Open any newspaper or magazine these days and you are guaranteed to find an article covering AI or ChatGPT (or both). Everyone seems to be getting incredibly excited about what the latter especially can provide in terms of taking over monotonous writing tasks; however, Regulators around the world are sounding alarm bells about the serious risk of personal data breaches associated with large language models. Italy banned ChatGPT for two weeks following concerns about the lack of screening by its creator Open AI for personal data when it scraped masses of content from the internet to train the language model. Italy’s Data Regulator, Garante per la Protezione dei Dati Personali, lifted the ban on 13 April 2023, subject to “several concrete measures [which] will have to be implemented” by OpenAI including notifying people on its website about its logic and processing and preventing children from using the site.

The Regulator stated:

“OpenAI will have to draft and make available, on its website, an information notice describing the arrangements and logic of the data processing required for the operation of ChatGPT along with the rights afforded to data subjects (users and non-users).”

In addition, Open AI will need to launch a national advertising campaign alerting people to how they can remove their personal data from the ChatGPT training set.

Warnings of potential GDPR breaches by ChatGPT users have also been sounded. Although there is the potential for increasing productivity by using the language model, businesses who fail to run a proper risk assessment can easily find themselves in breach of the GDPR. Furthermore, cybercriminals, never ones to miss an opportunity, have already started utilising ChatGPT to build new hacking tools which could allow them to infiltrate networks and steal personal data.

All this is on top of the sky-high risk businesses face regarding data breaches. In the first quarter of 2023, 310 security incidents were reported, up 12.7% on Q4 2022. The breaches were made up of cyberattacks, ransomware, and internal data breaches (usually made by mistake). And to add fuel to the data breach tinderbox, cybercriminals have now upped the ante when it comes to Ransomware attacks and are not only demanding money to release the data, but also threatening to publish the seized information online if demands are not met.

Given the challenging situation businesses now find themselves in regarding cybersecurity and potential data breaches, it is important to know what actions to take if a data breach occurs. Acting swiftly means you can comply with the data breach notification requirements under the UK GDPR as well as protect your customers’ personal information and your organisation’s reputation.

What are the data breach notification requirements under the UK GDPR?

Article 33 of the UK GDPR states that if a personal data breach that poses a risk to the rights and freedoms of natural persons occurs, the Data Controller must notify the ICO within 72 hours.

If a Data Processor suffers a data breach, they need to notify the Controller immediately.

When notifying the ICO you must:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If you cannot provide full details to the ICO within 72 hours, it is acceptable to send the information in phases, provided there is no delay in doing so.

Finally, you must document the steps you take to deal with the data breach. If you decide the breach does not risk the rights and freedoms of a natural person and therefore does not need to be reported to the ICO, make sure your reasoning is recorded in writing.

If you do not notify the ICO as required by Article 33, your organisation could be fined up to £8.7 million or 2 per cent of its global turnover. The fine can be combined with the ICO’s other corrective powers under Article 58, which includes issuing a reprimand and/or banning a Data Processor from engaging in processing activities.

How can I ensure my business can comply with the UK GDPR if a data breach occurs?

There are several steps you can take immediately to enhance your capacity to swiftly and accurately comply with your UK GDPR duties and responsibilities when (not if) a data breach occurs:

1. Map your data and keep the information contained in the data map up-to-date. To establish who has been affected by a data breach, you need to understand what personal data your organisation holds, where it is stored, and who has access to it.
2. Have a disaster response plan in place that has been communicated to staff so it can be instantly actioned should a breach occur. Appoint a responsible and knowledgeable person (or outside organisation) to manage the plan and ensure all steps taken to comply with Article 33 are documented.
3. If the breach is assessed to be ‘high risk’ you must be able to notify anyone affected. For example, if a hacker accesses your company’s CRM system which includes client credit card details, those affected need to be informed not only of the breach and its likely impact, but the steps you are taking to rectify it.
4. Ensure all staff members understand what is required under Article 33 should a data breach occur. It is also crucial to undertake regular cybersecurity risk management assessments and use the insights acquired to provide employee training on the signs of a potential cyberattack and how to avoid a data breach occurring.

To ensure you and your team can comply with the UK GDPR data breach notifications, it is vital to seek professional advice and ensure everyone in your organisation receives sufficient training on recognising and responding to internal and external cybersecurity breaches. As with all matters concerning compliance (and law in general) prevention is far more effective and cheaper than the cure.

To find out more about any matters discussed in this article, please email us at [email protected] or phone 0121 249 2400.

The content of this article is for general information only.  It is not, and should not be taken as, legal advice.  If you require any further information in relation to this article, please contact 43Legal.