All articles

LLMs and Data Privacy - Broadsword calling Danny-Boy!

May 1, 2025
headshot
Mark Rothwell-Brooks
Chief Executive

An old friend—let’s call him "Danny Boy" (we’ve been friends a long time; he’s not actually old)—has been a serial entrepreneur for years. Danny Boy has always had a knack for spotting solutions to problems that others, myself included, just don’t see.

We caught up recently on a snowy mountain, having both parachuted in for a charity event. While waiting for our pick-up, we started talking about a mutual friend—let’s call him "The Colonel"—who heads up the sales function in Europe for a software services company. The Colonel was eager to expand beyond Europe into new markets but was running into the usual hurdles: logistics, language barriers, and unfamiliar cultures.

Naturally, the conversation turned to AI and large language models (LLMs) and how they’re reshaping the world. We wondered: would this tech help or hinder The Colonel’s global domination ambitions?

I was convinced it had to be a force for good. Imagine the efficiency gains—The Colonel could instantly translate RFP bid documents from any language into English, accelerating his company’s ability to compete globally.

Danny Boy, however, looked horrified.

He pointed out that one of the key reasons organizations are banning these tools is exactly that use case. Taking an RFP written in, say, German and uploading it to ChatGPT for translation breaches all sorts of privacy laws—and exposes you and your company to serious sanctions.

A bit later, holed up in our alpine hut sipping hot wine, I fired up ChatGPT and asked it (I think it’s an “it,” though who really knows these days when it comes to pronouns) the following:

In 500 words, can you outline the data and privacy risks associated with using ChatGPT and other LLMs when organisations are asking them to translate company privileged information.

Here's the response :

Data and Privacy Risks of Using LLMs for Translating Privileged Information

Organizations increasingly turn to large language models (LLMs) like ChatGPT for tasks such as translating internal documents. While these models offer speed and cost-efficiency, they pose significant data and privacy risks, especially when handling company-privileged or confidential information.

1. Data Exposure Risk

One of the primary concerns is inadvertent data exposure. LLMs process data by transmitting inputs to centralized servers (cloud infrastructure) where the model operates. Even if providers claim strong security, the act of transmitting sensitive company information outside the organization’s own controlled environment inherently increases the risk of interception or unauthorized access—whether through cyberattacks, technical faults, or insider threats within the service provider.

2. Lack of True Data Isolation

Although reputable LLM providers often state that they do not use specific customer data to retrain their models, the complexity of cloud-based systems means absolute data isolation is difficult to guarantee. Misconfigurations or unclear data-handling policies may lead to inadvertent retention or logging of sensitive inputs, potentially exposing privileged material.

3. Jurisdictional and Regulatory Compliance

When data is sent to an LLM service, it may be processed in multiple jurisdictions, depending on the provider’s data center locations. This can trigger compliance issues with regulations such as the GDPR (EU), CCPA (California), or other data protection laws, particularly concerning cross-border data transfers and the duty to maintain data residency. Organizations may unknowingly breach legal obligations if they do not verify where and how their data is processed.

4. Ambiguity in Terms of Service

LLM service agreements often contain broad language regarding data use, disclaiming responsibility for certain risks. This lack of precision can leave organizations exposed if disputes arise over misuse of privileged information. Without explicit contractual safeguards, there is limited recourse if confidential data is compromised.

5. Risk of Misinterpretation or Loss of Context

LLMs may lack contextual understanding of sector-specific or legally sensitive terms, increasing the risk of inaccurate translation. For privileged company data, especially in legal, financial, or technical domains, a mistranslation can result in operational errors, legal liabilities, or reputational damage.

6. Insider Threats and Supply Chain Risks

Even with strong encryption and security measures, LLM providers are part of a larger supply chain. Insider threats (e.g., employees at the provider) and third-party service dependencies (e.g., subcontractors managing infrastructure) expand the attack surface and the potential for breaches.

7. Long-Term Data Retention Uncertainties

Questions often remain about how long LLM providers retain input data and under what conditions it may be archived, deleted, or repurposed. Lack of transparency in data retention practices raises concerns about long-term control over privileged company information.

"There you are!" said Danny-boy.

So, what is the solution to this problem if you're a CISO or head of risk for an organisation?

I pondered a response with the sort of irritation held by a man who is being ignored at the bar (I was).

Asking employees not to use tools that, from their perspective makes their life easier is an uphill task and I suspect, if history is anything to go by, will ultimately prove unsuccessful!

It's at this point that Danny-Boy's eye's lit up. "The solution" he said, "is an AI Data Firewall - and if you want to know what that is, you'll have to look at this...."

https://www.contextul.io/datafirewall

Broadsword out!

