Conduct an AI Privacy Risk Assessment

Navigate AI privacy and data concerns with a comprehensive privacy impact assessment.

EXECUTIVE BRIEF

Analyst Perspective

Effective data privacy strategy leads to well-designed AI implementation.

The age of Exponential IT (eIT) has begun, with AI leaving the realm of science fiction and becoming an indispensable tool for business operations. It offers immense benefits but introduces ethical responsibilities and stringent compliance requirements, particularly when handling personal data. Organizations may become vulnerable to hefty fines and reputational risks if these requirements are not met.

Trust is a cornerstone of successful business relationships. Aligning AI technology with a privacy strategy generates trust among customers and stakeholders. Privacy-conscious consumers actively seek out businesses that prioritize data protection, offering organizations a competitive edge. Building trust through data privacy will strengthen your organization's market position. It will also encourage responsible innovation and collaboration by enabling secure and ethical data sharing with your business partners.

Data quality is pivotal for AI system performance. Aligning AI objectives with privacy requirements will enhance your data validation and quality checks, resulting in more effective AI models. Additionally, a proactive approach to data privacy will position your organization to be adaptable as regulations and consumer expectations evolve.

Prioritizing data privacy compliance emphasizes an organization's commitment to responsible data practices and risk management. Organizations that integrate AI with a privacy strategy will be better equipped for long-term success in a data-centric world while upholding individual privacy rights.

Safayat Moahamad
Research Director, Security Practice
Info-Tech Research Group

Executive Summary

Elevate your AI innovation by embedding privacy. As AI and privacy evolve, adapting PIAs is essential. Expanding the scope to include data governance for AI, incorporating ethical dimensions, fostering diverse stakeholder participation, and taking a continuous improvement approach to risk assessment is crucial for responsible AI implementation.

Your Challenge

This research is designed to help organizations who are facing these challenges and are looking to/need to:

• Develop a set of relevant use cases for AI implementation based on the industry and nature of the organization’s business.
• Eliminate inefficiencies by streamlining less skilled tasks through use of AI.
• Retain trust of workforce and consumers through ethical AI implementation.
• Create or revise the current data governance structure within the context of the business.
• Align data privacy practices of the organization with the scope of the external regulatory environment.
• Ensure that data privacy becomes a standard preplanning process involved in all technology implementation projects.

65%

65% of consumers have lost trust in organizations over their AI practices.

92%

92% of organizations say they need to be doing more to reassure customers about how their data is being used in AI.

96%

96% of organizations agreed they have an ethical obligation to treat data properly.

Source: Cisco, 2023

“As artificial intelligence evolves, it magnifies the ability to use personal information in ways that can intrude on privacy interests by raising analysis of personal information to new levels of power and speed.”

– Cameron Kerry, MIT Scholar, in Brookings, 2020

Data privacy: An enabler of AI

Data privacy measures enhance the efficacy and integrity of AI systems.

Data privacy and protection regulations, such as the EU’s GDPR, call into question many of the key data principles that AI is also subject to, including:

• Profiling
• Automating
• Minimizing
• Defined Period of Retention
• Transparency
• Right to Explanation
• Purpose or Intent
• Consent

While these concepts may appear contradictory when applied to AI-powered technologies, they are fundamental in ensuring the effective deployment of AI systems. Without data privacy best practices and principles of data governance, AI is like a ship without a compass.

50%

50% of organizations are building responsible AI governance on top of existing, mature privacy programs.

60%

60% of organizations stated AI impact assessments are conducted in parallel to privacy assessments.

40%

49% combine their algorithmic impact assessments with their existing process for privacy or data protection impact assessments.

Source: IAPP, 2023

Integrating responsible AI: Approach of business leaders

The rapid proliferation of AI is met with trepidation as business leaders carefully examine the challenges associated with implementation.

55%

55% of business leaders state that they are taking steps to protect AI systems from cyberthreats and manipulations.

41%

41% of business leaders are conducting reviews to be sure that third-party AI services meet standards.

52%

52% of business leaders state that they are taking steps to ensure AI-driven decisions are interpretable and easily explainable.

Source: ”2022 AI Business Survey,” PwC, 2022

Data strategy drives AI readiness.

57% of business leaders say they are taking steps to confirm their AI technology is compliant with applicable regulations.

Data governance is a key strategy for effectively managing data and keeping information protected.

Info-Tech Insight

Know your data and governance environment before you act. Scope the potential data that will be impacted and ensure appropriate controls are in place.

