In today's business world, the integration of artificial intelligence (AI) has become indispensable. Technologies such as OpenAI's GPT API offer innovative methods with which companies can automate and optimize their processes. These developments open up practical solutions for a variety of challenges in different business areas and enable more efficient workflows with measurable cost savings.
AI technologies can, for example, help to improve customer interaction, particularly through the use of intelligent chatbots. They enable more efficient inventory and goods management and automate numerous business processes, leading to significant increases in effectiveness. AI applications are therefore already being used successfully by many companies today and are contributing to measurable cost savings and a significant improvement in operational processes.
However, the introduction of AI technologies also brings challenges, particularly in terms of data protection and privacy. The legally correct implementation of AI technologies is of fundamental importance, especially with regard to compliance with laws such as the General Data Protection Regulation (GDPR).
It is important to fully exploit the potential of AI, while at the same time safeguarding data sovereignty and not jeopardizing customer trust. It is also important to minimize data protection risks in order to avoid potential fines.
This necessitates a legally compliant implementation that balances the technological capabilities with the legal obligations, making it a crucial consideration for businesses.
Generative AI and Language Models
Generative AI, or Generative Artificial Intelligence, refers to an area of artificial intelligence that specializes in creating new data similar to that on which it has been trained. This can include text, images and speech. Unlike traditional AI, which is designed to analyze and interpret data, generative AI generates content on its own.
Machine learning, on the other hand, is a specific application of AI that gives systems the ability to learn from data and improve without being explicitly programmed.
The GPT (Generative Pre-trained Transformer) API from OpenAI is an example of advanced generative AI. GPT is based on the concept of Large Language Models (LLMs), which are a subset of machine learning models. These models are trained on huge datasets of text and can therefore perform a variety of language-based tasks, from answering questions to creating text in different styles.
At its core, GPT differs from traditional AI through its generative approach. While traditional AI systems are mainly geared towards analyzing and interpreting data, GPT can independently generate content that has a human-like effect. This includes writing articles, creating poems or generating dialogs.
A key element of LLMs, and GPT in particular, is the concept of "pre-training". Prior to deployment, the model is trained on a wide range of text data, allowing it to develop a deep understanding of the language and its nuances. After this pre-training, GPT can then be "fine-tuned" to specific tasks by training it on smaller, specialized data sets. This allows for a high degree of flexibility and adaptability to different application areas.
In addition to GPT, there are other important large language models, including Google's BERT, which is known for its contextual text analysis, TransformerXL and XLNet, which specialize in advanced text processing, and RoBERTa and T5, which excel in specific areas of natural language processing (NLP). Claude by Anthropic differs in its focus on human-centered interaction and security. These models represent different approaches and specializations in the field of generative AI.
ChatGPT vs. GPT API
OpenAI's GPT API is an interface that provides third parties with access to the capabilities of the GPT (Generative Pre-trained Transformer) model. This API enables developers and companies to use the capabilities of GPT in their own applications.
In contrast to OpenAI's GPT API, which serves as a comprehensive interface to the multiple capabilities of the GPT model, ChatGPT is a specific application of this model, optimized mainly for dialog purposes. This can be compared to the difference between accessing an entire library and a single book:
- ChatGPT: Similar to a specialized book that provides answers to a wide range of topics, ChatGPT is designed to answer questions and engage in conversations. It is a concrete implementation of the GPT model that focuses on dialog-oriented interaction.
- GPT API: The GPT API, on the other hand, is like accessing a library of different books, with each book representing different functions of the GPT model. Developers can use the API to access these functions and integrate them into their own digital products. This opens up the possibility of using the GPT model for a variety of applications - from text generation and automatic translations to specialized information requests.
Technically, ChatGPT provides a focused way of interacting with the GPT model, while the GPT API provides broader access to the model's diverse capabilities. Thus, ChatGPT is a conversation-focused instance of GPT, while the GPT API is a versatile tool for a range of applications that want to utilize the extensive capabilities of the GPT model.
Example case: GPT-Powered E-Commerce Chatbot
An illustrative application example for OpenAI's GPT API is provided by a fictitious company that operates an online store for customized woodwork. In order to optimize the customer process on its website, this company has introduced a chatbot that uses the GPT API.
