Using Generative AI in your Business - How to Mitigate the Risks

Everybody is talking about it. Many are already using it (though they might not know it!). So what is it? Generative AI is a type of artificial intelligence that can be used to generate content like text, audio, images, video and more. Generative AI tools have to trawl through huge amounts of data to be “trained”. The product on everyone’s lips is ChatGPT but there are many others.

While Generative AI tools bring many exciting new opportunities their use is not without risk. Training an AI tool is usually achieved by scraping the web and other sources for data.

This can include personal data from social media accounts or elsewhere, taken without the data subjects’ knowledge or consent. The Italian Data Protection Regulator (the Garante) has been very vocal about ChatGPT in particular and has publicly stated that due to the way it was trained, it is in breach of the General Data Protection Regulation (GDPR). So it is possible, that a company using an AI tool that has been trained on personal data gathered illegally, could itself be sued by an aggrieved data subject.

Another risk concerns intellectual property rights. A Generative AI tool may have been trained by scraping copyright material without the owner’s permission. Getty Images is currently suing the US corporation Stability AI in the London High Court, claiming that it breached Getty Images’ copyright by using over 12 million of its pictures illegally to train the corporation’s AI tool.

Lastly, there is the risk of “fake news” - can the output from a Generative AI tool be trusted?  In 2023 a New York Law Firm was fined for using ChatGPT to create court pleadings to support its client’s claim for damages. When the proceedings came to court, it became apparent that none of the cases cited in the pleadings were real. The tool could not find any real cases that backed the claim, so it just made some up!

So how can companies enjoy the undoubted benefits of Generative AI tools, and minimise the risk at the same time?

Firstly, before putting any particular tool into use in its business, companies should ask the AI provider how the product was trained, so that they can make an informed risk assessment, as to whether using it could lead to a data protection or copyright claim. Before publishing any outputs from a Generative AI tool, it would be wise to have some human intervention and have it reviewed by a “real” person. If that is not possible then any publication should be heavily caveated with a disclaimer.

More generally, companies should consider introducing an AI policy for both the business and the staff. Typically, such a policy would set out the rules for both the procurement and deployment of AI tools and particularly Generative AI tools. Companies may elect to ban some tools completely; others may require various levels of sign-off. All staff should be required to read the policy, and some training may be mandatory. Staff should be obliged to report any incidents arising from the use of Generative AI tools (such as a data breach or other security incident for example).

The policy should introduce clear governance rules, setting out the person(s) responsible for deciding whether a particular Generative AI tool could be deployed and the type of information they would require to make an informed decision. There would also need to be clear reporting lines if an incident did occur. It should also make clear what the consequences are for breaching the policy and using Generative AI tools, without going through the proper procedures.

Such an AI policy would require constant review to make sure it remains relevant in respect of new legislation such as the EU AI Act which will shortly become law, but also with any changes in technology and new perceived threats.

For further information about the use of Generative AI tools or help with drafting an AI policy, contact Victor Timon, Partner and Head of the Technology Group at ByrneWallace LLP

vtimon@byrnewallace.com +353 1 691 5866

ByrneWallace LLP is hosting a seminar on Generative AI and Your Business - Safe Use and Mitigating Risks on Wednesday, 24 April. To learn more about this event and register to attend, visit here.