
Shadow AI and GDPR

In a world where digital transformation is accelerating, artificial intelligence (AI) is increasingly making its presence felt in our business environments. Yet this rapid adoption is not without risks. Shadow AI, or the uncontrolled use of AI tools by employees, represents a major new challenge for businesses, particularly in terms of GDPR compliance and data security.

What is Shadow AI?

Shadow AI refers to the unofficial or uncontrolled use of artificial intelligence tools and applications by employees within an organization. Like Shadow IT, where employees use software or IT services without the approval of the IT team, Shadow AI occurs when employees adopt AI solutions without the company being fully aware of them, or without them being integrated into an appropriate security framework.


Why do employees use AI informally?

The appeal of AI is obvious and understandable. Here are some reasons why your employees might be tempted to use these technologies informally:

  • Productivity gains: AI tools automate repetitive tasks, enabling employees to focus on higher value-added activities.
  • Access to innovation and competitiveness: AI solutions offer a competitive edge by facilitating the rapid analysis of large quantities of data.
  • Tool accessibility: many AI platforms are easily accessible, often for free or low cost, encouraging employees to use them for work optimization.
  • Lack of internal solutions: if internal tools don't meet employees' needs, they may turn to unapproved external solutions.

What are the risks of Shadow AI?

1. Leakage of sensitive information

e.g. employees who copy and paste client information, business plans, product roadmaps, contracts, internal reports, HR data, etc. into a chatbot → risk of disclosure, loss of competitive advantage, and breach of confidentiality clauses.

2. Unregulated personal data

Use of AI without a legal basis, without informing the individuals concerned, without a defined retention period, and without guaranteed deletion → GDPR risk.

3. Uncontrolled learning

Some providers reuse prompts, outputs, or metadata to train their models → risk of data re-exposure or unintended use.

4. Transfer of data outside the EU

Many AI tools run on non-European clouds and providers → issues relating to data localisation, the US CLOUD Act, contractual safeguards, and insufficient guarantees.

5. Deterioration in the quality of work

Unproofread AI outputs: errors, hallucinations, biases, approximations, or unreliable translations → decreased reliability, loss of credibility, and decisions made on the wrong basis.

Example: The case of Samsung and the consequences of Shadow AI


In April 2023, Samsung faced a critical situation concerning the uncontrolled use of a generative AI tool by its employees, which led to the leak of sensitive data.

Here's what happened:

Incident background

Samsung, a world leader in electronics and semiconductors, had authorized the experimental use of ChatGPT, a generative AI tool developed by OpenAI, in certain divisions to facilitate tasks such as document translation, code review and productivity improvement. However, some employees, while trying to take advantage of this tool to speed up their work, inadvertently shared highly confidential information with the platform.

Compromised data

The incident involved three separate data leaks:

1. Sensitive source code: an employee copied and pasted source code from a proprietary semiconductor application into ChatGPT to correct programming errors. This code contained proprietary algorithms and critical technical information for Samsung products.
2. Internal meeting notes: another employee used ChatGPT to summarize confidential meeting notes on the performance and strategy of an internal project. This information included strategic discussions and management decisions.
3. Performance data: a third employee submitted semiconductor test data to receive suggestions for improvement, exposing performance parameters and internal data.

Consequences for Samsung

Following this incident, Samsung was forced to:

  • Review its security policies: by prohibiting the unauthorized use of external AI tools.
  • Raise awareness: through internal campaigns to educate employees about the risks associated with Shadow AI.
  • Implement safe alternatives: by developing internal AI solutions to limit reliance on unsecured external platforms.

How can you prevent Shadow AI in your company?

To limit the risks associated with Shadow AI and protect your organization, here are some essential measures to adopt:

1. Employee awareness: train your employees on the risks of unauthorized use of AI tools and the potential consequences for the company.
2. Set up a clear policy for AI use: establish strict rules on the adoption and use of AI tools, with validation processes run by the compliance and security teams.
3. Monitoring and auditing: implement monitoring (for example, of outbound traffic to known AI services) to detect unauthorized use of AI, and carry out regular audits to identify and correct risky practices.
4. Adoption of secure, compliant AI tools: provide your employees with secure, regulatory-compliant AI alternatives so they can achieve their goals without compromising corporate data.
5. Outsourcing the DPO function: entrust the management of your GDPR compliance to an outsourced DPO, like Dipeeo, to benefit from dedicated expertise, guarantee compliance and train your teams in best practices.
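As an added illustration of the monitoring step (this is example code written for this edit, not code from the original article or from Dipeeo), the following Python script parses egress proxy log lines, matches each destination host against a list of known generative AI services and a company allowlist, and reports which users are sending data to unapproved services and how much. The log format, the host inventory, the allowlist and the upload-size threshold are assumptions; the sample log lines are constructed, not real traffic.

```python
import re
from dataclasses import dataclass

# Assumed inventory of generative AI hosts worth flagging in egress traffic;
# extend it from your own proxy or DNS data.
AI_SERVICE_HOSTS = {
    "chat.openai.com": "ChatGPT",
    "api.openai.com": "OpenAI API",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
    "huggingface.co": "Hugging Face",
}

# Hypothetical allowlist: AI hosts validated by the compliance and security teams.
APPROVED_AI_HOSTS = {"copilot.microsoft.com"}

# Hypothetical Squid-style proxy log line:
#   <timestamp> <user> <client_ip> <method> <host> <bytes_out> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<bytes_out>\d+) (?P<status>\d{3})$"
)

# Assumed threshold: a POST body this large looks like a pasted document or source file.
LARGE_UPLOAD_BYTES = 50_000


@dataclass
class Finding:
    user: str
    host: str
    service: str
    requests: int = 0
    bytes_out: int = 0
    large_uploads: int = 0


def _matches(host, known):
    # Exact host or any subdomain of it (api.claude.ai matches claude.ai).
    return host == known or host.endswith("." + known)


def host_to_service(host):
    """Return the AI service name for host, or None if it is not a known AI host."""
    for known, name in AI_SERVICE_HOSTS.items():
        if _matches(host, known):
            return name
    return None


def is_approved(host):
    return any(_matches(host, approved) for approved in APPROVED_AI_HOSTS)


def detect_shadow_ai(log_lines):
    """Aggregate traffic to unapproved AI services per (user, host)."""
    findings = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the audit
        host = m["host"].lower()
        service = host_to_service(host)
        if service is None or is_approved(host):
            continue
        key = (m["user"], host)
        f = findings.setdefault(key, Finding(m["user"], host, service))
        f.requests += 1
        sent = int(m["bytes_out"])
        f.bytes_out += sent
        if m["method"] == "POST" and sent >= LARGE_UPLOAD_BYTES:
            f.large_uploads += 1
    # Largest outbound volume first: that is where a leak is most likely.
    return sorted(findings.values(), key=lambda f: f.bytes_out, reverse=True)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice 10.0.0.21 GET copilot.microsoft.com 812 200
2024-03-04T09:15:44Z bob 10.0.0.33 POST chat.openai.com 1420 200
2024-03-04T09:16:10Z bob 10.0.0.33 POST chat.openai.com 183220 200
2024-03-04T10:02:09Z carol 10.0.0.40 GET intranet.example.com 300 200
2024-03-04T10:05:51Z bob 10.0.0.33 POST api.openai.com 64123 200
2024-03-04T10:30:00Z dave 10.0.0.52 GET claude.ai 950 200
this line is malformed and must be skipped
""".splitlines()


if __name__ == "__main__":
    for f in detect_shadow_ai(SAMPLE_LOG):
        print(f"{f.user:<8}{f.host:<24}{f.service:<12}"
              f"requests={f.requests} bytes_out={f.bytes_out} "
              f"large_uploads={f.large_uploads}")
```

Run as-is to see the report on the constructed sample; replace SAMPLE_LOG with an export from your proxy to use it on real data. Bytes sent per request is a coarse signal (it cannot tell a pasted contract from a large harmless prompt), so treat the output as a list of conversations to have with the users concerned and as input to the AI-use policy, not as proof of a leak.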

Conclusion

Shadow AI represents a growing challenge for businesses in the age of artificial intelligence. By taking a proactive approach, raising awareness among your teams and collaborating with experts like Dipeeo, you can safely navigate this ever-changing landscape. Compliance and security must be top priorities to protect what's at the heart of your business: your data.
