5 Ways Generative AI Is Changing the Conversation Around Personal Data

Generative AI has rapidly transformed how organisations create content, analyse information, automate workflows and deliver services. From intelligent chatbots and virtual assistants to automated document generation and software development tools, generative AI is increasingly becoming part of everyday business operations. However, as organisations race to adopt these technologies, questions surrounding the collection, use and protection of personal data have become increasingly complex.

Recognising these challenges, Singapore’s Personal Data Protection Commission (PDPC) recently launched a public consultation on proposed advisory guidelines governing the use of personal data in generative AI systems. The consultation, discussed in both the Singapore generative AI personal data consultation and the official PDPC public consultation on generative AI guidelines, seeks to clarify how Singapore’s Personal Data Protection Act (PDPA) applies throughout the development, deployment and operation of generative AI systems.

Generative AI is creating new data protection challenges

Unlike traditional software applications, generative AI systems often rely on vast amounts of information gathered from multiple sources. Training datasets may contain personal data, publicly available information, user-generated content and information collected from online sources. The scale of these datasets creates unique challenges for data governance and compliance.

One of the most debated areas involves web scraping. Many AI developers rely on publicly available online content to train models. However, the line between publicly available information and information protected by digital barriers is becoming increasingly important. The proposed guidelines clarify that organisations should carefully consider whether information is genuinely public when content sits behind paywalls, registration requirements, authentication systems or other access restrictions.

This reflects a broader trend seen globally. Regulators increasingly recognise that technological capability does not automatically create a legal basis for collecting and using personal data. As AI systems become more powerful, organisations are expected to demonstrate greater accountability regarding how training data is obtained and processed.

Consent cannot become an afterthought

One of the most significant aspects of the proposed guidance relates to consent and transparency. The PDPC proposes that generic privacy notices may no longer be sufficient when organisations intend to use personal data for large-scale AI model training or fine-tuning.

Instead, organisations may need to provide AI-specific notices that clearly explain the categories of personal data involved, the purpose of processing, the intended functions of the model and how individuals can withdraw consent if applicable. This represents a meaningful shift in expectations.

For many organisations, consent mechanisms were originally designed for traditional business activities rather than machine learning systems. Generative AI introduces additional complexity because data may be used to develop capabilities that were not envisioned when the information was originally collected. The proposed guidance seeks to address this gap by emphasising meaningful transparency rather than broad disclosures that users may not fully understand.

This approach also aligns with broader international discussions around AI governance, where transparency is increasingly viewed as a cornerstone of responsible AI development.

Accountability extends across the entire AI lifecycle

Another notable aspect of the consultation is its emphasis on accountability throughout the AI value chain. The proposed guidance recognises that generative AI ecosystems often involve multiple stakeholders, including model developers, service providers, platform operators and end-user organisations.

Historically, responsibility for data protection has often been associated primarily with the organisation collecting the information. However, generative AI systems blur traditional boundaries. Data may pass through multiple entities before reaching an end user.

The proposed guidelines seek to clarify how responsibilities relating to retention, protection, purpose limitation and accountability should be allocated across different parties. This is particularly important because a single AI system may involve numerous vendors, cloud providers and integration partners.

For organisations deploying generative AI, understanding these responsibilities will become increasingly important when conducting vendor assessments, negotiating contracts and establishing governance frameworks.

The challenge of post-deployment rights management

One of the most technically challenging aspects of generative AI involves handling individual rights requests after a model has already been trained.

Traditional data protection processes often assume that personal data can be identified, corrected or removed relatively easily. Generative AI models complicate this assumption because information may become embedded within training datasets, model parameters, embeddings and temporary context windows.

The PDPC’s proposed guidance acknowledges these technical realities while still emphasising the importance of responding appropriately to access and correction requests. This balanced approach reflects a growing recognition that AI governance requires practical solutions rather than purely theoretical expectations.

As organisations continue integrating AI into customer-facing services, they will need robust processes for managing personal data requests while understanding the limitations of current AI architectures.

AI governance is becoming a competitive advantage

Many organisations still view compliance primarily as a regulatory obligation. However, the emergence of generative AI is changing this perspective. Customers, partners and regulators increasingly expect organisations to demonstrate responsible AI practices alongside strong data protection controls.

Trust is becoming a differentiator. Organisations that can clearly explain how personal data is used, protected and governed within AI systems are likely to enjoy greater confidence from stakeholders. Conversely, organisations that fail to address transparency concerns may face reputational and regulatory challenges.

This shift means that AI governance should not be viewed solely as a legal requirement. It is increasingly becoming part of broader risk management, corporate governance and stakeholder trust strategies.

The organisations that succeed in the AI era will likely be those that balance innovation with accountability rather than treating the two as competing priorities.

How Privacy Ninja helps organisations navigate generative AI risks

As generative AI adoption accelerates, organisations require practical guidance to navigate evolving regulatory expectations and emerging data protection challenges. Privacy Ninja helps organisations establish governance frameworks that support both innovation and compliance.

Our DPO-as-a-Service (DPOaaS) assists organisations in understanding their obligations under the PDPA, reviewing AI-related data processing activities and developing appropriate policies and procedures. We help organisations evaluate consent mechanisms, privacy notices, vendor arrangements and accountability structures that may be impacted by AI deployments.

Privacy Ninja also provides Vulnerability Assessment and Penetration Testing (VAPT), cybersecurity advisory services and data breach management support to strengthen the security and resilience of systems supporting AI initiatives. By combining data protection expertise with cybersecurity capabilities, we help organisations build trustworthy AI programmes that align with evolving regulatory expectations.

Generative AI is reshaping industries, creating new opportunities for innovation, efficiency and growth. At the same time, it is challenging long-established assumptions about how personal data is collected, used and governed.

Singapore’s proposed guidelines represent an important step towards clarifying how existing data protection principles apply within modern AI environments. The consultation highlights key issues surrounding consent, transparency, accountability and post-deployment rights management that organisations can no longer afford to ignore.

As regulatory expectations continue to evolve globally, organisations that invest early in strong data protection and AI governance practices will be better positioned to innovate responsibly. The future of generative AI will not be determined solely by technological capability, but also by the ability to build systems that are transparent, accountable and worthy of public trust.
