Data is typically added to an AI to explain a problem, situation, or request (“input data”). Some popular AI models refer to input data by the term “prompt,” as the user is prompting the AI to initiate an action or to create additional information. Prompts can take different forms, such as text prompts or image prompts, and may or may not contain personal information. As an example, the prompt “what is Pi to the 15th digit” would contain no personal information, whereas the prompt “write a letter to David Zetoony, a data privacy attorney in Colorado,” would contain personal information.
Organizations that use an AI may be acting as either a controller or a processor, depending on the degree of discretion they exercise in deciding how the AI will function, including whether personal information will be inputted into an AI prompt. For example, if an organization determines that it will input personal information into an AI, it will likely be considered a “controller.” If the same organization directs a third party to input the personal information into an AI on its behalf, that third party would likely be considered a “processor.”
Whether an organization is a controller or a processor, the GDPR requires each organization to create a record of processing activities. The record of processing activities can take many forms, and many organizations choose to satisfy the requirement through a data inventory (i.e., a list of all the systems that collect and process personal information). What must be included in that record of processing activities or data inventory differs, however, based upon the company’s controller or processor designation. The following summarizes the information that must be included when personal information is added to input data/prompts depending on whether an organization is a controller or a processor.