Managing AI Risks: crucial advice from Dutch Data Protection Authority

Earlier this month, the Dutch Data Protection Authority warned about the risks of using AI in the workplace (in Dutch). It found that providers of AI tools might retain personal data shared with them.

Employees might be using AI tools without their employer’s knowledge or consent. If so, they might be in breach of their employer’s data policy. Even if the use is within the scope of the corporate policy, it might still be outside the initial purposes expressed to the individual.

This is nothing new. Samsung disabled employee access to ChatGPT last year when it discovered employees were sharing Samsung’s proprietary code! Microsoft and Amazon took similar steps with other AI tools this year. I wrote about that earlier this year.

So, old news then? Maybe, but employers should take note that the Dutch DP authority has issued this warning. It says employers should guide staff on when they can use AI tools and what types of data they can share. In particular, it warns about the use of medical data by GP practices.

Since Brexit, the UK is not part of the EEA, or “Data Fortress Europe” if you like. But UK GDPR is equivalent to EU GDPR. After all, the EU Commission (currently) deems UK data protection laws as “adequate”, meaning commensurate with GDPR. It won’t be that much of a stretch for the UK’s ICO to issue a similar warning. Take action now.

What to do?

Employers: Make sure you cover use of AI in your data and IT policies. Is it ok for employees to use AI? Do you have a preferred AI tool they should use? Does that tool keep the data you share in a locked box? Or does it retain your data and use it to train its algorithms and finesse its own output? Be prepared to pay for the best option for you and your data, rather than the version available for free. Consider training your staff on how and when to use AI tools. Remember, if there is a data breach, you should assess whether you need to report it to the ICO.

Employees: Don’t use AI without checking your employer’s policy and definitely don’t use it in breach of a policy. Don’t share personal data if you don’t need to. The goal is to obtain efficiencies in processing personal data. But ensure you do it in a compliant manner.

If you need advice, contact me at +44 20 3824 9748 or fjennings@hcrlaw.com.
