Navigating generative AI and compliance


December 14, 2023 - Generative AI systems are accelerating business outcomes and impacting a wide range of industries, from marketing to healthcare, product design to finance. Gartner highlights that 45 percent of organizations are scaling generative AI across multiple business functions, with customer-facing functions seeing the highest investment.

The use of these innovative models is continuing to grow and reshape business operations, and with this comes a myriad of new privacy compliance challenges. According to Salesforce’s Generative AI Snapshot Research Series, 60 percent of employees surveyed are uncertain how to use the technology while ensuring data is safeguarded. This reiterates a need for industry leaders to become front-line defenders of data security and embrace innovation responsibly.

Impacts of generative AI

The increase in AI-generated content has brought a surge in data volumes and placed ethical considerations under the spotlight. Issues such as misinformation, bias amplification, and privacy violations are becoming inherent to the technology, and 58 percent of employees feel that ethical use guidelines for AI would be beneficial.

Generative AI also introduces challenges around consent. The nuanced aspects of data use, secondary or further data use, and complex data processing activities demand a robust approach to data governance to ensure compliance.

Role of regulations

Despite AI introducing new challenges, the fundamental principles of data protection, including accountability, transparency, data minimization, security, and ethical considerations, remain.

Privacy laws, including the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act in California, US, are essential to address ethical concerns, requiring AI systems to align with existing laws on how personal data is handled. International harmonization of data protection laws and emerging AI regulations is becoming a shared responsibility. Collaborative efforts can simplify the compliance landscape for organizations operating globally, ensuring consistent protection for international clients. (Read How EU regulations are shaping digital standards and California's latest climate disclosure bills (SB 253 and SB 261) for more on global regulations.)

Risk mitigation

Navigating the uncharted waters of generative AI requires organizations to take proactive and strategic approaches to manage risk:

  • Begin by understanding the scope of generative AI applications within your operations. Conduct thorough Data Protection Impact Assessments (DPIAs) and identify and mitigate potential risks before deploying any innovative technical solutions.
  • Establish a robust framework for obtaining informed consent, addressing the nuances introduced by generative AI.
  • Clearly communicate to clients and stakeholders how their data will be used.
  • Provide mechanisms for users to easily opt in to and out of specific data uses, especially for AI-enabled applications.
  • Prioritize data minimization and purpose limitation, ensuring that AI-generated content aligns with these principles.
  • Invest in employee training to enhance awareness of the risks associated with generative AI and foster a culture of accountability.
  • Implement security measures to protect against data breaches, unauthorized access, and cyber threats, ensuring that generative AI systems adhere to the highest standards of data security.
  • Lastly, stay informed and adapt continuously. Keeping abreast of the latest developments in both generative AI technology and data protection regulations is essential.

Embracing innovation while upholding ethics stands as a paramount objective of successfully using generative AI. Striking the right balance between innovation, ethics, compliance, and transparency can create a future where AI is deployed in a way that respects individuals' rights and empowers responsible data practices.

Read Avoiding digital chaos: Part 2: The threats and opportunities of new technology by Conor Hogan to learn more on emerging technologies; also read Transforming regulatory compliance processes from BSI environmental expert JD Gibbs. For further insights on other digital trust, privacy, information security, and environmental, health, and safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.