Data Privacy Happenings

Hello and welcome to the second edition of Mine's monthly newsletter, The Privacy Mindset! 👋

In between all the awestruck reactions and explosion in self-styled AI experts in the wake of OpenAI's release of ChatGPT, data privacy concerns have failed to emerge as a consensus worry. While some have pointed out concerns and others have exposed the model as one that frequently invents sources and presents misleading information, the prevailing narrative has been that we are at a turning point in technological history.

For anyone with an inkling of interest in or knowledge of data privacy, hopefully that is not the case. As if the above problems were not enough, Microsoft, one of OpenAI's main investors, has announced the revolutionary upstart will use its AI to power Bing. 

To say Bing's AI has had a tough time of things since the announcement is an understatement. Misinformation? Check. Insulting users? Check. Users messing with the chatbot to crack it? Check.

None of that would be worrisome if these chatbots had not vacuumed up virtually the entire internet and all the data on it before launching, or if they were not storing and processing terabytes of information from all its user conversations every few minutes.

But they are. 

OpenAI was not granted explicit access to go through all of that data, some of it surely yours and mine, nor does it seem like OpenAI considers itself bound to any data regulations considering it was built on the very opposite of data minimization.

There is currently no way for individuals to exercise their data rights and inquire as to what ChatGPT has stored, largely because that data is not merely sitting in data centers, but feeding into the system's evolution itself, making it incredibly difficult to isolate and extract.

Few can be sure of the specifics of how OpenAI and Microsoft are handling and processing the data ChatGPT receives, but from what we can infer about its interactions with users, these chatbots are playing with fire when it comes to data protection.

Given many people's pursuits to break these systems, as well as the systems themselves already mixing up users when prompted to recall past conversations, any leak or outage could result in a data privacy catastrophe with tons of data--sensitive or not--being exposed to the public. 

That is a step backward for the internet and one we collectively need to consider more as we integrate this AI technology into our work and life. 

Product Spotlight

Data discovery and classification, and our unique approach to them, are vital to understanding the scope of a company's data landscape.

Since companies are often adding data systems, Mine has designed our Radar to boost the continuity of data discovery and inventory. 

Radar by Mine gives enterprises a clean way to monitor new data sources connecting to the company and understand their significance based on usage, employee access, and departmental use.

Based on those insights, privacy professionals then choose to confirm the data source and add it to their Inventory or off-board and remove the system.

Radar makes the process of organizing data discovery & inventory and keeping track of shadow IT more straightforward than ever before.

Regulation Focus

GDPR article 11.1:

If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

GDPR Article 11, the last article in Chapter 2, which outlines data protection principles, covers data processing which does not require identification. 

It states that controllers do not need to get or process additional data to identify an individual given the controller's purpose for data collection does not require data subjects to be identified.  Article 11 acts as a way to limit controllers' obligations and reinforce the practice of data minimization.

The article is sound in theory, although AI chatbots are testing its and the GDPR's limits. 

Projects like OpenAI's ChatGPT have scanned and processed unimaginable amounts of data, including massive quantities of PII, and were able to do so without repercussion given the purpose of those data processing activities did not technically require data subject identification.

Regulation has perpetually lagged behind technology, and even in 2016 when the GDPR was passed, lawmakers could not have fathomed the scope of AI even six years later. 

Even if ChatGPT is not storing and processing data using traditional methods, it is going through endless data, completely contracting the notion of data minimization and exploiting Article 11's original intention. How--and if--lawmakers respond to AI and its risk to data protection will be a key to watch in 2023. 

Founder's Corner 

CEO & co-founder Gal Ringel

Q: What advice would you give for businesses to handle tougher economic conditions for startups?

A: Do more with less. Sale cycles are increasing, companies are reducing budgets and it will be harder to sell. Try to explain the situation to the entire team and be transparent with them, so they can understand what is expected. Work as one team! 

Upcoming Events

The Mine team will be appearing at PrivSec London 2023, with CEO & co-founder Gal Ringel and CPO & co-founder Kobi Nissan each taking part in a panel:

• A New Era of AI Governance - Feb 28 at 2:15 PM GMT
• Privacy Program Management: How Companies Can Best Juggle Their Compliance Requirements - March 1 at 11:40 AM GMT

In the lead-up to PrivSec, our next webinar on Successful Data Privacy Program Essentials will take place Feb 23 at 3 PM GMT/10 AM EST. We'll have one of our amazing customers, Clarin Gniffke, with us, and will unveil the platform's latest and greatest capabilities. Register here so you don't miss out!

We're always around

to talk data privacy.

Get in touch at press@saymine.com 

How did you like this month's issue?