The Role of Privacy in AI Governance

Organizations are dedicating large budgets to “AI” without necessarily knowing how to govern AI or where to start. To lower compliance costs for the organization and to avoid reinventing the wheel, the Privacy Function can and will play a pivotal initial role in building the required AI governance framework.

The Role of the Privacy Function in Accountable AI and Use  

There is no AI without Privacy. AI is all about data, and personal data will inevitably be a part of the massive amounts of data required to build, use and deploy AI systems. Many of the requirements for data under the EU AI Act overlap with the requirements under GDPR (by design and default, impact assessments, risk assessments, incident handling, etc.), and the privacy officer's familiarity with these makes it easier to quickly assess the requirements that the AI Act demands. In addition to complying with the new rules under the EU AI Act, GDPR still applies in parallel to the same data processing, and the respective assessments need to go hand in hand. Privacy officers are also used to dealing with contextual situations, ensuring transparency, assessing ethical aspects of data processing and, importantly, building accountable and trustworthy privacy governance frameworks, all of which are also applicable in an AI governance context.

The Relevance of your Organization’s Size, Location and Nature of the Business in Managing your Organization’s Risk Profile  

The AI governance framework should be tailored to the organization’s scale, industry, resource availability, and strategic goals to effectively manage risks and ensure responsible AI use.  By aligning the governance framework with these factors, organizations can ensure that AI technologies are developed and deployed in a manner that supports business objectives while adhering to ethical standards and regulatory requirements.

Ulrika Dellrud

Large organizations with diverse and complex AI operations will require a more comprehensive AI governance framework, whereas Small to Medium Enterprises (SMEs) may have fewer AI applications and can focus on key risk areas without the need for extensive bureaucracy.  Similarly, if the organization is in a heavily regulated industry, the AI governance framework will need to address additional strict regulatory requirements, whereas for organizations where AI is not central to the business model, the governance framework may focus on minimizing risks in specific applications without needing extensive oversight across all business functions. 

Benefits and Pitfalls of Working in AI beyond Personal Data  

The existing scope and mandate of the Privacy function offers much of the knowledge required for an AI governance framework. It can positively influence ethical AI development and help shape AI policies, which has an important strategic impact, contributing to building trust while also giving the function the ability to stay at the forefront of both technology and privacy law.

However, going beyond personal data brings with it a number of pitfalls, including the complexities of navigating other areas of law and compliance, dealing with a constantly changing regulatory landscape, and balancing innovation with privacy. To gain a better grasp of the world of AI, individuals will need to grow their remit into other less familiar areas and think beyond their current expertise.

 

Effective Collaboration between Key Stakeholders and the AI Function  

Even if Privacy may initially play an important role in AI governance, it is imperative that the various key stakeholders (e.g. procurement, legal, security, privacy, compliance, risk, business, finance, etc.) in the organization collaborate effectively through cross-functional teams for the successful integration of AI into the organization. To accomplish this, and as the overarching umbrella, executive sponsorship for joint AI initiatives needs to be secured in order to ensure they are prioritized and resourced appropriately while, at the same time, ensuring that the AI projects align with the organization’s goals and objectives.

During the upcoming ISACA Europe Conference 2024 on October 23 – 25, Ulrika Dellrud will further explore the topic of “The Role of Privacy in AI Governance” together with co-panelist Punit Bhatia.

For more information on the ISACA Europe Conference 2024 and to register, visit ISACA Europe Conference.