Data Privacy in Today’s Digital Age

Data privacy is a critical issue for businesses, particularly those that use advanced technologies such as AI language models like ChatGPT or other emerging technologies. While these technologies can offer significant benefits in terms of improving productivity, streamlining processes, and enhancing customer experiences, they also present unique data privacy challenges that must be addressed.

Businesses must ensure that any personal data they collect, or use, is done so in a lawful, fair, and transparent manner. This means that businesses must be transparent about the types of data they are collecting, why they are collecting it, and how they plan to use it. This includes transparency on a business’s use of AI language models like ChatGPT, and how personal data will be input or processed through it. Additionally, businesses must ensure that they have a lawful basis for collecting and processing personal data, and that they are doing so in accordance with relevant data protection laws and regulations.

Businesses must ensure that they are taking appropriate steps to protect the personal data they are collecting and using. This may include implementing strong data security measures, such as encryption and access controls, to prevent unauthorized access or data breaches. In addition, businesses should check the AI language model or technology they are utilizing to see what, if any, data protection it offers. For instance, AI language model ChatGPT protects user privacy is by ensuring data is encrypted during transmission and storage, and access to it is strictly controlled. Only authorized personnel have access to user data, and they are required to adhere to strict data privacy policies and procedures.

Businesses must also consider how they will obtain the necessary consents from individuals whose personal data they will be processing. This may include obtaining explicit consent for the processing of sensitive personal data or implementing mechanisms for individuals to opt-out of certain types of data processing. It may also include businesses providing individuals with the necessary rights to access and control their personal data. This may include providing individuals with the ability to request that their personal data be deleted, updated, or corrected, or to restrict or object to certain types of data processing. For instance, AI language model ChatGPT provides that its users have the right to access their data, request that it be deleted, and opt-out of data collection altogether.

Businesses should consider implementing data privacy policies and procedures, conducting regular risk assessments, and providing training and education to employees on data privacy best practices. Additionally, businesses should work with legal counsel to stay informed about any changes or updates to data privacy laws that may impact their operations.

On May 1, 2023, the governor of Indiana signed Senate Bill 5, known as the Indiana Consumer Data Protection Act (INCDPA), making Indiana the seventh state to enact a comprehensive data privacy law. Indiana’s new law takes a more “business-friendly” approach but is only applicable to certain types of businesses and there are several exemptions. However, the INCDPA helps provide data protection. Under the INCDPA, consumers are granted several rights over their personal data including the right to access, right to correct, right to data portability, right to delete, and right to opt-out of targeted advertising and sale of personal data. Businesses have the obligation to limit personal data collection to what is “adequate, relevant, and reasonably necessary,” protect personal data, obtain consumer consents, not discriminate, be transparent, and conduct impact assessments for certain activities.

For the full text of the new INCDPA see: Senate Bill 5 - Consumer data protectionIndiana General Assembly, 2023 Session

Businesses must have a plan in place to respond to data breaches or other security incidents. This may include having a designated data protection officer responsible for overseeing data security and privacy, as well as establishing incident response protocols to quickly and effectively address any data breaches or other security incidents. Some key elements of an effective data privacy incident response plan include:

1. Preparation: Identify the types of personal information that the business collects and stores, identifying the risks and vulnerabilities associated with that information, and implementing security measures to protect against those risks.

2. Detection: Detect any data breaches or other privacy incidents as quickly as possible. This may involve setting up alerts, monitoring network activity, or other measures to identify potential incidents.

3. Response: Take immediate action to contain the damage and protect affected individuals. This may include shutting down affected systems, disconnecting from networks, and/or engaging outside experts to help with the response.

4. Notification: Notify affected individuals, law enforcement, and/or regulatory authorities. The incident response plan should include clear procedures for notifying these parties in a timely and effective manner.

5. Investigation: Conduct a thorough investigation to determine the cause and scope of the incident. This may involve reviewing logs, interviewing witnesses, and/or engaging forensic experts.

6. Remediation: Address any vulnerabilities or weaknesses that were identified. This may involve implementing additional security measures, updating policies and procedures, or other measures to prevent similar incidents from occurring in the future.

7. Evaluation: Evaluate the effectiveness of its incident response plan and make any necessary updates or revisions based on lessons learned from the incident.

Businesses must ensure that they are taking appropriate steps to protect the personal data they collect and use, including implementing strong data security measures, obtaining necessary consents, providing individuals with access and control over their personal data, educating employees on data privacy best practices, and establishing incident response protocols. By doing so, businesses can help to ensure that they are meeting their obligations under relevant data protection laws and regulations, while also promoting trust and confidence among their customers and stakeholders.

The FMLA applies to public agencies, including local, State, and Federal employers, and local education agencies (schools); and private sector employers who employ 50 or more employees for at least 20 workweeks in the current or preceding calendar year—including joint employers and successors of covered employers HCBM

Cari Sheehan is an Assistant Clinical Professor of Business Law and Ethics at IU Kelley School of Business –Indianapolis. She is also a local attorney and frequent seminar speaker focusing her practice on legal ethics and litigation. This article should not be interpreted as providing legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation.