Purpose Limitation Compliance with OpenAI

Jun 20, 2023
May 15, 2024
Alona Getzler
Purpose Limitation Compliance with OpenAI

You register an IoT device, subscribe to a video-on-demand service, or arrange travel. These activities collect personally identifiable information. Some of these activities, like registering the IoT device, utilize the data it’s been fed to generate more data about your movements, heart rate, and calories burned. The newly generated data then ties back to you, a single, identifiable individual.

As an individual, you may ask when does the collection of information about you stop? As part of an organization, you may ask how this information can be utilized to better serve your customers? Left unchecked, data can continue to amass with no defined end date. It can be used for a myriad of reasons by whoever accesses it. 

But there are guardrails to reign in how data is collected and used. These guardrails are expressed through the principle of “purpose limitation.” 

Background on Purpose Limitation

Purpose limitation is the principle that PII collected for a given purpose may not be used for a different purpose. The principle is also known as “business purpose.”  And like many principles written into the laws, it has been subject to different interpretations from those who define it.

There are also exceptions. According to GDPR Article(5)(1)(b), further processing of PII may be permitted when the reason is not “incompatible with the initial purposes” and for “archiving purposes in the public interest.” The GDPR is not the only law that provides workarounds or attempts to define the principle. Purpose limitation is found in many data privacy laws, frameworks, and standards, though the exact language and interpretation of the principle varies:

  • General Data Protection Regulation (GDPR) - PII must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • NIST Privacy Framework - organizations must identify the purposes for collecting and using PII.
  • Federal Trade Commission (FTC) Act, Section 5 - organizations must disclose their data collection practices, including the purposes for which they collect and use PII.

Cyera's AI-powered Data Security Platform to Understand Purpose 

Capturing data collection and usage purpose has never been easier. By incorporating Azure OpenAI into the Cyera Data Security Platform, we automatically analyze user access and surface the purpose for certain types of users. 

When it comes to monitoring access, seeing the list of users who can access the data is a start. But when you look at the usernames such as “Marketing-user,”  do you really know who they are and why they are accessing the data? 

We distinguish whether “Marketing-user” is an actual human user or machine user. When analyzing a machine user, we describe the purpose for access. This is possible because machine users provide services within the cloud that our OpenAI model captures and describes in human-readable language. 

Here are some examples of how we describe machine user purposes for accessing data:

  • EU-OLM-service’s purpose is for managing and customizing online learning management systems in the EU region. 
  • Dynamics-powerbi’s purpose is for creating and managing Power BI reports and dashboards. 
  • Marketing-user’s purpose is for generating and distributing company brochures.
  • Microsoft365-service’s purpose is for managing and customizing Microsoft Dynamics 365 applications in the EU region.
  • Geo-service’s purpose is for mapping and geographic analysis services. 

Cyera enables you to analyze metadata about the users without having to log into your different cloud accounts to retrieve this information. The purposes are also easily understood by just about anyone, without having to engage a technical resource to interpret why the machine user is accessing the data.


As the volume of PII collection grows, it is even more important to adhere to the principle of purpose limitation. Cyera’s AI-powered Data Security Platform can help you comply with purpose limitation requirements by analyzing user access and surfacing the purpose in certain circumstances. 

Cyera takes a data-centric approach to security, assessing the exposure to your data at rest and in use and applying multiple layers of defense. Because Cyera applies deep data context holistically across your data landscape, we are the only solution that can empower security teams to know where their data is, what exposes it to risk, and take immediate action to remediate exposures and assure compliance without disrupting the business.

To learn more about how Cyera’s AI-powered Data Security Platform model can help you drive greater insights with ease, schedule a demo today.