they have to document what information employees are allowed to enter and what they are not. Another option is to arrange which data the company that provides the chatbot will not store.
Should an employee accidentally leak personal information to an AI chatbot, the company is obligated by law to report this as a data breach to the DPA.