The chatbot is programmed to provide customers with comprehensive advice. It provides information about the product catalog, gives details about the materials and dimensions of the woodwork, explains delivery times and guides customers through the ordering process. For example, a customer can ask the chatbot for a specific wooden table and receive information on different designs, sizes, and types of wood. The chatbot also answers questions about the ordering and delivery process in a precise and user-friendly manner.
When a customer is ready to place an order, the chatbot guides them through the ordering process, takes the order and collects all the necessary information. If the customer has further questions or would like more personal advice, the chatbot collects the contact details and forwards them to the company for later feedback.
By integrating the GPT API, the chatbot is able to understand and respond to complex customer queries, resulting in improved efficiency in the sales process.
Further examples of applications are
- Content creation and management:
• Automated creation of marketing content, such as blog posts or product descriptions
- Personal assistants in apps:
• Intelligent assistants for planning and organization tasks in productivity apps
- Voice-controlled applications:
• Development of voice interfaces for software and IoT devices
• Enabling more intuitive and accessible user interaction
- Education sector:
• Creation of personalized learning content and interactive learning aids
- Analysis and data preparation:
• Automated summarization and interpretation in data analysis and presentation
These examples demonstrate the versatility and power of the GPT API, which enables companies to develop customized and intelligent solutions for a wide range of applications.
Data Protection requirements when using the GPT API
Description of the data flows:
When using OpenAI's GPT API, different actors are involved and both personal and non-personal data are processed. Depending on the application scenario, these actors include customers, companies, employees and OpenAI, Inc. the developer and provider of the GPT API.
In the context of the example in which a customer enters order data (such as name, address, e-mail and order content) on a website, the data flow from input to processing by OpenAI can be represented as follows:
The customer enters their order details - name, address, email and details of the order - in an input field on the website, which is supported by a chatbot or an order form that uses the GPT API. The information entered is recorded and processed by the website interface.
The company that operates the website collects the data entered by the customer. This data can be viewed by employees, for example to check the order or to respond to customer inquiries. The collected order data is automatically forwarded to the GPT API if the process requires processing or response by the AI, such as confirmation of the order or additional information.
OpenAI receives the data through the company's API request. The GPT API processes this request to generate the appropriate responses or actions, such as generating an order confirmation. OpenAI has access to the data transmitted through API requests, including possible personal data of customers, depending on the type of request and the information provided.
Legal Perspective: Data Protection Compliance
The company implementing the GPT API is responsible for ensuring that the collection and processing of customer data complies with legal requirements.
From a data protection perspective, the company that operates the website and uses OpenAI's GPT API is subject to the General Data Protection Regulation (GDPR). The handling of customer data must therefore take the following aspects into account:
Compliance with the GDPR by the company: When processing personal customer data, the company is bound by the GDPR. The legal basis for the processing of this data is the performance of a contract pursuant to Article 6(1)(b) GDPR. This includes the collection and processing of customer data for orders placed via the website.
Use of service providers: The company may involve service providers for various tasks, such as web hosting companies, server operators or shipping service providers. In such cases, the legal basis for data processing by these service providers is Article 28 GDPR, which regulates the requirements for processors.
OpenAI as a processor: In relation to the use of the GPT API, OpenAI acts as a processor for the company. As such, OpenAI processes the data on behalf of and in accordance with the instructions of the Company. It is necessary that a data processing agreement exists between the company and OpenAI, which regulates the handling and protection of personal data in accordance with Article 28 GDPR.
The Company provides its customers with a Data Processing Addendum ("DPA") that governs the processing of customer data by OpenAI. This addendum is part of the overall contract between the customer and OpenAI and also relates to the use of OpenAI's API and other services for companies.
The company incorporates the EU Standard Contractual Clauses (SCC) into the Data Processing Addendum (DPA) in order to regulate the transfer of personal data outside the EU in accordance with EU data protection regulations. These clauses form the legal basis for international data transfers. They are usually either used directly as DPAs or integrated into existing contracts.
According to OpenAI's DPA, the EU Standard Contractual Clauses (SCC) will be applied in cases where customers transfer data from the European Economic Area. In such cases, the SCCs take precedence and are considered an integral part of the DPA. If there is a conflict between the SCCs and other parts of the DPA or the underlying agreement, the provisions of the SCCs shall prevail over any deviating provisions in the Open AI DPA.
