Not a week goes by without AI making headline news, one of the latest items being the landmark EU AI Act entering into force on 1 August 2024 (as discussed in this blog). Business uptake of AI continues to increase at pace, with a nearly 40% increase in UK companies reporting use of AI between 2022 and 2023, according to IBM research. But what impact is this all really having on in-house privacy teams, and how can they best ensure they are facilitators rather than blockers of AI and innovation?
Challenges posed by the current landscape
While AI has been a focus for data privacy regulators for some time, with extensive guidance produced by the ICO for example, it often remains difficult to find straightforward solutions to the challenges posed. Many of the ‘meatier’ issues haven’t been fully addressed in regulatory or court decisions yet, and guidance (including from non-data regulators) is evolving. For example, the ICO’s guidance on genAI is still at the consultation stage, as we discuss here. In any case, privacy teams must apply the guidance to the facts of each use case, and they are often under increasing pressure to do so within short time frames driven by business appetite for AI tools.
Evolving roles in AI governance
Experience and skills built up by privacy teams over the years mean that many of them are being called upon to lead on, or at least be heavily involved with, AI. Having said that, responsibilities and reporting lines vary extensively between businesses. Regardless of precise structuring, it is crucial privacy teams avoid working in silos as AI (and genAI in particular) requires cross-team working, including with technical and specialist project teams.
Routes forward? Leveraging existing GDPR compliance for AI (and vice-versa)
Privacy compliance programmes can be leveraged to cover AI: for example, DPIAs and supplier onboarding processes can be expanded to avoid duplication of documentation. There are also opportunities to leverage the business interest in AI to create a more proactive environment where privacy teams become involved early on, helping assess risk and ensuring privacy by design. While there is as yet no consensus that the EU AI Act will become the global gold standard for AI, aspects of the Act are likely to filter through the market and inform compliance even by those not caught by its scope.
We explore each of these issues further in our latest briefing, How should privacy teams manage AI? It takes a village, first published in the July 2024 edition of the Privacy Laws & Business UK report.