OpenAI API and Privacy

Your questions answered

The adoption of ChatGPT API into business operations necessitates a consideration of relevant privacy regulations. Companies must understand that they become data controllers when using the API. An important compliance step that can be taken is the creation of data processing agreements (DPAs) with OpenAI so that users are adequately informed about how their data is being used.

Practical Steps:

• Execute a Data Processing Agreement: Enter into a legally binding DPA signed with OpenAI, which outlines the responsibilities and obligations regarding data processing. OpenAI offers a DPA which can be created using a form on Ironclad.
  • External Data Sharing: The DPA explicitly addresses external data sharing. OpenAI may engage Subprocessors to process Customer Data, but it must notify customers of any changes to the Subprocessor list and obtain consent. Customers have the right to object to new Subprocessors on reasonable grounds related to data protection. OpenAI mandates that all Subprocessors comply with data protection obligations comparable to those in the DPA.
  • Processing Purposes: OpenAI processes Customer Data primarily to provide and support its services. This includes insights, reporting, analytics, platform abuse monitoring, trust and safety monitoring, and other purposes as specified in the agreement.
  • Data Use for Improvements: The DPA allows OpenAI to process Customer Data for the primary purpose of providing and maintaining the Services. However, it also specifies that OpenAI may use de-identified, anonymized, or aggregated data to improve its systems and services.
• Update Privacy Policies: Clearly articulate how personal data is processed, the purpose of processing, retention periods, and users’ rights. In 2023, we wrote a blog on how to draft a privacy statement (NAALA, 2023).
• Conduct a Data Protection Impact Assessment: For high-risk processing activities, a DPIA is required to identify and mitigate potential risks. For a more detailed description of how to conduct a DPIA, see our January 2024 blog (NAALA, 2024).

Information security is another important topic to consider when integrating AI technologies like the ChatGPT API. Protecting the integrity, confidentiality, and availability of data processed by the API requires internal security measures.

Recommended Actions:

• Access Controls: Implement strict access controls to ensure that only authorized personnel can access sensitive data.
• Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential security weaknesses.
  • API Monitoring: Implement continuous monitoring to detect and respond to unusual activity or potential security threats. This includes logging all API access, monitoring for unusual patterns or spikes in traffic, and setting up alerts for suspicious activities.
  • Penetration Testing: While you may not be able to perform penetration testing directly on OpenAI’s ChatGPT API, you can conduct penetration tests on your own implementation and integration of the API. This contributes to your application and its interaction with the API being secure.
• Consider using the API through Azure: Extended terms of use apply to these preview functions. Microsoft’s data protection guide restricts data use, which mandates customer data is not accessible to others or used to improve OpenAI models (Microsoft Azure, 2024). Data processed by Microsoft includes content generation, model creation, and abuse monitoring. Data, including prompts, is stored on special servers for 30 days for misuse prevention, with objections to data storage requiring an approved request (Microsoft Azure, 2024).