About The Impact Team

The Impact Team is a digital transformation consultancy that partners with organisations to enhance their digital products and services. Their expertise encompasses advising on team structures, managing design operations, and implementing governance frameworks, all with a focus on customer-centric solutions and effective execution.

Recognising the importance of continuous improvement, The Impact Team integrates change within organisations to swiftly respond to evolving market demands. They foster a culture of innovation and adaptability, embedding these principles into the organisational fabric.

In the realm of cybersecurity, they employ advanced technologies and best practices to protect data, systems, and networks from malicious attacks and vulnerabilities. This approach ensures that digital assets remain secure and resilient against evolving cyber risks.

The Impact Team operates globally, with offices in London, New York, Hong Kong, Tallinn, and Dubai, enabling them to deliver tailored digital transformation services across various regions.

Their mission is to empower organisations to thrive in the digital age while fostering a sustainable and responsible future. They are committed to providing ESG-friendly solutions that drive meaningful change and create value for clients, society, and the planet.

Through their comprehensive approach, The Impact Team aims to transform businesses by fine-tuning operations to achieve tangible, impactful results, ultimately contributing to business growth and success.

Articles

Slides from an AI Governance presentation with headers like "Who's in charge", and "What Happens If We Fail?"

🚨 Governing AI: The Global Challenge We Can't Afford to Get Wrong

May 7, 2025
AI is the future’s operating system, reshaping healthcare, finance, defense, and more. But as its power grows, so does the question: Who’s ensuring it’s safe? From the EU’s AI Act to the UAE’s bold AI Legislative Intelligence Office, global efforts are underway—but a governance gap looms. Here’s why we need bold action now to secure AI’s promise without risking its perils. #ResponsibleAI #AIGovernance
A lone parachutist glides above the tree tops across a snowy mountainous landscape

LLMs and Data Privacy - Broadsword calling Danny-Boy!

May 1, 2025
On a snowy mountain, two friends, parachuted in for charity, debated global business. Their friend dubbed, "The Colonel," aims to expand his software firm beyond Europe but faces language and cultural hurdles. Could AI language models unlock his ambitions? One saw efficiency; the other, privacy risks. LLMs promise fast translation of sensitive documents like RFPs but risk data breaches and regulatory violations. How can firms use AI safely?
Blurred reflection of a building in the windows of another

Regulatory Concerns with IT Controls in Identity and Access Management (IAM). How The Impact Team deliver value

October 14, 2024
Regulatory concerns around IT controls in Identity and Access Management (IAM) are vital to organisational security. Weak IAM controls can lead to non-compliance, data breaches, insider threats, and costly penalties. To mitigate these risks, organisations should prioritise IAM by adopting best practices like Zero-Trust, Multi-Factor Authentication, automated provisioning, and regular audits, ensuring compliance and safeguarding valuable data.
Landscape photograph of Tallinn, Estonia at sunset showing the convergence of modern and traditional architecture.

Estonia: Growth, Trends, Future Prospects and why The Impact Team have made this their Technology Centre of Excellence

September 14, 2024
The Impact Team chose Tallinn, Estonia, for its Software Engineering Centre of Excellence due to the city's role as a global tech hub. Known as the "digital republic," Estonia offers cutting-edge digital infrastructure, strong government support, and a thriving startup scene. With top engineering talent and home to companies like Skype and Wise, Tallinn is the perfect location to drive innovation for our global retail banking clients.
Image of red rooftops of Tallinn

Impact Team Commits to Tallinn

June 27, 2024
The Impact Team, a global leader in innovative technology solutions, is thrilled to announce the opening of its new IT Software Development Centre of Excellence in Tallinn, Estonia.This strategic move underscores The Impact Team’s commitment to driving technological advancement and delivering top-tier software solutions to its clients worldwide.
A new approach to IAM frameworks

How To Mature and Create an Effective IAM Framework

February 23, 2024
IAM framework should answer two questions: what users have access to and what that access allows. We offer a program to quickly address these questions, creating a top-down model of entitlement landscapes and constructing bottom-up user templates to enhance IAM processes efficiently and effectively.
Find Out More
arrow_circle_right

Let us make an impact on your next project

Whether you have a project in mind, are interested in working with us or just want to learn more about what we do, please get in touch.
By submitting this form, you consent to receive email communications from The Impact Team. You can unsubscribe at any time, and you can read about how we handle your data in our Privacy Policy.
Thanks for your message, we'll be in touch soon!
Sorry, Something went wrong while submitting the form. Please try again or drop us a line at [email protected].
© 2018 – 2024
The Impact Team.
All rights reserved.