K
Kathleen Martin
Guest
The world is powered by data and technology. With all the focus and new legislation on data privacy, organizations need to keep governance at the forefront when reconciling the use of emerging technologies with compliance and privacy considerations. One area where this becomes particularly important is when organizations utilize platforms, solutions, and other technologies powered by artificial intelligence (AI) for business purposes. Some examples include creditors automating decisions on consumer approvals or employers using AI technology to assist with hiring determinations. The question becomes what framework should be placed around these processes and how can organizations implement some level of governance to avoid violations under laws like the EU’s General Data Protection Regulation (GDPR), Singapore, Malaysia, and Thailand’s Personal Data Protection Act (PDPA), Korea’s Personal Information Protection Act (PIPA), or China’s Personal Information Security Specification or overall data mismanagement that can result in a myriad of other issues?
Keep reading for help on how to answer these big questions.
Getting a Better Grasp on AI
In order to make smarter governance decisions, the first step is expanding knowledge about how AI operates. While it is not necessary to be an algorithm expert, it is important to understand that this technology has the potential to bank an extremely large amount of consumer data that, in turn, can trigger various compliance obligations. Organizations using AI for business functions already understand the basics: this machine learning technology utilizes trained algorithms that grow to detect trends and automate a variety of human tasks. However, to improve AI governance, there needs to be a larger focus on the data that AI systems rely upon to make inferences. Where does this information come from? What are the collection and storage protocols? Are the resulting patterns accurate? Most importantly, what is happening with sensitive consumer data? These are all questions to evaluate to minimize the chance that AI usage runs afoul of legal obligations, especially those rooted in privacy. Having a handle on this aspect of AI will also contribute to stronger information governance practices. When an organization better understands the tools it deploys in the regular course of business, there is more insight into what data they collect and store. This will strengthen information governance, bring unknown obligations to the surface, and lessen the risk of noncompliant behavior.
Data Governance
As organizations navigate through the digital age and data boom, governance should be a top concern. When dealing with AI technology, there needs to be a greater level of accountability and transparency. Organizations can look to their general data privacy framework and expand it to consider unique AI challenges. Pay close attention to compliance obligations under privacy laws and determine how AI fits into that. One definite issue to address is that there could be a bunch of private consumer data living on a company server simply because an algorithm made an inference. If this data is accurate, then there is the concern of failing to obtain consumer consent (which violates the GDPR and other new privacy laws). If that data is inaccurate, then according to these laws consumers should be able to challenge the inferences made about them.
So, how can organizations remedy this moving forward? There needs to be a mixture of preventative measures and auditing deployed. As touched on above, the first step is setting a specific framework around privacy and AI to provide guidelines on how to handle collected consumer data and the resulting inferences. Proper responses – like whether to delete and retain data or provide consumer notification – will be situation dependent. Take the example of a company using AI to help with recruiting and hiring new talent. A process like this has the potential to acquire tons of sensitive data and make inferences about why someone is suitable or unqualified for a certain position. Including a data retention timeline or notification to potential applicants that a profile will be generated could be two key components of an AI privacy framework and help spark the creation of information policies for all people within the organization using these solutions to follow. In general, self-reporting can address several consumer privacy issues that AI usage poses for organizations.
Next, there needs to be some level of governance around what is done with sensitive data. One option is creating GDPR-type protocols that grant consumers the right to delete data collected by these solutions and to challenge inaccurate inferences that AI makes about them. Using the recruiting example, say some bad data is fed into the solution that then renders the individual unqualified for the job. Allowing potential applicants access to this information or the right to request human review are ways to uphold the principle of accuracy. It also allows a level of screening while still keeping the advantages of using AI for a task, like cutting down on the time it takes to completely manually review a project. Other suggestions for AI governance include conducting internal audits, creating steering committees, appointing individuals to review AI ethics within the organization, periodic check-ins with employees to ensure they are following AI privacy policies and protocols, updated education on new technologies or changing compliance obligations, performing risk assessments, and clearly defining objectives in AI project plans.
Continue reading: https://www.legalbusinessonline.com/node/83326
Keep reading for help on how to answer these big questions.
Getting a Better Grasp on AI
In order to make smarter governance decisions, the first step is expanding knowledge about how AI operates. While it is not necessary to be an algorithm expert, it is important to understand that this technology has the potential to bank an extremely large amount of consumer data that, in turn, can trigger various compliance obligations. Organizations using AI for business functions already understand the basics: this machine learning technology utilizes trained algorithms that grow to detect trends and automate a variety of human tasks. However, to improve AI governance, there needs to be a larger focus on the data that AI systems rely upon to make inferences. Where does this information come from? What are the collection and storage protocols? Are the resulting patterns accurate? Most importantly, what is happening with sensitive consumer data? These are all questions to evaluate to minimize the chance that AI usage runs afoul of legal obligations, especially those rooted in privacy. Having a handle on this aspect of AI will also contribute to stronger information governance practices. When an organization better understands the tools it deploys in the regular course of business, there is more insight into what data they collect and store. This will strengthen information governance, bring unknown obligations to the surface, and lessen the risk of noncompliant behavior.
Data Governance
As organizations navigate through the digital age and data boom, governance should be a top concern. When dealing with AI technology, there needs to be a greater level of accountability and transparency. Organizations can look to their general data privacy framework and expand it to consider unique AI challenges. Pay close attention to compliance obligations under privacy laws and determine how AI fits into that. One definite issue to address is that there could be a bunch of private consumer data living on a company server simply because an algorithm made an inference. If this data is accurate, then there is the concern of failing to obtain consumer consent (which violates the GDPR and other new privacy laws). If that data is inaccurate, then according to these laws consumers should be able to challenge the inferences made about them.
So, how can organizations remedy this moving forward? There needs to be a mixture of preventative measures and auditing deployed. As touched on above, the first step is setting a specific framework around privacy and AI to provide guidelines on how to handle collected consumer data and the resulting inferences. Proper responses – like whether to delete and retain data or provide consumer notification – will be situation dependent. Take the example of a company using AI to help with recruiting and hiring new talent. A process like this has the potential to acquire tons of sensitive data and make inferences about why someone is suitable or unqualified for a certain position. Including a data retention timeline or notification to potential applicants that a profile will be generated could be two key components of an AI privacy framework and help spark the creation of information policies for all people within the organization using these solutions to follow. In general, self-reporting can address several consumer privacy issues that AI usage poses for organizations.
Next, there needs to be some level of governance around what is done with sensitive data. One option is creating GDPR-type protocols that grant consumers the right to delete data collected by these solutions and to challenge inaccurate inferences that AI makes about them. Using the recruiting example, say some bad data is fed into the solution that then renders the individual unqualified for the job. Allowing potential applicants access to this information or the right to request human review are ways to uphold the principle of accuracy. It also allows a level of screening while still keeping the advantages of using AI for a task, like cutting down on the time it takes to completely manually review a project. Other suggestions for AI governance include conducting internal audits, creating steering committees, appointing individuals to review AI ethics within the organization, periodic check-ins with employees to ensure they are following AI privacy policies and protocols, updated education on new technologies or changing compliance obligations, performing risk assessments, and clearly defining objectives in AI project plans.
Continue reading: https://www.legalbusinessonline.com/node/83326
