The best path forward may not always be clear, so educating stakeholders on the policies and principles is critical, and a “trade-off framework” should be developed to help work through conflicts.
Lastly, having line of sight into data use in connection with AI across the organization is critical for monitoring data ethics compliance. Since data privacy concerns extend to suppliers and other third parties, they should also be contractually required to disclose when AI is used in any solutions or services.
4. Report data privacy and ethics risks at board level
Stakeholders will need to work together to help the board understand and mitigate the risks associated with AI and make strategic decisions within an overarching ethical framework. Responsibility is often divided between the Data Protection Officer (DPO) or Chief Privacy Officer (CPO) – who will possibly have responsibility for data ethics – and the Chief Data Officer (CDO). Some organizations may want to go further and appoint a Chief AI Officer (CAIO). Together, these senior leaders will need to help ensure the right checks and balances are in place around the ethical uses of data in AI.
5. Expand horizon scanning to include customer sentiment
In April 2023, Italy became the first Western country to (temporarily) block an advanced GenAI chatbot amidst concerns over the mass collection and storage of personal data.³ Japan’s privacy watchdog also spoke out, warning it not to collect sensitive data without people’s permission.⁴
Such actions can, at a stroke, destroy the value of investments in AI. Systematic forward-looking analysis or horizon scanning is vital to reduce the uncertainty of regulatory change and help avoid unexpected developments. But it’s not just about regulations – companies also need to stay in touch with what customers are thinking about AI usage and data privacy. Stay ahead of regulators by talking to your customers regularly to understand acceptable limits and “no-go” areas.
6. Invest in compliance and training
In a relatively short time, interest in using AI has multiplied, putting pressure on employees across organizations to understand the implications of its use and the impact on data privacy. Many organizations may have to hire additional specialists as well as train and upskill existing compliance teams, combining on-the-job with theoretical studies.
It’s especially important to train employees in AI-facing roles such as developers, reviewers and data scientists, helping them understand the limitations of AI, where AI is prone to error, appropriate ethics and how to complement AI with intervention from a person. In addition to operational guidance on implementing AI controls, you will need to create a mindset that balances innovation with an appreciation of data privacy and ethics.
EY member firms do not practice law where not permitted by local law or regulation.