Responsible AI guiding principles

Without guiding principles, outcomes of AI use can be negative for individuals and organizations.

Data Privacy

AI systems must respect and safeguard individuals' privacy by addressing potential privacy impacts and implementing protective measures for sensitive data.

Explainability and Transparency

Individuals impacted by the AI system’s outputs must be able to comprehend the logic and why similar situations may yield different outcomes. Organizations have a duty to make AI system development, training, and operation understandable.

Fairness and Bias Detection

AI must align with human-centric values, which encompass core principles such as freedom, equality, fairness, adherence to laws, social justice, consumer rights, and fair commercial practices.

Accountability

This involves the responsibility of organizations and developers to ensure the expected functionality of AI systems they create, manage, or use, in line with their roles and relevant regulations, demonstrated through their actions and decision making.

Validity and Reliability

AI systems must function effectively under various use conditions and contexts. It involves assessing potential failure scenarios and their consequences.

Security and Safety

AI systems must not create undue safety risks, including physical security, throughout their lifecycle. Regulations on consumer and privacy protection define what constitutes unreasonable safety risks.

Source: Build Your Generative AI Roadmap

"On an operational level, there are several ways privacy processes are used for responsible AI. AI impact assessments are typically merged or coordinated with privacy impact assessments.”

– IAPP, 2023

Microsoft case study: Responsible use of technology

INDUSTRY: Technology
SOURCE: World Economic Forum, 2023

In 2016, Microsoft grappled with challenges following the chatbot Tay racism fiasco. The experience motivated the company to incorporate ethics into its product innovation process. Microsoft acknowledges the profound influence of technology, advocating for responsible technology development to benefit society.

The company established six core ethical principles for AI: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability.To translate these principles into practice, Microsoft outlined steps to support the development of ethical AI systems. Sensitive cases require reporting. In 2019, Microsoft introduced a responsible AI training course, mandatory for all employees.

Now, the company employs practical tools to facilitate ethical technology development which includes impact assessments and community jury, among others.

This shift promoted innovation and encouraged ethical considerations regarding technology's impact on society and recognizes the urgency of addressing the issue.

Material impact on Microsoft’s business processes include:

• Judgment Call: A team activity where participants take on different roles to simulate product reviews from various stakeholder perspectives. This promotes empathy, encourages ethical discussions, and supplements direct stakeholder interactions in the product design process.
• Envision AI: A workshop that employs real scenarios, instilling a human-centric AI approach and ethical considerations, empowering them to understand and address the impacts of their products on stakeholders.
• Impact Assessments: Impact assessments are compulsory for all AI projects in its development process. The completed assessments undergo peer and executive review, ensuring the responsible development and deployment of AI.
• Community Jury: A method for project teams to engage with diverse stakeholders who share their perspectives and discuss the impacts of a product. A group of representatives serve as jury members, and a neutral moderator facilitates the discussion, allowing participants to jointly define opportunities and challenges.

Additionally, Microsoft utilizes software tools aimed at understanding, assessing, and mitigating the ethical risks associated with machine learning models.

Nvidia: A case for privacy enhancing technology in AI

INDUSTRY: Technology (Healthcare)
SOURCE: Nvidia, n.d.; eWeek, 2019

Leading player within the AI solution space, Nvidia’s Clara Federated Learning provides a long-awaited solution to a privacy-centric integration of AI within the healthcare industry.

The solution safeguards patient data privacy by ensuring that all data remains within the respective healthcare provider’s database, as opposed to moving it externally to cloud storage. A federated learning server is leveraged in order to share data, completed via a secure link. This framework enables a distributed model to learn and safely share client data without risk of sensitive client data being exposed and adheres to regulatory standards.

Clara is run on the NVIDIA EGX intelligent edge computing platform. It is currently in development with healthcare giants such as the American College of Radiology, UCLA Health, Massachusetts General Hospital, as well as King’s College London, Owkin in the UK, and the National Health Service (NHS).

Nvidia provides solutions across its product offerings, including AI-augmented medical imaging, pathology, and radiology solutions.

Personal health information, data privacy, and AI

• Global proliferation in data privacy regulations may be recent, but the realm of personal health information is most often governed by its own set of regulatory laws. Some countries with national data governance regulations include health information and data within special categories of personal data.
  • HIPAA – Health Insurance Portability and Accountability Act (1996, United States)
  • PHIPA – Personal Health Information Protection Act (2004, Canada)
  • GDPR – General Data Protection Regulation (2018, European Union)
• This does not prohibit the injection of AI within the healthcare industry, but it calls for significant care in the integration of specific technologies due to the highly sensitive nature of the data being processed.

