GPT-3 to the rescue — also when Data Privacy is at stake?
Great things are done by a series of small things brought together. — Vincent van Gogh.
In a previous article, I did my best to provide some insights on how GPT-3 could be leveraged to build a solution to automatically identify personal information within your — among others — analytical data landscape.
The ideated solution allowed us to detect the type of personal information (entity type) and even recommended the most optimal method & technique to anonymize each personal data attribute.
And all of this with semantic knowledge and conceptual awareness of the European GDPR. Sounds pretty cool if you ask me ;-)
You can read more about this in the article referenced below:
GPT3 to the Rescue: Anonymise your Analytical Data the easy way
This thread is a concise follow-up on how Microsoft has thought about GPT-3 use cases for regulated corporate customers.
As highlighted, one of the caveats of using GPT-3 for personal data discovery is that OpenAI logs your text prompts, queries, and responses for product improvement, abuse monitoring, and content filtering.
I already got my hopes up for the OpenAI implementation that Microsoft — at the time — planned to implement as part of its Azure Cloud Portfolio and to which extent the Microsoft offering would introduce additional compliance features that would allow the use of OpenAI services for corporate customers in regulated industries.
While skimming through some new Microsoft Learn content about the Data privacy aspects of their new OpenAI service on Azure, I was happy to see that — at least theoretically — Microsoft has a solution that seems promising for GPT-3 in a setting that requires elevated data privacy measures.
The Limited Access features for the Azure OpenAI service: “Enable potential customers to opt out of the human review and data logging processes subject to eligibility criteria governed by Microsoft’s Limited Access framework. Customers who meet Microsoft’s Limited Access eligibility criteria and have a low-risk use case can apply for the ability to opt out of both data logging and the human review process. This allows trusted customers with low-risk scenarios the data and privacy controls they require while also allowing us to offer AOAI models to all other customers in a way that minimizes the risk of harm and abuse.”
As depicted in the diagram below, the Limited Access Features disable the logging of Customer Data, payload, generations, and parameters.
What’s next?
Knowing that Microsoft allows customers to use those “Limited Access features” strongly increases the likelihood that your fancy GPT-3 ideas will ever make it to production. At the same time, it’s rather probable that getting approval to use these features effectively is not a walk in the park and requires a whole stack of paperwork.
Even with these Limited Access Features enabled, I’m still not 100 percent convinced that the DPO in your organization will be delighted and might not stumble across some potential show stoppers in the updated version of the Microsoft Products and Services Data Protection Addendum. But hey, good things don’t come easy, right?
Sharing is Caring
Suppose you have some hands-on experience using a Microsoft OpenAI service in production for a personal-data-relevant use case within a European organization. In that case, as always, I'm very interested to hear from you, so don’t hesitate to reach out!