The main obligations of OpenAI under the data processing agreement pursuant to Art. 28 GDPR include
no use for own purposes: OpenAI acts as a data processor and processes customer data exclusively in accordance with the customer's instructions.
data protection and security: OpenAI is obliged to implement appropriate security measures to protect data and to carry out data processing in accordance with the applicable data protection laws.
data deletion and data sovereignty: OpenAI is bound by the customer's instructions as a processor. At the end of the contract or on other instructions from the customer, OpenAI Inc. must delete the transmitted data.
In summary, the data flow in the application example discussed fundamentally fulfills the data protection requirements. The company that uses the customer data for orders and consultations is generally authorized to transfer personal data to OpenAI in accordance with the DPA and in accordance with Article 28 GDPR and the Standard Contractual Clauses (SCC).
Pitfalls and common mistakes in data protection implementation
However, the above is by no means a free pass when it comes to data protection. In order to integrate the GPT API in a legally compliant manner, the following liability traps must be avoided:
Liability trap 1: Careful selection of the service provider
Article 28 GDPR requires companies to ensure that their service providers, such as OpenAI, comply with data protection requirements. This means that companies must actively check whether these service providers comply with data protection requirements.
In practice, however, the implementation of this obligation presents companies with practically insurmountable challenges, as it is often difficult to assess compliance with data protection requirements by third parties. However, as long as no official prohibition orders or similar measures have been issued against these service providers, companies cannot be expected to assess the data protection compliance of OpenAI any better than the data protection authorities themselves with their far more extensive means of data protection assessment. At this point in time, it is not possible to derive from Art. 28 (1) GDPR a comprehensive obligation to examine the data protection compliance of OpenAI more closely.
Liability trap 2: Involvement in the specific case and risk assessment
Although the transfer of data, including personal data, to OpenAI is generally possible on the basis of a data processing agreement, it should not be concluded across the board that such a transfer would be permissible in every case and every constellation.
Rather, it is crucial to consider each specific application scenario individually. It should first be evaluated which categories of data are to be transferred and whether contractual or legal requirements prevent a transfer to OpenAI.
Companies that integrate OpenAI GPT into their own applications must also ensure that their own applications are data protection compliant in the specific case. The planning of the integration of the GPT API should therefore already be included in the development process ("Privacy by Design", Art. 25 GDPR).
For example, application and assessment center decisions based exclusively on AI would regularly violate data protection regulations due to a breach of Art. 22 GDPR. Before data is transferred to OpenAI, it must therefore be precisely evaluated which data is affected and to what extent there are special legal requirements regarding the handling of this data.
Liability trap 3: Lack of internal data protection measures (procedure directory, data protection declaration, DPIA)
When integrating OpenAI's GPT API into company processes, internal data protection measures are of crucial importance in addition to the direct transfer of data to OpenAI. An essential component here is the careful maintenance of the procedure directory to ensure that the relevant processes are correctly and fully documented. This includes a precise description of how the GPT API is integrated into the company's processes, including the data processing steps and the systems involved.
In addition, depending on the result of an initial risk assessment, a data protection impact assessment must be carried out in the event of high risks to the rights and freedoms of data subjects. This serves to identify the data protection risks that could arise from the use of the GPT-API and to define appropriate measures to minimize the risks.
The legally compliant use of the OpenAI API requires a sound understanding of both the technical possibilities and the legal framework. It is crucial for companies and developers to follow practical recommendations that ensure both technological efficiency and compliance with data protection regulations. The checklist provided in this article can serve as a guide to consider the most important data protection aspects when implementing the OpenAI API.
The field of AI, particularly with regard to data protection, is constantly evolving. Future technological advances and changes in legislation will continue to influence the way companies use AI technologies. A proactive approach that takes into account both current developments and possible future trends is therefore essential.
The integration of AI technologies such as the OpenAI API offers enormous opportunities, but also poses significant data protection challenges. At Simpliant, our focus is on helping your organization integrate AI language models like GPT into your business processes in a privacy-compliant way. If you need help to overcome the complex data protection challenges in the field of artificial intelligence, please get in touch via our contact form.
Support from Simpliant
The integration of AI technologies such as the OpenAI API holds great potential, but also presents significant data protection challenges for companies. Simpliant focuses on assisting you in the data protection-compliant integration of AI language models like GPT into your business processes. If you need support in managing the complex data protection challenges in the AI sector, please feel free to contact us via our contact form.