Info-Tech’s methodology for AI and data protection readiness

Insight Summary

Implement responsible AI

Elevate your AI innovation by embedding privacy. As AI and privacy evolve, adapting PIAs is essential. Expanding the scope to include data governance for AI, incorporating ethical dimensions, fostering diverse stakeholder participation, and taking a continuous improvement approach to risk assessment is crucial for responsible AI implementation.

Assess the changing landscape

Learn from those who paved the way before you. Once you've determined your organization's privacy strategy, analyze various use cases specific to your industry. Assess how leaders in your sector have incorporated AI technology with privacy considerations, successfully or unsuccessfully. Draw from both sets of results and strategies to get your organization ready while eliminating unsuitable use cases.

Embrace a privacy-centric approach

Prioritize data privacy as an integral part of your organization's values, operations, and technologies in the AI-driven future. This approach is essential for responsible AI implementation. It will offer insight and awareness for aligning AI with your current processes, data landscape, regulatory requirements, and future goals. A privacy-centric approach will enable your technology to achieve compliance and trust.

Be precise

Narrow down the potential ways AI can improve existing operations in your environment in order to drive efficiencies.

Govern your data

Know your data and governance environment before you act. Scope the potential data that will be impacted and ensure appropriate controls are in place.

Blueprint benefits

IT Benefits

• An updated understanding of the different types of AI and relevant industry-specific use cases.
• Perspective from a privacy lens on mitigating data privacy risk through IT best practices.
• Guidance on completion of impact assessments that validate the integration of AI technology within the organization’s environment.
• Knowledge around core AI vendor solutions that maintain a privacy-first approach based on integration of explainability.
• Data privacy best practices and how AI technology can support a privacy-centric environment.

Business Benefits

• Overview of the different types of AI and how they drive business efficiency in isolation or in combination.
• Understanding of the scope of data privacy regulations within the context of the organization.
• Comprehensive outlook around data privacy best practices that enable effective AI integration.
• Ability to leverage privacy as a competitive advantage in streamlining how customer data flows through the organization.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is four to six calls over the course of four to six months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Measure the value of this blueprint

As AI technology continues to augment organizational capabilities and drive efficiency, business and IT leaders must look to integrate appropriate use cases in a responsible manner that accounts for data privacy and protection regulatory obligations.

A privacy impact assessment approach ensures organizations remain compliant and can effectively implement AI technologies in a way that applies to the specific business environment.

Info-Tech’s data privacy and AI project steps

1. Coordinate internal stakeholders to identify privacy and AI tech drivers.
2. Evaluate use cases and review data governance structure and data privacy program strategy.
3. Assess the privacy implications of implementing AI technology.

“Artificial intelligence is already altering the world and raising important questions for society, the economy, and governance.”

– Brookings, 2018

Info-Tech Project Value

Note: The duration of a privacy impact assessment (PIA) can vary depending on the complexity of the project and the data involved. It can take several weeks to a few months. For the purposes of this blueprint, projects are assumed to be of moderate complexity.

Phase 1

Identify Privacy Drivers for Your Business

Phase 1

Identify Privacy Drivers for Your Business

This phase will walk you through the following activities:

• Define your data privacy drivers

This phase involves the following participants:

• Privacy officer
• Senior management team
• IT team lead/director
• PMO or PMO representative
• Core privacy team
• InfoSec representative
• IT representative

1.1 Define your data privacy drivers

1 hour

1. Bring together a large group comprised of relevant stakeholders from the organization. This can include those from the following departments: Legal, HR, Privacy, Finance, as well as those who handle personal data regularly (Marketing, IT, Sales, etc.).
2. Using sticky notes, have each stakeholder write one driver for the privacy program per sticky note. Examples include:
   • Create clear lines about how the organization uses data and who owns data
   • Clear and published privacy policy (internal)
   • Revised and relevant privacy notice (external)
   • Clarity around the best way to leverage and handle confidential data
   • How to ensure vendor compliance
3. Collect these and group together similar themes as they arise. Discuss with the group what is being put on the list and clarify any unusual or unclear drivers.
4. Determine the priority of the drivers. While they are all undoubtedly important, it will be crucial to understand which are critical to the organization and need to be dealt with right away.
   • For most, any obligation relating to an external regulation will become top priority. Noncompliance can result in serious fines and reputational damage.
5. Review the final priority of the drivers and confirm current status.