PII (Personally Identifiable Information) includes names, email addresses, phone numbers, government IDs, credit card numbers, postal addresses, MRNs, SSNs and similar identifiers. Main risks when such data reaches an LLM:
- PII leaking through prompt/response logs, traces, or training data.
- Third-party providers processing PII in plaintext (OpenAI, Anthropic). A ZDR agreement limits retention and training use; it does not stop the provider from seeing the data in flight.
- Model memorization (for fine-tuned or self-trained models): the model can reproduce training records verbatim in later outputs.
- GDPR / CCPA / HIPAA violations, with heavy fines.
Protection strategy:
1. Minimize PII sent to LLMs (golden rule):
- Tokenize/redact before sending: replace PII with placeholders ([NAME_1], [EMAIL_1]) and keep the placeholder-to-value mapping only in your own process, never in the prompt or the logs. The LLM only sees placeholders; unmask the response afterwards. Libraries: Presidio (Microsoft), Pii-Codex, custom spaCy. Regex catches structured identifiers (email, phone, SSN); names and addresses need an NER-based recognizer such as Presidio's spaCy recognizers.
- Pseudonymize with a keyed hash (HMAC with a secret key) when the same person must be recognized across calls. An unkeyed SHA-256 of a phone number or SSN is not anonymous: the input space is small enough to brute-force the hash.
2. Providers with privacy commitments:
- Zero Data Retention (ZDR): OpenAI Enterprise, Anthropic, Google Vertex offer no storage and no training use. ZDR is usually a contract or account-level opt-in, not a default; confirm in the signed DPA which endpoints and features it covers.
- Azure OpenAI, AWS Bedrock: data stays in your chosen region, standard DPAs for GDPR, BAAs for HIPAA workloads. Note that "GDPR-compliant" is a property of your processing, not of the service.
- Self-host (vLLM, Ollama with Llama/Qwen): data never leaves your network, but you now own GPU ops, patching, and the same logging controls as below.
3. Output scanning: LLMs can generate PII (hallucinated emails and names, which may still belong to a real person) or regurgitate it from context or training data. Scan outputs before returning them: Presidio analyze + redact. Keep an allow-list of the values you yourself unmasked, otherwise the scanner strips the user's own data from the reply.
4. Logging & storage:
- Do not log raw prompts/responses containing PII. For debugging, log the placeholder version; use the keyed pseudonym when you need to correlate one user across requests.
- Retention policy: auto-delete logs per TTL (e.g. 30 days). Any LLM tracing/observability tool that stores prompts falls under the same policy.
- Encryption at rest + in transit.
- Access control: who can read logs, and is that access itself audited?
5. Training data: for fine-tuning, scrub the dataset first (Presidio + manual review). Models can memorize training data (duplicated records are memorized most readily), so unscrubbed records are a leak risk.
6. User consent & transparency:
- Clear privacy notice: which data goes where, how long it's kept, which providers see it.
- Data Subject Rights (GDPR): access and a copy of the data (Article 15), portability/export (Article 20), erasure (Article 17, "right to be forgotten"), opt-out of training. Erasure is hard to honour for data already baked into a fine-tuned model; plan for retraining from the scrubbed dataset.
- DPIA (Data Protection Impact Assessment) for AI features handling sensitive data.
7. Advanced techniques:
- Differential privacy in training: clip each example's gradient, then add calibrated noise, so no single record can move the model by more than a bounded amount.
- Federated learning for sensitive medical/financial data: raw data stays at the source, only model updates are shared.
- Homomorphic encryption / confidential computing (Intel SGX, AWS Nitro Enclaves): HE is too slow for practical inference; enclaves run near native speed but need attestation and enclave ops, so both are rarely used.
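Steps 1 and 3 above in code. This is an added example, not code from the page: it uses constructed regex detectors as an offline stand-in for Presidio, a hypothetical PiiMasker class that keeps the placeholder mapping in-process, an HMAC pseudonym for stable IDs (the keyed-hash caveat from step 1), and an output redactor with an allow-list for values that were legitimately unmasked. The provider call is simulated by a constructed fake_llm function.

```python
import hashlib
import hmac
import re

# Constructed regex detectors: an offline stand-in for a Presidio analyzer.
# They cover structured identifiers only; names and addresses need NER.
DETECTORS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def find_pii(text):
    """Return non-overlapping (start, end, kind, value) spans, left to right."""
    spans = sorted(
        (m.start(), m.end(), kind, m.group())
        for kind, rx in DETECTORS.items()
        for m in rx.finditer(text)
    )
    out, last_end = [], -1
    for span in spans:
        if span[0] >= last_end:  # keep the earliest match where spans overlap
            out.append(span)
            last_end = span[1]
    return out


class PiiMasker:
    """Hypothetical masker: PII -> placeholders on the way out, placeholders ->
    PII on the way back. The mapping lives only in this object, never in the
    prompt, the provider call, or the logs."""

    def __init__(self, secret: bytes):
        self._secret = secret  # key for stable, keyed pseudonyms
        self.mapping = {}      # placeholder -> original value
        self._reverse = {}     # original value -> placeholder
        self._counters = {}    # kind -> last index used

    def mask(self, text: str) -> str:
        pieces, pos = [], 0
        for start, end, kind, value in find_pii(text):
            placeholder = self._reverse.get(value)
            if placeholder is None:  # same value always gets the same placeholder
                n = self._counters.get(kind, 0) + 1
                self._counters[kind] = n
                placeholder = f"[{kind}_{n}]"
                self.mapping[placeholder] = value
                self._reverse[value] = placeholder
            pieces += [text[pos:start], placeholder]
            pos = end
        pieces.append(text[pos:])
        return "".join(pieces)

    def unmask(self, text: str) -> str:
        # Longest placeholders first so "[EMAIL_1]" never clobbers "[EMAIL_10]".
        for placeholder in sorted(self.mapping, key=len, reverse=True):
            text = text.replace(placeholder, self.mapping[placeholder])
        return text

    def pseudonym(self, value: str) -> str:
        """Stable ID for logs/analytics. Keyed (HMAC) on purpose: an unkeyed
        hash of a phone number or SSN is brute-forceable from the input space."""
        return hmac.new(self._secret, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact_output(text: str, allowed=()):
    """Output scan (step 3): redact PII in a model reply before it reaches the
    user, except values in `allowed` (the ones we unmasked ourselves)."""
    pieces, pos, findings = [], 0, []
    for start, end, kind, value in find_pii(text):
        if value in allowed:
            continue
        findings.append((kind, value))
        pieces += [text[pos:start], f"[REDACTED_{kind}]"]
        pos = end
    pieces.append(text[pos:])
    return "".join(pieces), findings


def handle_request(user_text: str, call_llm, secret: bytes):
    """Full round trip: mask -> provider -> unmask -> output scan."""
    masker = PiiMasker(secret)
    masked_prompt = masker.mask(user_text)  # what the provider sees and what is safe to log
    raw_reply = call_llm(masked_prompt)
    reply, findings = redact_output(masker.unmask(raw_reply),
                                    allowed=set(masker.mapping.values()))
    return {"masked_prompt": masked_prompt, "reply": reply, "leaked": findings}


def fake_llm(prompt: str) -> str:
    # Constructed stand-in for the provider: echoes the placeholder correctly
    # and also "remembers" an unrelated address, simulating regurgitation.
    return f"Sure, I will write to {prompt.split()[-1]} and cc bob@corp.example."


if __name__ == "__main__":
    result = handle_request("Contact me at alice@example.com", fake_llm, b"rotate-me")
    print(result["masked_prompt"])  # Contact me at [EMAIL_1]
    print(result["reply"])          # Sure, I will write to alice@example.com and cc [REDACTED_EMAIL].
    print(result["leaked"])         # [('EMAIL', 'bob@corp.example')]
```

The placeholder version of the prompt (masked_prompt) is the only thing that should ever reach the provider or a log line; the `leaked` findings are what you alert on, since anything the scanner removed that you did not put in yourself came from the model's context or weights.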
Pre-ship checklist: data flow diagram, PII inventory, DPIA, DPA with each provider, incident response plan (including how a provider-side breach notification reaches you), audit logs, team training on GDPR/CCPA/HIPAA.