AI and data protection: How can companies use artificial intelligence safely?
How AI and data protection can be effectively combined in companies, what risks cloud-based AI entails, and when local AI is the better choice.
AI and data protection are closely linked, because companies can only use artificial intelligence effectively if personal data, trade secrets, and sensitive information are protected. This is precisely where many companies face the question: How can AI be used without incurring legal or security risks?
The good news is that yes, AI can be used safely – just not with every AI solution. In this article, we explore how companies can combine artificial intelligence and data protection and where the limits of public AI systems such as ChatGPT lie.
Why consider data protection when using AI?
Data protection and security must be taken into account when using AI because AI systems regularly work with sensitive data, i.e., data that is very valuable and should not fall into the wrong hands.
AI is used, for example, for:
- Internal knowledge systems
- Document analysis
- Code and text generation
- Process automation
This often involves processing personal data, customer information, or internal know-how. Without clear rules, this can lead to confidential data being passed on to external AI providers in an uncontrolled manner.
What exactly does data protection mean in the context of AI use?
In a corporate context, AI compliance means that every use of AI must be evaluated in terms of both GDPR compliance and data security.
There are two levels involved here:
- Data protection (GDPR): Protection of personal data
- Data security: Protection of all sensitive company data – including data that is not personal
This is precisely where a common fallacy arises: GDPR compliance does not automatically mean security for company secrets.
What are the data protection requirements under the GDPR?
Under the GDPR, personal data must be processed in a legally compliant, transparent, and controllable way.
A key component of this is the data processing agreement (DPA) with the AI provider:
- The DPA regulates how personal data is processed
- It creates a legal basis in accordance with the GDPR
This ensures compliance with the GDPR.
However, an DPA does not automatically protect against the leakage of trade secrets or confidential company knowledge. Internal information can still leave the company.
A DPA resolves the legal data protection issue, but not the security risks to sensitive company data. Especially in the case of trade secrets, strategic documents, source code, or internal decision-making frameworks, there is always a residual risk with cloud AI.
This was illustrated by a ChatGPT data breach in Italy, which led to a temporary ban on ChatGPT. Data from conversations with ChatGPT and payment information were leaked.
Although OpenAI offers the option of concluding an DPA, many data protection experts still advise caution. Reasons for this include the limited transparency of data processing, limited control options, and unanswered questions about the use of input and training data. Data protection consultancies such as Proliance have highlighted these issues.
What are the risks associated with using cloud-based AI systems?
Typical risks of cloud-based AI systems include:
- Data processing outside of the company's own infrastructure
- Lack of transparency regarding storage locations
- Unclear use of inputs for model improvement
- Limited control options
Shadow IT can also become a problem: if companies do not offer their employees an AI solution, they may resort to using private AI accounts to simplify their daily work.
How can companies use AI safely?
More and more companies are consciously deciding against cloud-based AI services for internal use cases. AI can only be used securely if, for example, it accesses company data only locally.
What is local AI?
Local AI means that the language model (LLM) is run on your own hardware or in a private cloud instance without data flowing to external providers.
A local AI solution offers clear advantages:
- Data remains entirely within the company
- No leakage of sensitive information
- Full control over models, data, and access
- GDPR-compliant and secure for trade secrets
This is how artificial intelligence and data protection can be effectively combined.
What questions should companies ask themselves about AI and data protection?
Companies should ask themselves not only legal but also strategic questions about AI and data protection.
For example:
- What data is our AI allowed to process?
- Is an DPA sufficient, or do we need more control?
- Is there any data that must never leave the company?
- How do we protect our internal knowledge in the long term?
These questions determine whether AI becomes a risk or a real added value, and whether a local solution might make more sense.
What role does the EU AI Act play for companies?
The EU AI Act obliges companies to make the use of AI more transparent, controllable, and risk-based.
The EU AI Act supplements the GDPR and imposes additional requirements on the use of AI systems, especially for companies in high-risk areas of application, such as healthcare, banking, or critical infrastructure.
This highlights an advantage of local AI solutions:
Companies retain significantly more control over how AI systems work, what data they process, and how the requirements of the EU AI Act are met.
Conclusion: Combining AI and data protection
AI and data protection can be combined if companies make conscious decisions about where their data is processed.
Although DPAs protect data when using AI in accordance with the GDPR, internal confidential data is most secure when you use local AI. This allows you to retain control over trade secrets and other important data.
Artificial intelligence and data protection are therefore not contradictory.
