GDPR compliance of ChatGPT

GDPR compliance of ChatGPT

Article by Tsaaro

7 min read

GDPR compliance of ChatGPT


In recent years, ChatGPT along with other AI-driven models have become more well-liked, and many businesses now rely on them to provide fresh content. However, this application brings up a variety of moral and legal issues, particularly regarding data privacy. One of these concerns is whether Open AI can adhere to Article 17 of the GDPR and remove a person’s data from the model upon request. 

These days, chatbots powered by AI are all the rage, and ChatGPT is the greatest star. It surpassed industry titans like Instagram and TikTok and now holds the mark for the fastest-growing digital platform in history with over 100 million users every month just a few weeks after its introduction.  It’s simple to see why Open AI’s ChatGPT is appealing. Artificial intelligence (AI) is a kind, helpful, and omniscient buddy who is always willing to assist. People use it all across the world for a variety of purposes, including writing poetry, matching wines, fine-tuning code, co-authoring novels, and passing tests. 

AI systems like DALL-E and ChatGPT replicate human responses to queries and instructions by building a comprehensive language model from millions of data points collected from the internet. People who utilize ChatGPT have written poems, and academic writings, and used them to illustrate scientific topics. But like with any innovation that provides novel and cutting-edge capabilities, there is also a significant risk of exploitation and invasion of data privacy. 

Although ChatGPT has previously been charged with disseminating false information by providing misleading or incorrect answers to inquiries about facts, its possible use by cybercriminals and other malicious people is also quite concerning. 

GDPR compliance and ChatGPT 

Data collection is the primary function of chatbots like ChatGPT, hence GDPR is quite pertinent. Particularly for chatbots that use machine learning and natural language processing (NLP). Because you need data to construct a chatbot that truly functions properly, that is, chatbots that can comprehend the context and facilitate meaningful discussions. This includes information like a person’s name, email address, and, if applicable, social security number. 

GDPR is a set of regulations offered by the European Union to its residents’ legal control over how they may share, update, and remove their private information online. Transparency in business and user relationships for gathering and storing data is the goal of the law. 

Simply said, GDPR promotes online privacy protection. Companies must disclose how and when data is gathered, safeguard it from security breaches, and report any such incidents. Users have the right to request the modification or deletion of their data at any time. These regulations are stringent and frequently regarded as the biggest update to Europe’s privacy laws ever. 

At this early point, it is challenging to evaluate ChatGPT’s compliance with the GDPR, especially as all of the operational details are yet unknown. The quantity of personal information in ChatGPT’s original data is unclear, but it stands to reason that the massive volumes of material required to train it contain details regarding real people, and all of this is still there in the dataset it uses. The chatbot itself asserts that every bit of its data used for training has been anonymized and cleansed to remove any identification when questioned about this. Even with knowledgeable users, it is essentially difficult to verify this. 

Additionally, interactions provide computer access to a wealth of personal data. The privacy statement published by Open AI states that the company gathers personal data through the use of services, through interactions including the kinds of content you engage with. The “right to erasure” is the ability under GDPR for individuals to ask for the total removal of their data from an organization’s files. It is difficult to retrieve an individual’s data from natural language processing techniques like ChatGPT since the software consumes potentially personal data and turns it into a form of data soup. 

Thus, it is not evident that ChatGPT conforms with GDPR. It doesn’t seem to be transparent enough, it could be illegally collecting and using personal data, and it looks like it would be challenging for data subjects to exercise their rights, such as their right to be informed and the right to be forgotten. 

How can ChatGPT ensure GDPR compliance 

  1. Examine the information you’re gathering. 

Additionally, ensure that your chatbot only requests necessary information. Never forget that your organization must provide a legal justification for every request for information. A privacy policy has to be very explicit about why this kind of data is being gathered. 

  1. Check the security of the chatbot. 

An AI-generative platform should be able to show that it has the necessary organizational and technological safeguards in place to prevent a data breach. It should also have mechanisms in place to deal with any information leaks. According to article 55 (GDPR) data breaches must be reported to Data Protection Agency and the affected people that might endanger them within 72 hours without undue delay. 

  1. Updating the Privacy Policy 

Having a transparent privacy policy is one of the key obligations of the GDPR. One should be able to easily access it. You must include the legal justification for each of the eight user rights on your GDPR-compliant page. The fundamental guidelines for exercising such rights at any time must be outlined in the privacy policy. Additional steps are required to make the GDPR requirements function for chatbots. 

  1. Include access to the chat data and privacy 

The chatbot should give consumers a simple, recognizable, transparent, and easily available form so they can understand what information is gathered and the way the bot and company will utilize it. When their data is gathered, users should familiarise themselves with privacy regulations. Companies can utilize a link in the conversational flow of chatbots to share this information with users or include a condensed version as part of opening remarks and dialogue. 


Due to the permanent nature of the data produced by generative AI systems like ChatGPT, it is challenging to implement the right to be forgotten as stipulated in Article 17 EU-GDPR. Since replies are generated from the gathered data using natural language processing, it is very difficult to completely erase all traces of a person’s personal information. 

The intricacy of wiping data upon request must now be understood by organizations using generative AI since it necessitates a detailed grasp of how their AI systems read and produce replies. For organizations to abide by the right to be forgotten, they must understand the data that is utilized to generate these replies. 

Even though Chat GPT has a lot to offer businesses in terms of client service and communication, there are several security issues associated with its use that businesses need to be mindful of and actively manage. Organizations may use Chat GPT’s capabilities responsibly and safeguard their data and reputation by taking the necessary steps to recognize and reduce these dangers. 

Keep yourself informed and learn about guidelines for effective privacy management and administration. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today. Understanding these guidelines will help you better protect yourself from common scam tactics. To learn more, reach out to us at 

1 thought on “GDPR compliance of ChatGPT”

Leave a Reply

Your email address will not be published. Required fields are marked *

Shubham Bansal

INTRODUCTION:  The enactment of the Digital Personal Data Protection Act, 2023, marks a significant milestone in the realm of data …

Shubham Bansal

Introduction  The introduction of the DPDPA, 2023 has brought in the opportunity for various sectors including the pharma companies to …

Shubham Bansal

INTRODUCTION:  The enactment of data protection legislation across various jurisdictions have necessitated strict mandates to protect people’s personal information. India …

Shubham Bansal

Introduction  In today’s digital age, data protection and privacy are crucial for businesses, especially those operating online. As companies increasingly …

Shubham Bansal

INTRODUCTION Last year, India achieved a significant mark when the long-awaited data protection legislation known as the Digital Personal Data …


Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them