The Use of Generative Artificial Intelligence Tools in the Workplace

The Turkish Personal Data Protection Law No. 6698 establishes a general legal framework applicable to all situations where personal data is processed, regardless of the technology used, and personal data processing activities carried out through generative artificial intelligence (“GAI”) systems are also evaluated within this scope. The Turkish Personal Data Protection Authority (“Authority”) had prepared the “Generative Artificial Intelligence and Personal Data Protection Guide (15 Questions)” [1] to assess the impact of GAI systems on the protection of personal data, encourage privacy-respecting use, and provide guidance to data controllers.

As a result of the increasing use of GAI tools in the workplace, the Authority has newly prepared a document on the “Use of Generative Artificial Intelligence Tools in the Workplace”[2] (“Document”) to regulate this area. The Document is prepared to provide a general framework for the use of GAI tools provided by third parties and publicly accessible in the workplace.

• Overview of the Use of GAI Tools in the Workplace

GAI refers to artifical intelligence (“AI”) systems trained on large datasets that can generate new content such as text, images, video, audio, or code based on given commands. Unlike traditional AI, which only makes predictions, GAI can create human-like new content by leveraging patterns in existing data. Such tools are beneficial in various fields such as customer service, marketing and advertising, education, healthcare, law, and software development.

The use of GAI facilitates employees' ability to utilize these tools in their work processes. Examples of such usage include preparing email and text drafts, summarizing documents and evaluating their content, supporting idea development efforts, creating meeting notes, and contributing to research activities.

• Uncontrolled Use of GAI Tools (Shadow AI) and the Risks It Poses

“Shadow AI” refers to the use of GAI tools within an organization or institution by employees outside the knowledge, approval, or corporate control of said organization or institution in business processes.

With the proliferation of GAI tools, employees have begun to use these tools more frequently in their work processes. As a result, meeting notes, internal correspondence, draft reports, and certain non-public internal information may be shared using third-party GAI tools. Furthermore, the fact that these tools are free or low-cost, easily accessible, and simple to use contributes to the increase in individual usage.

The widespread use of Shadow AI complicates risk management for organizations. When it is not sufficiently clear which GAI tools are being used for what purposes and what data is being shared, it becomes difficult to assess compliance with legal obligations and intervene in potential violations. In this context, the Document explains the risks associated with Shadow AI use as follows:

      i.   Risks related to auditability and accountability: In this context, it is not possible to determine which data is used for what purpose and scope, or the reasons behind specific outcomes. 

     ii.   Risks related to decision quality and accuracy: AI tools can produce erroneous, misleading, or inconsistent outputs and lead to biased results.

   iii.   Risks related to the protection of intellectual property and trade secrets: Sharing trade secrets or other confidential information that is sensitive in terms of competition with GAI tools may carry the risk of intellectual property rights infringement and weakening corporate control over information.

   iv.   Risks related to loss of corporate reputation and trust: The use of GAI outputs whose accuracy and reliability have not been verified may lead to misinformation.

   v.   Risks related to information security and cybersecurity: Insecure application programming interfaces, personal devices, or unmanaged integrations can expose organizations to cyber-attacks.

   vi.   Risks related to the protection of personal data: Sharing personal data with GAI tools may increase the risk of data breaches.

•  Considerations Regarding the Use of GAI Tools in the Workplace

The increasing use of GAI tools in business processes necessitates a review of corporate approaches and practices regarding the use of these tools. In this context, it is important to adopt approaches based on guidance, balance, and awareness rather than prohibitive approaches regarding the use of GAI tools in the workplace. In this respect, the Document lists the following general points that companies, institutions, and organizations should consider when using GAI tools in the workplace:

-    An explicit corporate policy should be established that outlines the limits of correct and appropriate use.

-    Employees should adopt a cautious approach when using these tools regarding sensitive information and personal data, and where necessary, use anonymized, generalized, and abstract expressions.

-   Over-reliance on GAI should be carefully evaluated in terms of business processes. Therefore, GAI should be used in conjunction with human oversight and evaluation.

-   Measures related to data security and access control must be taken to manage the use of GAI in business processes. In this context, measures such as ensuring that employees can only access GAI tools specified by the organization and with defined terms of use and clarifying the framework for types of information that are not considered appropriate to share with GAI tools, can be made possible.

-   Information and training activities must be carried out for employees regarding the purposes of use of GAI tools, the risks that may arise, and the issues that require attention.

Conclusion

The use of GAI tools in the workplace must be addressed with due consideration to the potential risks and legal obligations involved. The ethical and responsible use of GAI tools ensures that the speed and efficiency they offer can be exploited in a sustainable manner. In this process, compliance with legislation on the protection of personal data is of great importance. This supports the predictable and responsible use of GAI tools in the workplace and reduces the risks that may arise from uncontrolled use.

References

(Only in Turkish) Generative Artificial Intelligence and Personal Data Protection Guide (15 Questions). Retrieved from The Turkish Personal Data Protection Authority: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/MTY5MjNmNmIwZWY3YTE.pdf

(Only in Turkish) Use of Generative Artificial Intelligence Tools in the Workplace. Retrieved from The Turkish Personal Data Protection Authority: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/MTY5YTdkNjdjNzJlMjM.pdf